Anatomy of Current Phishing Attacks
As the leading skin market for Steam items, we want to draw attention to the current phishing attacks targeting all websites that use Steam OpenID for sign-in.
Phishing Attack Process
- You are asked to visit a phishing site or click on a phishing ad on Google.
- You click on "Sign in with Steam."
- A new frame, popup, or tab opens, but it does not display the "steamcommunity.com" or "Valve Corp [US]" SSL indicator in the navigation bar. It is a replicated page to log all information entered in the login/password fields.
- You enter your login credentials and the Steam Mobile Guard Code. However, this information is not sent to steamcommunity.com but to the scammer.
- The attacker logs into your Steam account using your provided information until the mobile guard code expires (approximately 60 seconds). They can access and perform actions on your behalf on Steam, except for confirming trades.
- The attacker sends you a trade request for the same items you are sending. They immediately cancel that trade and send you another request with the same details.
- You confirm the trade, thinking it is legitimate. However, you have just sent your items to the attacker, and they can repeat this process as long as they have access to your Steam profile.
To avoid falling victim to this phishing attack, do not click on strangers' links or ads on Google searches. Always verify that you are on the correct website's URL. Look for an Extended Validation SSL certificate that shows the company's name in green in the navigation bar. For example, when visiting bitskins.com on non-mobile browsers, you will see "BitSkins, Inc. [US]" in the navigation bar, indicating that you are on the legitimate BitSkins website.
To protect your trades, ask the sender of the trade for information that cannot be replicated, such as the Steam Join Date of their profile. Make sure the entity you are trading with is the one you expected and has the same Steam Join Date. BitSkins, Inc. displays this information to assist you. Always use Two-Factor Authentication (Enable 2FA on BitSkins) or Secure Access on any website where you can log in via Steam OpenID.
Report phishing websites and help the community!
When you find a phishing site, you can help prevent others from becoming victims instead of simply ignoring it. Most registrars (e.g., GoDaddy, web.com) have a maximum turnaround time of 24 hours on reports against their domains.
1. Perform a "whois" search on the URL. For example, use this website for metjm: https://www.whois.com/whois/metjm.net
2. Check the Registrar, which could be NameCheap, 1&1, GoDaddy, or others.
3. Either:
   - Type into Google "<Registrar name> report abuse". For example, GoDaddy gives you a breakdown of all abuse types and actions; or
   - Email them or call them using the "Registrar Abuse Contact Email" and "Registrar Abuse Contact Phone" fields with details of the offending site.
4. Give details of the site. In this case:
   The site is pretending to be http://steamcommunity.com/login.
5. Link the whois information when you do this.
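As an added example (not BitSkins' own code), here is a small Python helper that pulls the registrar and abuse-contact fields out of raw whois output and drafts the report described in the steps above. The domain, registrar and contact values in `SAMPLE_WHOIS` are constructed placeholders; the field labels are the standard registrar whois keys.

```python
import re
from urllib.parse import urlparse

# Constructed sample of whois output for a hypothetical phishing domain
# (placeholder values on a reserved .example name, not a real lookup).
SAMPLE_WHOIS = """\
Domain Name: PHISHING-SITE.EXAMPLE
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Creation Date: 2017-03-01T10:22:13Z
Name Server: NS1.REGISTRAR.EXAMPLE
"""

# whois labels to collect (standard registrar data fields).
FIELDS = {
    "registrar": "Registrar",
    "abuse_email": "Registrar Abuse Contact Email",
    "abuse_phone": "Registrar Abuse Contact Phone",
    "created": "Creation Date",
}

def parse_whois(text):
    """Return the registrar and abuse-contact fields found in raw whois output (None if absent)."""
    found = {}
    for key, label in FIELDS.items():
        # Anchor on the exact label followed by a colon so "Registrar:" does not
        # also match "Registrar Abuse Contact Email:".
        m = re.search(r"^\s*" + re.escape(label) + r":\s*(.+?)\s*$", text, re.M | re.I)
        found[key] = m.group(1) if m else None
    return found

def draft_abuse_report(phishing_url, impersonated_url, whois_text):
    """Build the report text: which site is impersonated, plus the linked whois details."""
    info = parse_whois(whois_text)
    domain = urlparse(phishing_url).hostname
    lines = [
        f"To: {info['abuse_email']}",
        f"Subject: Phishing report for {domain}",
        "",
        f"The site at {phishing_url} is pretending to be {impersonated_url}",
        "and collects Steam credentials and Mobile Guard codes from visitors.",
        f"Registrar: {info['registrar']} (domain created {info['created']})",
        f"Whois: https://www.whois.com/whois/{domain}",
    ]
    return "\n".join(lines)
```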
Done. Reporting a phishing site can take less than 2 minutes. Help protect the Steam community by acting against these scams instead of just leaving the scam website.