Steam users, don’t be tempted

April 30, 2018

Anyone who has dabbled in gaming probably knows about the largest online computer game store in the world. Actually, Steam is more than a store. It hosts a vast community of gamers discussing the hottest releases, provides a trading platform for in-game items, posts reviews of games, and offers much more.

Naturally, such a huge resource and its millions of users make Steam irresistible to hackers. We’ve already posted about Trojans designed specifically to steal Steam accounts, and about the most common gaming scams, but new attack methods are appearing all the time. So this post will focus on another batch of tricks that scammers use to hook gamers in the hope of scooping up a pile of their cash or data.

Free or inexpensive game keys

Computer games don’t come cheap, so nearly everyone warmly welcomes a good deal when they see one. If the game you’re after isn’t part of an official sale, you’ll likely find an offer to buy a key for it at half-price pretty tempting.

The Internet is crawling with stores offering keys. But buying a key from a third party is a stab in the dark — it’s impossible to know in advance if it works. You simply have to trust the seller.

In pursuit of a new game and a nice-looking price, users often forget about basic security and purchase keys on very dubious sites. As a result, they might end up with a used key and an empty wallet.

Key lotteries

Fake stores are fairly easy for most gamers to spot, so scammers looking to grift as many players as possible have turned to some classic schemes that, although not entirely fraudulent, can’t exactly be called honest. “Try your luck and win a random key” — sites with such slogans are becoming increasingly common.

A random key game is a kind of lottery involving the purchase of an unknown product at a certain price. Having spent, say, three bucks on such a key, the user is entered into a drawing with a top prize worth $50 or thereabouts — and other prizes worth far less, say a dollar or two.

It’s not necessarily a scam — everything seemingly depends on Lady Luck. However, the algorithm behind the giveaways is not revealed, which means that players might face any odds at all, and they’re certainly likely to “win” a game key worth less than the original sum paid. Better luck next time, eh?

Before taking the plunge, level-headed gamers might ask themselves why they actually need a random game. Even if a miracle occurs and they win a high-value title, there’s no guarantee they’ll like it. There are all kinds of games out there — strategy fans, for example, are unlikely to be thrilled with the latest installment of a dating simulator.

An account with 100 games for the price of 3

Another way to get games for less than the Steam price is to buy someone else’s account. They are often sold by the same shady stores that peddle cheap keys. Why is there a market for such wares? The attraction lies in getting a ready profile with discounted games and in-game items.

Signing in to an account using a freshly purchased login and password, the buyer becomes the proud owner of not only the game content and items, but also the previous owner’s achievements. There’s no shortage of gamers looking for such shortcuts.

Buying an account seems like a win-win. However, the likelihood is high that a resold account was stolen, so we have to note two points. First, the simple probability that such accounts are stolen should be a turn-off for the ethically minded. Second, there is a fairly good chance that the original owner will try to regain control of their profile, in which case the buyer will be left empty-handed (the seller probably didn’t offer a money-back guarantee).

Free, cool gear

Stolen Steam accounts don’t grow on trees; before they can be sold, someone has to steal them. The most common method is good old phishing. Here’s roughly how it goes.

You receive a link with a tempting offer involving Steam (free in-game items, an interesting exchange offer, or something like that). The link could be sent in a personal message, or you might see it in the comments on a game review or in a social media post, or somewhere else.

Clicking on that link takes the user to what looks like the official Steam page, where they are prompted to enter their account login and password. In anticipation of a great deal, the user enters everything without glancing at the URL in the address bar. The official domain is https://steamcommunity.com, so scammers register very similar domains, such as:

  • steam.stearncommunity.click
  • steamcammunitty.com
  • steamcammunity.ml
  • steamcamrnunitty.com
  • steamcommmunnity.ml

The data entered flows right to the perpetrators, so they gain access to the account and the legitimate user loses it.
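One way to automate the character-by-character comparison against the official domain, as an added example that is not part of the original article: it folds the tricks visible in the domains listed above ("rn" standing in for "m", doubled letters) and then measures edit distance to the official name. The function names, the distance threshold of 2, and the example.net and example.org hosts are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

OFFICIAL = "steamcommunity.com"   # the official domain named in the article
MAX_DISTANCE = 2                  # assumed threshold for "suspiciously close"

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(label):
    """Fold the visual tricks: 'rn' reads as 'm', repeated letters collapse."""
    folded = label.lower().replace("rn", "m")
    return "".join(c for i, c in enumerate(folded) if i == 0 or folded[i - 1] != c)

def classify(url):
    """Return 'official', 'lookalike' or 'unrelated' for a URL or bare host."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    host = host.rstrip(".")
    # Only the exact official host, or a true subdomain of it, is trusted.
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    target = skeleton(OFFICIAL.split(".")[0])
    # Check every label, so a lookalike name hidden in a subdomain is caught too.
    if any(edit_distance(skeleton(l), target) <= MAX_DISTANCE for l in host.split(".")):
        return "lookalike"
    return "unrelated"

# The first five hosts are the ones listed in the article; the rest are constructed.
SAMPLES = [
    "steam.stearncommunity.click", "steamcammunitty.com", "steamcammunity.ml",
    "steamcamrnunitty.com", "steamcommmunnity.ml",
    "https://steamcommunity.com/market/",       # constructed: the real site
    "https://steamcommunity.com.example.net/",  # constructed: real name as a subdomain
    "https://store.example.org/",               # constructed: unrelated site
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):10} {sample}")
```
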

An app with useful — very useful — features

Schemes involving apps that promise to improve your account security, add features, or, say, ruin another Steam user’s reputation operate along similar lines. Such apps are numerous, but they should not be trusted without question: They steal data.

The difference is that, unlike phishing sites, apps can request additional device permissions. Carelessly handed over, those permissions can lead to the theft of something even juicier than Steam credentials. In the context of Steam, there is just one app that should be of interest to all: Steam Guard, which provides two-factor authentication.

How to stay protected against Steam fraud

For starters, it helps to be aware of the scams. However, even the best of us can still be fooled, so here are a few more tips that will help you avoid losing money or access to your account:

  • Remember that too-good-to-be-true prices are probably just that.
  • Never click on links from unknown senders. If the link was sent by someone you know, get in touch to find out what it is and why they sent it.
  • Buy things only on official sites or in very large, well-known stores.
  • Always be careful when entering personal information on any site — be sure to check every single character in the URL.
  • Install two-factor authentication for Steam to improve your chances of retaining access to your account even if you accidentally let slip your login and password somewhere.
  • Use good protection for both your computer and your smartphone — and update the databases regularly. The antivirus will protect you from downloading malware, and the antiphishing component from visiting scam webpages. But even with a reliable security solution, it pays to stay sharp.