PSA: Your Steam account may be at risk

April 8th 2018

In the past few weeks, we have seen a growing number of users lose their items to a sophisticated new attack designed to bypass the Steam Mobile Authenticator. What's worse, the attack makes it appear as if legitimate traders and services have scammed users, when in fact these legitimate traders never received any trades at all.

Here's how the attack works:

  1. The attacker manages to get the victim to enter their Steam username and password on a phishing website; additionally, they gain a single login code as part of the phish. Although they can now log in and control your account, they do not have the ability to confirm trades.
  2. Sometime after gaining access to your account, the attacker poses as a trader asking the victim to trade their items to a trade service, such as Marketplace.tf. The user is instructed to click the deposit link directly from Marketplace.tf, which leads them to the trade offer page of a legitimate Marketplace.tf bot. The user sends a trade offer depositing their items to a real Marketplace.tf bot. Nobody has been scammed yet.
  3. As soon as the user sends the trade offer to the real bot, the attackers cancel the trade offer (remember, they have access to the victim's account, just not their mobile authenticator app) and send an identical trade offer to a different account that looks exactly like the intended recipient.
  4. By the time the victim has loaded their Steam Mobile Authenticator confirmations page, the trade offers will already have been swapped. They will see a confirmation for a trade that looks exactly like the one they sent to the real recipient -- but it's the fake one. They confirm it, and their items are never seen again.

It's important to note that this process can be done for any trade offer your account sends after being hijacked -- any time you send an item to someone else, they could swap the trade offers and you would be none the wiser.

Therefore, if your account has been hijacked, simply avoiding trades with bots or suspicious individuals is not adequate protection. Phishing sites can be extremely convincing and anyone can fall victim to them. Once your account has been hijacked, any trade offer you send can be swapped.
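The swap in steps 3 and 4 works because the confirmation screen is compared by eye: the impostor's display name and item list match the real bot's. The following is an added example, not code from the original post or from any Steam service. It models the offers the victim sent and the confirmations the authenticator shows, using constructed SteamID64s, offer ids and item names (assumptions, not real accounts), and applies the check that catches the swap: compare the partner's SteamID64, which an attacker cannot copy, rather than the display name.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TradeOffer:
    """A trade offer the victim sent from their own account."""
    offer_id: str
    partner_steamid64: str   # stable identity; an attacker cannot choose it
    partner_name: str        # display name; changeable at will, never an identity check
    items_given: frozenset   # names of the items the victim is giving away
    state: str               # "active", "cancelled" or "accepted"


@dataclass(frozen=True)
class Confirmation:
    """What the Steam Mobile Authenticator confirmation screen shows for one offer."""
    confirmation_id: str
    offer_id: str
    partner_steamid64: str
    partner_name: str
    items_given: frozenset


def looks_identical(offer: TradeOffer, conf: Confirmation) -> bool:
    """Everything a person glancing at the confirmation compares: name and items."""
    return offer.partner_name == conf.partner_name and offer.items_given == conf.items_given


def verdict_for(conf: Confirmation, sent_offers: list) -> str:
    """Classify one pending confirmation against the offers the victim remembers sending.

    'ok'       : same offer id and same partner SteamID64 as an offer the victim sent
    'reissued' : same partner SteamID64 and items but a new offer id (harmless, still odd)
    'swapped'  : looks identical by name and items, but the partner SteamID64 differs
    'unknown'  : matches nothing the victim sent (e.g. an offer created by the hijacker)
    """
    by_id = {o.offer_id: o for o in sent_offers}
    original = by_id.get(conf.offer_id)
    if original is not None and original.partner_steamid64 == conf.partner_steamid64:
        return "ok"
    look_alikes = [o for o in sent_offers if looks_identical(o, conf)]
    if not look_alikes:
        return "unknown"
    if all(o.partner_steamid64 == conf.partner_steamid64 for o in look_alikes):
        return "reissued"
    return "swapped"


def audit_confirmations(sent_offers: list, confirmations: list) -> dict:
    """Return {confirmation_id: verdict} for every pending confirmation."""
    return {c.confirmation_id: verdict_for(c, sent_offers) for c in confirmations}


# --- constructed sample data: not real accounts, SteamIDs, offer ids or inventories ---
REAL_BOT_ID = "76561198000000001"   # constructed SteamID64 for the genuine deposit bot
IMPOSTOR_ID = "76561198000000099"   # constructed SteamID64 for the look-alike account
FRIEND_ID = "76561198000000042"     # constructed SteamID64 for an unrelated trade
ITEMS = frozenset({"Unusual Team Captain", "Mann Co. Supply Crate Key"})

# Step 2 of the attack: the victim deposits to the real bot.
SENT_OFFERS = [
    TradeOffer("1001", REAL_BOT_ID, "Marketplace.tf Bot #3", ITEMS, "cancelled"),  # hijacker cancelled it
    TradeOffer("1002", FRIEND_ID, "a friend", frozenset({"Scrap Metal"}), "active"),
]

# Step 3: logged in as the victim, the hijacker sent an identical-looking offer to the impostor.
# Step 4: the confirmation screen now shows these.
PENDING_CONFIRMATIONS = [
    Confirmation("c-1", "1003", IMPOSTOR_ID, "Marketplace.tf Bot #3", ITEMS),          # the swap
    Confirmation("c-2", "1002", FRIEND_ID, "a friend", frozenset({"Scrap Metal"})),    # genuine
]

if __name__ == "__main__":
    for cid, verdict in audit_confirmations(SENT_OFFERS, PENDING_CONFIRMATIONS).items():
        print(cid, verdict)
```

The point of the `verdict_for` ordering is that the display name never decides anything: it only narrows the candidate offers, and the verdict comes from the offer id and the partner's SteamID64. On a real confirmation screen the same comparison means opening the partner's profile from the confirmation and checking the numeric id, not the name or avatar.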

What to Do

Don't worry: there are simple ways to protect yourself.

  • Change your password. This terminates the attacker's current login session on your account; they lose access, and you are safe again. Even if you don't think you've been hijacked, you should consider changing your password. Contrary to common belief, changing your password does not trigger a temporary trade suspension; it is resetting your password through the "forgot password" menu that temporarily suspends you from trading on Steam. Properly changing your password has no penalty.
  • Revoke API Keys. Account hijackers often register an API key on your account in order to control it efficiently. Click here to see if your account has an API key registered to it. If so, you should probably revoke it. Unless you specifically remember setting up an API key for a specific task, you do not need one. Even if you do need one, the attackers have almost certainly stolen it, so generate a new one to ensure they cannot use it.
  • Avoid Phishing Websites. I know, easier said than done. That said, there is one way to be 100% safe with Steam logins: whenever a webpage asks for your Steam account credentials, visit the official Steam website in a new tab and log into it. Then go back to the other website and try logging in through Steam. If it is a legitimate Steam login page, you will not be asked for your username / password; it will simply be a "Sign In" button, because you are already logged into the official Steam website. If it asks for a username or password, do not log into the website.
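A programmatic companion to the manual check above, added here as an example rather than taken from the post: it accepts a sign-in link only when it is an HTTPS URL on one of two exact Steam hostnames (steamcommunity.com and store.steampowered.com; limiting the allow-list to those two exact hosts is this example's assumption), and rejects plain http, look-alike hosts, and URLs that put a real-looking name before an `@` so that the browser actually connects somewhere else. The sample links are constructed, not known phishing sites.

```python
from urllib.parse import urlparse

# Assumption for this example: only these exact hostnames count as the official
# Steam sign-in page. Subdomains and anything else are rejected.
OFFICIAL_STEAM_LOGIN_HOSTS = frozenset({"steamcommunity.com", "store.steampowered.com"})


def login_url_verdict(url: str) -> str:
    """Return 'ok' for an HTTPS URL on an official Steam host, else a 'reject: ...' reason."""
    parts = urlparse(url.strip())
    if parts.scheme != "https":
        return "reject: not https"
    if parts.username is not None or parts.password is not None:
        # 'https://steamcommunity.com@example.net/' shows a Steam-looking name first,
        # but everything before '@' is userinfo; the browser connects to example.net.
        return "reject: credentials embedded in url"
    host = parts.hostname  # lowercased, with userinfo and port stripped
    if not host:
        return "reject: no host"
    if host in OFFICIAL_STEAM_LOGIN_HOSTS:
        return "ok"
    if "steam" in host:
        # e.g. a typo-squat, or the real name used as a subdomain of another domain
        return f"reject: look-alike host {host}"
    return f"reject: not a Steam host {host}"


def is_official_steam_login(url: str) -> bool:
    """Convenience wrapper: True only when login_url_verdict() says 'ok'."""
    return login_url_verdict(url) == "ok"


def check_links(urls: list) -> dict:
    """Map every link to its verdict, for a quick review of a page's sign-in buttons."""
    return {u: login_url_verdict(u) for u in urls}


# Constructed sample links. The first two are genuine Steam sign-in URLs; the rest are
# made-up shapes of bad links, not real sites.
SAMPLE_LINKS = [
    "https://steamcommunity.com/openid/login?openid.mode=checkid_setup",
    "https://store.steampowered.com/login/",
    "http://steamcommunity.com/login",                       # wrong scheme
    "https://steamcommunity.com@example.net/login",          # userinfo trick
    "https://steamcommunity.com.example-login.net/login",    # real name as a subdomain
    "https://steamcommunlty.com/login",                      # typo-squat ('l' for 'i')
    "https://example.net/steam-login",                       # unrelated host
]

if __name__ == "__main__":
    for link, verdict in check_links(SAMPLE_LINKS).items():
        print(f"{verdict:45s} {link}")
```

Two details matter in practice: `urlparse(...).hostname` is what the browser would connect to, so it is the right field to compare (not the raw string the page shows), and the comparison is an exact match against a short allow-list rather than a substring test, because every look-alike in the sample set contains the word "steam".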

It's important to note that it is very difficult to know if your account has been hijacked. If you find your account has an API key attached to it (as mentioned above), and you don't remember setting it up, it's very possible your account has been compromised. Changing your password and revoking your API key will restore your account's security.

Comments
1553402999
Note that this guy or people have several accounts, and what I've witnessed so far is that the items get passed around from account to account. I managed to trace down my items a few times but they completely disappeared after that. I reported the accounts and asked them to trace down the trade history of those items. Hopefully they do something. Probably not. Gaben doesn't care.
1553401110
fuck dude I also got scammed but from this account: https://steamcommunity.com/id/Mokky
1553361928
I recently got scammed by https://steamcommunity.com/id/datdankdark/; he sent a fake trade bot and me, being an idiot, followed his advice and accepted. Once he got my items he removed me from his friend list and now I'm out a bunch of items.
1553211270
Was I the only one who panicked when it said your account may be compromised, not knowing everybody saw it?
1553204572
It will probably happen to me one day.
1553204547
I feel really sorry for you guys :(
1553188930
just got fuckkkeddd lmao
1553088271
I had, but the scammer unfriended me once I lied to him that I'm banned from marketplace and tf2deals is blocked in my network, lol.
1552971691
anybody had this happen from a site called tf2deals.com?
1551975667
Both of these people are scamming with this method; I've lost 1 unusual worth 32 USD + 50 USD Steam card + 1 earbud.
1551975639
pls report this steam and also https://steamcommunity.com/id/OldRegret322
1551974931
https://steamcommunity.com/profiles/76561198874916532
1551974926
GOT SCAMMED BY THIS MOFO, PRETENDING HE WAS SOMEONE FROM MARKETPLACE
Does anyone got scammed by guy called Li Xing ? :) He scammed me for my Holy Grail Buy a Life taunt.
@LoliWankerDX "4 keys"? I paid $600 for the lesson " if it is a legitimate Steam login page, you will not be asked for your username / password; it will simply be a "Sign In" button." and to not do a trade more than just a normal trade.
1551418381
A very good way of preventing this is to restrict trade offers for 10 minutes after changing your name.
1551279240
welp those are the last 4 keys I'll ever lose (hopefully)
1551115038
thanks life
1551115029
got scammed out of 40 keys
fuck my butt
Just got scammed out of 5 keys
1550972729
same fate
I was none the wiser about this scam and my one unusual is gone now, RIP me.
Riv:
1550496943
I got scammed by this method yesterday... Lost a 1 of 1 unusual worth around 250$. Best method of scamming I have ever seen.
1550454280
Anyone get scammed by a guy named Lin?
Ham:
1550439814
coolio
1550263558
No
1550254777
is there any way to get the item back?
1549982495
daaaang that's bad :(
1549923122
Just got scammed 5 keys :/
1549419484
I got scammed by this and lost two unusuals, welp there goes my hecking soul.
Bags:
1549102429
Just got scammed by this, lost 6.82 keys. I also wish I read this sooner...
1549055708
Welp, wish I read this sooner.
1548974424
I think I got scammed by this method.
1548099103
If a website asks for a Steam Guard code, IT IS FAKE. ONLY STEAM CAN USE THE CODE. If you enter the code, a bot logs in to Steam immediately with your account.