Steam and mirrors: How gamers get duped

Gut-wrenching stories of in-game cheating told by actual participants.

Victims of gaming scams share their stories of account hijacking, item fraud, and other nasty stuff to help you learn from their mistakes

People learn more from their mistakes than from cautionary tales of scam and fraud, so, for today’s security postmortem, we collected edifying tales from real-life gamers. Here are four from victims and one from a perpetrator.

Gift fraud

Mikhail Mad_Bucket, 23, translator:

“About seven years ago, something pretty interesting happened to me on Steam — technically a scam, but not really. In Team Fortress 2, there were these weapons that counted kills, and I wanted to sell a dropped crossbow that had this gizmo. Then a stranger on Steam offered to trade it for the game Eets.

‘Wow, a game for a weapon!’ I thought. We exchanged, I installed Eets, and everything seemed OK. But then I went to this guy’s profile, and there in caps it said: ‘GUYS, FREE EETS FOR WHOEVER WANTS IT.’ It turned out that some site was handing out keys for the game just like that, as many copies as you liked.”

Moral: If you are offered a free or very cheap game, go to the developer’s or publisher’s official website and see if it mentions the promotion. If it does, buy or download the game there — no need to take unnecessary risks. Our hero was very lucky that, in exchange for the weapon, he got a real copy of the (free) game, and not an army of Trojans or a fake key.

If your goal is to avoid paying for computer games, check out our guide to no-risk free gaming.

Malicious apps and account hijacking

Anonymous, 17:

“I’ve had two run-ins with scammers. The first time, I found a program supposedly for boosting items in CS:GO, which imitated the Steam login screen. I was 10, I didn’t really know what I was doing. I entered my details, they leaked, my account was almost stolen.

Back then, accounts with items got hijacked really quickly. Then, in a different account, I started crafting stuff in CS:GO. I got an AWP Redline and an M4A4 Asiimov in about two hours, as I recall. Just 20 minutes later the account was stolen, and the items got gifted away. I don’t know how it happened — maybe they hijacked a database somewhere. Btw, tech support still hasn’t returned that account. To be honest, I remember those times with horror — login without 2FA and poor-to-average Steam support.”

Moral 1: It’s not safe to enter credentials in third-party services, especially if they promise mountains of gold or illegal benefits such as a rating boost — you risk having your account hijacked. Avoid installing dubious apps as well; what looks like cheats and bots may really be malware.

Better still, use a security solution that stops malicious apps in their tracks, blocks fake sites, and wards off other evils.

Moral 2: Creating a strong and unique password for each service you use is critical. Make each one strong, so it can’t be brute-forced, and make it unique so that in case of a leak, your other accounts won’t be lost. If coming up with and remembering key phrases is problematic for you, use a password manager to securely store your passwords and automatically enter them for account login as needed.

For more protection, enable two-factor authentication. That way, to log in to your account, you (or anyone else) will need not only the password, but also a one-time code, making it harder to hijack. See our posts on how to activate this and other security features in Steam, Origin, and Twitch.

Social engineering: A cybercriminal’s tale

Alexander, 28, SAP programmer:

“Back in the early days of Lineage II, some friends of a gullible classmate of mine decided to initiate him in the ways of this MMORPG. They created an account for him and poured in a lot of money (at least by high-school standards). They bought him D-grade gear [better than standard — ed.] and secretly completed the first class transfer quest. As a guy always looking to profit at someone else’s expense, I offered to help him with the second transfer.

He was clueless about the game but itching to get hooked. After class, I went to his house and, pretending to do a class transfer quest, killed a couple of skeletons and chatted with a guard. In an important-sounding voice, I told him that the job was done and asked for his ‘outdated gear’ as token payment. He happily handed it over. We bought him a wooden sword in return, and I left with a feeling of accomplishment.”

Moral: If someone offers to do something for you, make sure you fully understand what it is and whether you really need it. Find out the price right away — it may not be worth it. And never let gaming pros into your computer or account — even if they are “friends.” Although the narrator of this tale showed some restraint, you can’t count on a real scammer to spare victims.

Account hijacking with TeamViewer

Anonymous, 20, student:

“Back when I was a kid playing Counter-Strike: Source, I found this 35hp server where there was this dude in an Iron Man skin. His ragdoll made these cool metallic sounds upon dying. You could say I was impressed. I asked in the general chat how to get this type of skin, and the server admin said the model was only for admins, but just this once I could have it free.

He activated the skin for me on the server, and everything seemed fine, but then he wrote that the model had to be activated on Steam so it wouldn’t disappear. At his suggestion, I installed TeamViewer and gave him access to my computer. He connected, opened Notepad right on my desktop and wrote what to do there. To cut a short story even shorter: I gave him my account details, he logged in supposedly to activate the skin, and that’s how I lost my first Steam account.”

Moral: Installing third-party software, let alone handing over control of your computer to a stranger, is a big risk. As for giving out your account username and password, don’t do it, even if you’re promised a cool feature or a fix for a serious issue, as tech-support scammers do. If you need help from a tech-savvy friend, let them explain verbally how to solve the problem.

The world’s shortest tragedy

Hermit Purple, 18, professional commenter in VKontakte communities:

“I was playing Digger Online, logged in to the server. The admins said: item or ban. I bought them an item, but they banned me anyway.”

Moral: No moral here; we can only sympathize.

Midori Kuma commiserates with gamer victims

How to guard against gaming scams

Gamers who want to keep their money, gear, and accounts need to:

  • Protect game accounts with strong and unique passwords, and don’t forget to enable two-factor authentication. Here’s how to set up accounts in Steam, Origin, and Twitch.
  • Double-check deals and offers, looking at seller (or buyer) profiles, reading reviews, and studying vendor websites. It’s better to lose half an hour than all your money.
  • Take your time entering account credentials. First, make sure you are using the official site or app. Type in the address manually if possible, and make sure there are no typos in the name of the site you are visiting. Don’t rely on familiar page layouts for quick visual confirmation; they are easily copied.
  • Reject additional programs. If a friend or acquaintance (or an online stranger!) asks you to install anything — especially a remote access tool such as TeamViewer — forget about it. If they’re helping you with a problem, have them explain the solution so you can do it for yourself.
  • Never disable your antivirus when playing. Many modern security solutions, such as Kaspersky Premium, include a gaming mode that goes light on resources and does not interfere with game play.