PSA: Your Steam account may be at risk

April 8th 2018

In the past few weeks, we have seen a growing number of users lose their items to a sophisticated new attack designed to bypass the Steam Mobile Authenticator. What's worse, the attack makes it appear as if legitimate traders and services have scammed users, when in fact these legitimate traders never received any trades at all.

Here's how the attack works:

  1. The attacker manages to get the victim to enter their Steam username and password on a phishing website; additionally, they gain a single login code as part of the phish. Although they can now log in and control your account, they do not have the ability to confirm trades.
  2. Sometime after gaining access to your account, the attacker poses as a trader asking the victim to trade their items to a trade service, such as Marketplace.tf. The user is instructed to click the deposit link directly from Marketplace.tf, which leads them to the trade offer page of a legitimate Marketplace.tf bot. The user sends a trade offer depositing their items to a real Marketplace.tf bot. Nobody has been scammed yet.
  3. As soon as the user sends the trade offer to the real bot, the attackers cancel the trade offer (remember, they have access to the victim's account, just not their mobile authenticator app) and send an identical trade offer to a different account that looks exactly like the intended recipient.
  4. By the time the victim has loaded their Steam Mobile Authenticator confirmations page, the trade offers will already have been swapped. They will see a confirmation for a trade that looks exactly like the one they sent to the real recipient -- but it's the fake one. They confirm it, and their items are never seen again.
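The swap in steps 3 and 4 leaves a recognisable trace on the victim's own account: an offer is sent, cancelled, and an identical item set is re-offered within seconds to a partner with the same display name but a different SteamID64 (display names are freely chosen; the 64-bit account ID is not). The detection below is an added example written for this post, not code from the original or from Steam; the event model, the `SAMPLE_EVENTS` data and the SteamID64 values are all constructed.

```python
from dataclasses import dataclass

# Constructed event model (not Steam's API): one row per trade-offer event
# observed on the victim's account, in chronological order.
@dataclass(frozen=True)
class OfferEvent:
    ts: int              # seconds since epoch
    action: str          # "sent" or "cancelled"
    offer_id: str
    partner_id: str      # SteamID64 of the recipient (unique per account)
    partner_name: str    # display name shown on the offer (NOT unique)
    items: frozenset     # asset ids the victim is giving away

def find_swapped_offers(events, window=120):
    """Return (original_offer_id, replacement_offer_id, replacement_partner_id)
    for every occurrence of the swap pattern: an offer is sent to partner X,
    cancelled, and within `window` seconds the same item set is re-offered
    to a partner with the same display name but a different SteamID64."""
    sent = {e.offer_id: e for e in events if e.action == "sent"}
    cancelled = {e.offer_id: e for e in events if e.action == "cancelled"}
    hits = []
    for oid, orig in sent.items():
        if oid not in cancelled:
            continue                      # offer still stands; nothing swapped
        t_cancel = cancelled[oid].ts
        for repl in sent.values():
            if repl.offer_id == oid:
                continue
            if (t_cancel <= repl.ts <= t_cancel + window
                    and repl.items == orig.items
                    and repl.partner_name == orig.partner_name
                    and repl.partner_id != orig.partner_id):
                hits.append((oid, repl.offer_id, repl.partner_id))
    return hits

# Constructed sample: a legitimate deposit to a bot, cancelled by the
# hijacker and re-sent to a lookalike account, plus one harmless offer.
REAL_BOT = "76561198000000001"     # placeholder SteamID64, constructed
LOOKALIKE = "76561198000000002"    # placeholder SteamID64, constructed
SAMPLE_EVENTS = [
    OfferEvent(1000, "sent", "o1", REAL_BOT, "Marketplace.tf Bot #1", frozenset({"a1", "a2"})),
    OfferEvent(1004, "cancelled", "o1", REAL_BOT, "Marketplace.tf Bot #1", frozenset({"a1", "a2"})),
    OfferEvent(1006, "sent", "o2", LOOKALIKE, "Marketplace.tf Bot #1", frozenset({"a1", "a2"})),
    OfferEvent(2000, "sent", "o3", "76561198000000003", "a friend", frozenset({"a9"})),
]

if __name__ == "__main__":
    print(find_swapped_offers(SAMPLE_EVENTS))
```

The same principle applies when confirming by hand: compare the partner's SteamID64 on the confirmation with the one on the real bot's profile, since name and avatar can be copied.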

It's important to note that this process can be done for any trade offer your account sends after being hijacked -- any time you send an item to someone else, they could swap the trade offers and you would be none the wiser. 

Therefore, if your account has been hijacked, simply avoiding trading with bots or suspicious individuals is not adequate protection. Phishing sites can be extremely convincing and anyone can fall victim to them. Once your account has been hijacked, any trade offer you send can be hijacked.

What to Do

Don't worry: there are simple ways to protect yourself.

  • Change your password. This will force their current login session on your account to be terminated. They will lose access to your account, and you will be safe. Even if you don't think you've been hijacked you should consider changing your password. Additionally, changing your password does not give you a temporary trade suspension, as many believe; rather, resetting your password through the "forgot password" menu temporarily suspends you from trading on Steam. Properly changing your password has no penalty.
  • Revoke API Keys. Many times, the account hijackers will set up an API key on your account in order to efficiently control it. Click here to see if your account has an API key registered to it. If so, you should probably revoke it. Unless you specifically remember setting up your API key for a specific task, you do not need one. Even if you do need one, the attackers have almost definitely stolen it, so you should generate a new one to ensure they cannot use it.
  • Avoid Phishing Websites. I know, easier said than done. That said, there's one way to be 100% safe with Steam logins: whenever a webpage asks for your Steam account credentials, visit the official Steam website in a new tab, and log into it. Then go back to the other website and try logging in through Steam; if it is a legitimate Steam login page, you will not be asked for your username / password; it will simply be a "Sign In" button. This is because you will have already logged into the official Steam website. If it asks for a username or password, you should not log into the website.

It's important to note that it is very difficult to know if your account has been hijacked. If you find your account has an API key attached to it (as mentioned above), and you don't remember setting it up, it's very possible your account has been compromised. Changing your password and revoking your API key will restore your account's security.