API SCAM - What you should know and how to stay safe
The "Steam web API key" fraud is currently the most popular scam technique. We regrettably receive daily tickets from users who have lost skins as a result of this fraud.
In this article, we explain how this technique works and offer advice on how to keep your skins safe.
A sneaky method is going around in which users are lured to phishing websites that offer a false "Login with Steam" button. These websites frequently surface in search engine results and mimic the visual style of well-known services. After clicking that button, you are quickly redirected to a fake "Steam login" page, which asks for your login name, your password and even your Steam Guard 2FA code.
Some very common forms these phishing links take are:
- You have won a free item and must claim it by logging in to a dodgy website.
- You are asked to provide full details or a price evaluation and must log in to the dodgy website.
- You are asked to compete in a small tournament hosted by a dodgy website and must log in.
- You are asked to help someone by voting for their submission (such as artwork) in some sort of competition and must log in to vote.
- You are given an incorrect 'steamcommunity' link that you are required to log in to. Note that the genuine https://steamcommunity.com domain is protected; however, scammers use lookalike domains such as 'steamcommunility'.
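The lookalike-domain trick in the last point is easy to miss by eye, so here is a small Python checker, added for this article and not BitSkins' or Valve's code, that classifies a "Login with Steam" link. The allow-list of official hosts is an assumption built from the Steam domains mentioned in this article, and the sample links are constructed, not real phishing sites. Only an exact https host match counts as official; a host that merely contains or closely resembles an official name is flagged as a lookalike.

```python
from urllib.parse import urlsplit

# Official Steam hosts named in this article. Assumption: this allow-list is
# constructed for the example; it is not a list published by Valve or BitSkins.
OFFICIAL_STEAM_HOSTS = frozenset({
    "steamcommunity.com",
    "store.steampowered.com",
    "help.steampowered.com",
})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values flag one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_login_link(url: str) -> tuple:
    """Classify a 'Login with Steam' link as ('official'|'lookalike'|'untrusted', reason).

    Only an exact https host match is 'official'. The host comes from
    urlsplit().hostname, so 'steamcommunity.com@evil.example' resolves to
    evil.example and 'steamcommunity.com.evil.example' stays a different host.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ("untrusted", "no hostname in link")
    if host in OFFICIAL_STEAM_HOSTS:
        if parts.scheme == "https":
            return ("official", host)
        return ("untrusted", f"official host but scheme is {parts.scheme!r}, not https")
    for official in sorted(OFFICIAL_STEAM_HOSTS):
        if official in host:
            return ("lookalike", f"{host} embeds {official} inside a longer name")
        if edit_distance(host, official) <= 2:
            return ("lookalike", f"{host} is within 2 edits of {official}")
    return ("untrusted", host)


# Constructed sample links (not real phishing sites) covering the patterns
# described in the list above.
SAMPLE_LINKS = [
    "https://steamcommunity.com/openid/login",
    "https://steamcommunility.com/openid/login",
    "https://steamcommunity.com.example-skins.net/login",
    "https://steamcommunity.com@example-skins.net/login",
    "http://steamcommunity.com/openid/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = classify_login_link(link)
        print(f"{verdict:10} {link}  ({reason})")
```

The important design choice is the exact match: "does the address contain steamcommunity.com?" is exactly the question a scammer wants you to ask, because `steamcommunity.com.example-skins.net` and `steamcommunity.com@example-skins.net` both answer yes while pointing somewhere else entirely.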
The scammer's script uses these credentials to sign in to your Steam account and create a Steam Web API key on a particular page (https://steamcommunity.com/dev/apikey). This API key lets the script track all of your trade offers. If a trade offer contains valuable skins, the con artist cancels it and sends you a nearly identical offer from their own account instead.
The following guidelines must be followed in order to protect your skins:
- Do not use a search engine to reach a service you already know, and never rely on results from the "advertising" (sponsored) area. Type the direct address instead, such as bitskins.com.
- NEVER enter your Steam login details into a "Login with Steam" form on another site. Instead, make sure you already have an open Steam session, signed in through the "Sign In" option on the Steam website. If you are asked for your login information, open the official website (https://steamcommunity.com) and log in there.
- When you request a trade offer on BitSkins (or any other reliable provider), you will be given a direct link to the prepared trade offer. Always accept the trade offer through this URL.
- Also carry out a few short, easy checks. We attach the BS Trade Token to every trade offer we send. For your trading safety, also check that the bot is a member of our Steam group; ALL our bots are members of the Steam group "BitSkins, Inc: Bots" (https://steamcommunity.com/groups/bitskinsbots).
By following these suggestions, you can protect your skins against fraudsters and dishonest activities.
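To make the checks in the guidelines above concrete, here is an added Python example (not BitSkins' code) that applies them to an incoming trade offer. Everything in it is constructed for illustration: the SteamIDs, the display names, the token value, the item names and the set of bot-group members are made up, and the offer fields are a simplified model of a Steam trade offer, not Steam's real data format. The replacement offer models the scam described in this article: same display name, same items and even the same message, but sent from a different account.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TradeOffer:
    """The fields of a trade offer that matter for this check (simplified model)."""
    offer_id: str            # id from the trade offer link
    partner_id: str          # SteamID64 of the other party
    partner_name: str        # display name: freely chosen, so never trusted
    message: str             # free-text message attached to the offer
    items_to_give: tuple     # item names you hand over
    items_to_receive: tuple  # item names you get


def vet_trade_offer(incoming, prepared, bot_group, expected_token):
    """Return the reasons to reject `incoming`; an empty list means accept.

    prepared:       the offer you requested, as shown by the platform and
                    reachable through the direct link it gave you
    bot_group:      SteamID64s that are members of the official bot group
    expected_token: the trade token the platform attaches to its offers
    """
    problems = []
    if incoming.offer_id != prepared.offer_id:
        problems.append("offer id is not the one from the direct link")
    if incoming.partner_id != prepared.partner_id:
        problems.append("partner SteamID is not the bot that prepared the offer")
    if incoming.partner_id not in bot_group:
        problems.append("partner is not in the official bot group")
    if expected_token not in incoming.message:
        problems.append("trade token missing from the offer message")
    if (incoming.items_to_give, incoming.items_to_receive) != (
            prepared.items_to_give, prepared.items_to_receive):
        problems.append("items differ from the prepared offer")
    return problems


# Constructed sample data: the SteamIDs, names, token and item names below are
# made up for this example and do not refer to real accounts or real items.
BOT_GROUP = frozenset({"76561198000000001", "76561198000000002"})
TOKEN = "BS-TRADE-TOKEN-EXAMPLE"

# A deposit you requested: you hand one skin to the bot.
PREPARED = TradeOffer(
    offer_id="5001",
    partner_id="76561198000000001",
    partner_name="BitSkins Bot #12",
    message=f"Your BitSkins deposit. Trade token: {TOKEN}",
    items_to_give=("Example Rifle | Sample Finish (Field-Tested)",),
    items_to_receive=(),
)

# The scam pattern from the article: the real offer is cancelled and replaced by
# a near-identical one from the scammer's account, which copies the bot's display
# name and the message (token included) but carries a different SteamID.
REPLACEMENT = TradeOffer(
    offer_id="5002",
    partner_id="76561198999999999",
    partner_name="BitSkins Bot #12",
    message=f"Your BitSkins deposit. Trade token: {TOKEN}",
    items_to_give=("Example Rifle | Sample Finish (Field-Tested)",),
    items_to_receive=(),
)


if __name__ == "__main__":
    for label, offer in (("genuine", PREPARED), ("replacement", REPLACEMENT)):
        problems = vet_trade_offer(offer, PREPARED, BOT_GROUP, TOKEN)
        print(label, "->", "ACCEPT" if not problems else "REJECT: " + "; ".join(problems))
```

Two points worth noticing. The display name is deliberately not compared, because anyone can set their name to look like a bot. And the token check alone passes for the replacement offer, since its message is a copy of the genuine one; it is the partner identity, the bot-group membership and the offer id from the direct link that expose the swap, which is why accepting only through the link you were given is the simplest safe habit.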
Other ways to secure your account from scammers
Steam Guard Mobile Authenticator should be the absolute minimum level of security for all users. An outline of what it does and how it can help you is given below. In addition, Steam's Family View is a very useful feature that requires a PIN to access specific sections of your Steam account.
Importantly, you should never share the email address and phone number tied to your account: they can be used to recover your account, and therefore also to hijack it.
Steam Guard Mobile Authenticator
https://store.steampowered.com/twofactor/manage
Enabled in the Steam mobile app; it lets you confirm trades instantly and removes the 7-day/15-day trade hold when sending items (once it has been enabled for 7 days).
Steam Family View
https://store.steampowered.com/parental/set
An additional security method that requires a PIN to access specific parts of your Steam account, which you choose yourself (for example specific games, 'Steam store', 'Community-generated content', 'Friends, chat and groups' and 'My online profile, screenshots and achievements').
- Enabled via the Steam browser. The options you tick are what remains accessible without entering the PIN. It is a good idea to tick only 'Friends, chat and groups' in the "Online content & features" section.
- Note that 'Community-generated content' includes changing the API key and access to the Steam Market. You also cannot send trade offers via an API key if the 'My online profile, screenshots and achievements' option is not ticked.
- Whenever you log back in to Steam or relaunch the Steam app, you will need to re-enter the PIN to access the content locked by Family View.
Regrettably, skins that have been taken from you cannot be returned. You should report the scammer's Steam account to the relevant channels. Although this will likely lead to the account being banned, it will not undo any trades or transactions that have already been made.
Take the following actions to protect your own account:
- Change your Steam password right away. (https://help.steampowered.com/en/wizard/HelpChangePassword?redir=store/account/)
- To revoke your current Steam web API key, go to https://steamcommunity.com/dev/apikey and select "Revoke".
- Change your Steam Trade URL (https://steamcommunity.com/my/tradeoffers/privacy), the unique link used for trading items, and update your Trade URL at BitSkins and/or other comparable platforms.
Thanks to Guardy__ for helping with the article.