I like to think that I have pretty decent cybersecurity practices. I use MFA or 2FA on everything I can, passkeys on every service that supports them, have authenticators set up for Blizzard, Microsoft, Steam, and other accounts, but I still got hacked on Steam. Or more precisely, I got phished on Steam, sent to a fake Counter-Strike 2 event page, and tricked into putting in what I thought were Steam OpenID login details. Except, of course, they weren’t.
Or maybe they were. I do remember a notification on Steam Guard, but again, I thought it was a legit Steam OpenID page, and nothing on the page gave me any indication it wasn’t. It was in a normal browser window, not a Steam Browser. It had the usual Sign in with Steam button, and I don’t even remember putting my password or username in, because it’s the browser I always use for Steam purchases, so it already had login session cookies.
Don’t sign in to Steam on third-party sites, whether to check your Steam Spend, Time To Beat, vote on eSports tournaments, or for any other purpose. If you ever do, the sign-in must happen in a real browser tab or window whose address bar reads steamcommunity.com, not in a popup drawn inside the page. And no, those DMs about $50 Steam Gift Cards aren’t real either. Sorry.
Thinking about it now, it might have only been session cookies that got hijacked, as the hackers messaged most of my friends list before I managed to get control back from Steam Support, but didn’t seem to be able to change any settings like email or password, or remove Steam Guard. I got lucky in that respect, as there was no money or skins in my account to be transferred out, but I do have 1,300 games or so and DLC, adding up to a horrendous total amount of value.
Here’s what happened, so you know what to look for, and how realistic those phishing sites are.
All it took was a couple of clicks
The phish looked so real, and it even seemed to use Steam’s OpenID login
It was the beginning of January 2024, and I was probably nursing a hangover from New Year’s Eve when I got a message on Steam from an old friend. They wanted me to vote for their friends in a CS2 tournament so they’d have a chance of winning a prize or something like that. I didn’t think much of it at the time; we were always asking each other to click on stuff to win prizes, but I feel differently now.
I clicked through, clicked on my OpenID login button, and must have tapped on Steam Guard on my phone because every sign-in for Steam gets authenticated that way. I was slightly confused when the tournament voting page didn’t work as it should have, but I assumed it was either AdBlock or the Eero security settings, didn’t think much about it, and went to bed.
In the morning, I woke to many messages from friends on Steam who had contacted me on other social media to ask if it was me. It wasn’t, so I panicked for a minute and went off to Steam Support to get things fixed. This scam is so prevalent that Steam has a dedicated support page for it, but I wouldn’t have looked for it before clicking on a link from a trusted friend.
And that’s exactly how these things work: they compromise one account, use it to message that account’s friends, and because of the circle of trust, each round harvests more clicks. You wouldn’t click on a message from someone you’ve never spoken to, but one from a friend you play multiplayer games with every week? Sure, without thinking about it.
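One concrete check for the fake sign-in page described above, added here as an example and not taken from the original article: Steam’s real OpenID provider is served from https://steamcommunity.com/openid/login, so a sign-in URL whose actual host is anything else is not Steam, however convincingly the page is styled. The allowlist of hosts is an assumption (the two hosts Valve serves its own sign-in pages from), and every URL in the demo list is constructed to mimic the tricks a phishing page uses.

```python
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumed allowlist: the hosts that legitimately serve Steam's own sign-in pages.
# The OpenID endpoint behind every "Sign in through Steam" button is on steamcommunity.com.
STEAM_SIGNIN_HOSTS = frozenset({"steamcommunity.com", "store.steampowered.com"})


def classify_signin_url(url: str) -> Tuple[bool, str]:
    """Return (genuine, reason) for the URL shown in the address bar of a supposed Steam sign-in page."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}; Steam sign-in is https only"
    host = parts.hostname  # lower-cased, with userinfo and port already stripped off
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        # https://steamcommunity.com@evil.example/ : the text before '@' is a username, not the host.
        return False, f"trusted name sits in userinfo; the real host is {host!r}"
    if not host.isascii():
        return False, f"non-ASCII host {host!r} (possible homograph)"
    if host in STEAM_SIGNIN_HOSTS:
        return True, f"host {host!r} is a Steam sign-in host"
    for good in STEAM_SIGNIN_HOSTS:
        if good in host:
            # e.g. steamcommunity.com.cs2-vote.example: the trusted name is just a label,
            # the registered domain is whatever comes last.
            return False, f"look-alike host {host!r} embeds {good} but is registered elsewhere"
    return False, f"host {host!r} is not a Steam sign-in host"


def triage(urls: List[str]) -> List[Tuple[str, bool, str]]:
    """Classify a batch of address-bar URLs, e.g. collected from a user report."""
    return [(u, *classify_signin_url(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample: one genuine URL and the usual phishing shapes.
    sample = [
        "https://steamcommunity.com/openid/login?openid.mode=checkid_setup",
        "https://steamcommunity.com.cs2-vote.example/openid/login",
        "https://steamcommunity.com@cs2-vote.example/openid/login",
        "http://steamcommunity.com/openid/login",
        "https://steamcomrnunity.com/openid/login",
    ]
    for url, genuine, reason in triage(sample):
        print("OK  " if genuine else "BAD ", url, "->", reason)
```

A fake popup drawn inside the page (a browser-in-browser window) has no real address bar to check at all; if you cannot drag the "Steam" login window outside the site’s own tab, it is part of the page, not a browser window.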
Thankfully, Steam has a recovery process
With a few more clicks and an email from Valve, I got access back again
Thankfully, Valve has an incredible amount of security and provisions for recovering accounts if they get taken over like this. I’ve had a harder time getting money back from the fraud department in my bank than I had with getting my Steam Account back. After a few minutes of clicking through options and answering questions, I had an email in my inbox with a link to change my Steam password and sign out of every device I was signed in to.
It’s very difficult for anyone to actually lock you out of your Steam account, and Valve holds a lot of your personal information to verify against for recovery. Head to Steam Support, click "My Steam Account was stolen and I need help recovering it", and follow the questions.
That last part is essential, because if the scammer still holds a valid session cookie, they can keep sending messages as you, and the scam is ongoing while you think you’ve recovered your account. I’m not sure how long those sessions last before expiring, but the only surefire way to end them is to sign out of every device when you change your password.
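To see why the "sign out of every device" step matters, here is a toy session store, added as an example and not Valve’s code, in which each session records the account’s session generation at the time it was issued. A password change on its own leaves a stolen cookie valid; only bumping the generation (the "sign out everywhere" step) revokes it. The account names, the PBKDF2 parameters and the phishing scenario are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    session_generation: int = 0  # every live session remembers the generation it was issued under


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count chosen for a quick demo, not as a production recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class SessionStore:
    """Toy server-side session table (constructed): cookie value -> (user, generation)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Tuple[str, int]] = {}

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a fresh opaque cookie on success, None on a wrong password."""
        acct = self.accounts[user]
        if not hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (user, acct.session_generation)
        return cookie

    def whoami(self, cookie: str) -> Optional[str]:
        """Resolve a cookie to a user, or None if the session is unknown or was revoked."""
        entry = self.sessions.get(cookie)
        if entry is None:
            return None
        user, gen = entry
        if gen != self.accounts[user].session_generation:
            del self.sessions[cookie]  # issued before the last revoke: stale, drop it
            return None
        return user

    def change_password(self, user: str, new_password: str, sign_out_everywhere: bool) -> None:
        acct = self.accounts[user]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        if sign_out_everywhere:
            acct.session_generation += 1  # every cookie issued before this moment is now dead


def phished_scenario(sign_out_everywhere: bool) -> bool:
    """Return True if the attacker's stolen cookie still works after the victim changes password."""
    store = SessionStore()
    store.register("victim", "correct horse battery staple")
    stolen = store.login("victim", "correct horse battery staple")  # session the phish page relayed
    assert stolen is not None
    store.change_password("victim", "new-long-unique-passphrase", sign_out_everywhere)
    return store.whoami(stolen) == "victim"


if __name__ == "__main__":
    print("password change only, attacker still in:", phished_scenario(sign_out_everywhere=False))
    print("password change + sign out everywhere, attacker still in:", phished_scenario(sign_out_everywhere=True))
```

The naive path (replace the hash, keep the sessions) is exactly the gap described above: the attacker keeps messaging your friends from a session you believe you have already killed. In a real service the generation counter, or equivalently something derived from the current password hash, belongs in what every session validates against, and an account-recovery flow should bump it unconditionally rather than leave it to the user.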
Remember, I still had Steam Guard enabled at all times
Using Steam OpenID for the phish was a masterstroke of deception
I still had Steam Guard set up, with 2FA handled by the Steam app on my smartphone, and my password hadn’t been changed. I got lucky, in other words, and I didn’t have any skins or Steam Wallet funds to drain, so the scammers just sent a whole bunch of messages to my friends list to try and find a juicier target. They know that Valve makes it easy for the owner to recover their account, and they don’t want your games, just anything they can transfer out.
My only real mistake was to click on something sent via a Steam message. I should have known, really, as we usually use voice chat or Discord for anything, but it was someone I talk to all the time, and getting links or memes from them wasn’t out of the ordinary. Other than not clicking links, I’d say don’t keep a Wallet balance if you can help it, because that will get drained, and Valve can’t reverse transactions on the Community Market, which is how the scammers get your funds away from you.
Phishing scams are on the rise and look like legit websites
I’ve always been on the lookout for phishing attempts, and I report any suspect emails before sending them to spam, yet I still got phished. That’s not to say I got stupid or sloppy, although there’s an aspect of that. The point is that it could happen to anyone, and if the message comes from a trusted friend, it’s even harder to spot the scam in action.
Even with MFA enabled, a long unique password, and a suspicious mind, I still fell victim. The good news is that it’s easy to get a hijacked Steam account back, and Valve guards its customers well in this regard, as they want you to keep spending money with them on new games.
source: https://www.xda-developers.com/steam-account-phished-heres-how-get-it-back/


