Newly discovered phishing scam on Steam

Reading time icon 3 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

Key notes

  • While trying to help out a fellow gamer, a Steam user discovered a new phishing method.
  • The scheme was engineered to take over accounts, by gathering user confidential data.
  • If caught in this trap, 2FA would actually help the attackers instead of securing your account.
  • The phishing trick was cleverly disguised as a simple Steam OAuth login prompt.
Steam Phishing method

By reading about other people’s mistakes and by sometimes learning the hard way, we are all aware that the internet is not exactly the safest place.

One simple click can cause major leaks and losses if we don’t keep our eyes wide open. Being smart is being safe in this ever-growing online world, so avoid all suspicious sites and offers you might come accross,

New phishing scheme discovered via Steam

According to the Reddit post submitted today by one of the users, a simple action that he was asked to perform on Steam for a fellow gamer, almost resulted in him losing his account.

Trying not to arouse any suspicions, the innocent request urged the user to just vote for a gaming team. When trying to do so though, what he discovered was a bigger surprise than he expected.

However, in order to perform this action, you have to use Steam OAuth to log in, which is pretty much a common thing among verified websites.

The trick was that, after you clicked on Sign in via Steam, another virtual popup window would open inside the original tab.

This gives most users the impression that they are using the correct steam URL and that it’s completely safe to input the credentials.

Because the Valve corporation name and icon, as well as other elements of the original website’s UI are present, it becomes easier to trick the unsuspecting into providing personal information.

What surprised me was the quality of trick!

2FA data sent to the attackers

The post author on Reddit continues to explain that, in case anyone went through with this sign up process, the loss of the Steam account would be almost a certain thing.

If users had the 2FA option enabled, actually inputting the security code that they received on their phone, could lead to total account takeover, as they would have all the information they need.

Although the Steam platform isn’t commonly used to perform such schemes, its not uncommon. Malicious third parties will never stop concocting new ways to trick you out of your possesions.

So, what we can learn from this situation is that we should never provide our personal information to any suspicious or unverified websites.

Using the latest antivirus software can save us the trouble of having to restore potential damage caused by all sorts of malintent, or try and recuperate lost data.

Always make sure to keep track of where you choose to make such precious information available, in order to avoid data loss or other leaks.

Remember that not everything on the internet is what it seems and that staying protected should be our number one priority, regardless.

Have you ever been a victim of phishing? Tell us all about it in the comments section below.

User forum

0 messages