Scam going around on Steam


Hey, I just got a Steam IM from a GWJer who was on my Steam friends list (that I PM'ed directly here) asking for me to vote for their team. I replied to them saying nice try. They then apparently either blocked me or unfriended me. I read a post on QT3 with this going around as well. Just wanted to give you all a heads up and make sure your Steam accounts are protected.

I just got one too. If anyone knows Stylez outside of GWJ, let him know his steam account's been compromised.

Hey all,

Yeah my account got compromised last night. I received a steam message from Lothar asking to support his friend's amateur league ESEA team. I went to the site and it looked fairly legit, it asked for a steam login via api, but the API confirmed it was for profile access only. I went ahead with it.

3 hours later $400 was cleaned out of my account via the api. I had no idea the API had access to steam marketplace or purchasing at all. The scammer put 5 35 cent CS GO skins up for ~$80 and purchased them through my account.

I opened a support ticket and I got a template response I'll post at the bottom. The TLDR is that "too bad, all marketplace transfers are final, because it can cause confusion on the Seller's account". I stated that this is nuts because the seller's account was clearly a scam account, L1 with only free games in the inventory.

I'm still waiting to hear back, but that money was for Cyberpunk for myself and Baldur's Gate gifts for a few out of work friends due to COVID. I'm heartbroken and beyond frustrated, every time I think about it I get mad, and I'm thinking about it every 3 minutes or so.

I'm really sorry for anyone who may be compromised due to this, and if anyone is in touch with Lothar let him know too!

Support text below:

Hello,

Unfortunately, all Community Market transactions are final and cannot be reversed or refunded. When an item is purchased from the Community Market, the cost is sent from the buyer's Steam wallet to the seller's. Reversing these purchases would mean we have to take funds out of the seller's wallet, creating confusion and possible purchasing issues across Steam.

I'm sorry we can't be of more help with this, but we don't reverse or refund Community Market purchases and sales.

Additional information can be found on our Community Market article.

We suggest that you do the following to protect your account:

1) Scan your computer for viruses, key loggers, spyware, and other malicious code with a virus scan utility that has the most recent virus definitions.

2) Change your password for the e-mail account you are using to contact Support.

Thanks for using Steam,
Gabriella

I'm glad whispa posted this because I read it about 30 minutes before getting the message from Stylez's compromised account.

That's rough Stylez, hopefully you can get the money back somehow.

I got one of those messages last night too, but there were a lot of red flags so I assumed it was a scam.

Yeah I'm really sorry folks. It was a boneheaded moment but in my defense I had NO IDEA the SteamAPI allowed purchases. I'd have never logged in in the first place if I knew that, and I've since revoked all third party access and changed my API key.

I'm crushed and I don't think Steam Support is going to help me out.

I think 2FA would have helped you here.

I think if you have it enabled, every community market transaction needs to be approved via the mobile app.

Hey Jonman,

Nope. I have 2fa enabled. It never asked for MFA for the purchases, and I never got notification of a sketchy login.

The compromise was strictly through the API.

I should be clear though, it wasn't items being taken from my account (which do send an MFA request), but purchases using my existing steam wallet (which haven't).

Ugh I'm sorry to hear that Stylez. Let's hope it works out OK for you.

Glad I was able to help a few others though.

Stylez wrote:

Hey Jonman,

Nope. I have 2fa enabled. It never asked for MFA for the purchases, and I never got notification of a sketchy login.

The compromise was strictly through the API.

I should be clear though, it wasn't items being taken from my account (which do send an MFA request), but purchases using my existing steam wallet (which haven't).

Ah, gotcha. That double-sucks, dude.

I'm honestly floored that completely refusing to help is Steam's default response. They're basically inviting every scammer out there to infiltrate their system.
Can you imagine the hell that'd be raised if Epic A) set their system up so badly that their customers could get scammed that way and then B) refused to do anything at all to fix it? I guess the lesson here is that you should never keep a balance in your steam wallet.

Yikes. Thanks for the warning. Got a couple hundred friends from here, hopefully it doesn't spread.

What a sh*t show. So sorry to hear that.

Stengah wrote:

I'm honestly floored that completely refusing to help is Steam's default response. They're basically inviting every scammer out there to infiltrate their system.
Can you imagine the hell that'd be raised if Epic A) set their system up so badly that their customers could get scammed that way and then B) refused to do anything at all to fix it? I guess the lesson here is that you should never keep a balance in your steam wallet.

It's shocking to me too. It is way worse than I expected. There's no recourse and no punishment for the scamming account. I'm reporting it to the RCMP fraud department today. Valve controls the items, accounts, and wallets, I have no idea why this is allowed to happen and for peace of mind I need to understand it. Every 5 minutes I catch myself thinking about it.

They can't keep their cut of every fraudulent transaction if they reverse them.

Stengah wrote:

I guess the lesson here is that you should never keep a balance in your steam wallet.

This should be a PSA.

I had nearly bought my copy of Cyberpunk and 2 gift copies of BG3 that night too. That's what I keep thinking back to more than anything. They were in my cart and everything. Argh.

Hey Folks, quick update for those that are interested. After keeping the pressure up I finally got a response that was a human, and they reviewed and immediately restored the funds.

Some faith in the process restored, but it shouldn't have taken back and forth for 2 days before getting to that point.

Stylez wrote:

Hey Folks, quick update for those that are interested. After keeping the pressure up I finally got a response that was a human, and they reviewed and immediately restored the funds.

Some faith in the process restored, but it shouldn't have taken back and forth for 2 days before getting to that point.

Great news. A few hundred bucks to valve isn't anything big. A PR nightmare could have been. Glad they did the right thing. Enjoy those games and gifts.

I am glad Steam came through in the end. I would be really mad too, especially since it isn't clear that a third party can use API calls to make purchases against your wallet.

Thanks whispa for posting the heads up.

Stylez wrote:

Hey Folks, quick update for those that are interested. After keeping the pressure up I finally got a response that was a human, and they reviewed and immediately restored the funds.

Some faith in the process restored, but it shouldn't have taken back and forth for 2 days before getting to that point.

That is AMAZING to hear. I was not prepared for the roller coaster when I clicked on this thread.

Great news wrapped up in a poopy deal. So glad to hear that Valve rectified things in the end. Scary knowing, now, that marketplace purchases can be made via the API.

Thanks for the update Stylez.

Yep my lesson from this is don't trust any third parties with the API key. Frankly there could have been a lot more damage done I think. Again apologies to anyone who got messages from me, I'm still reaching out to all those that were contacted through my account.

Got another scam message from Taer this time. Sent him a PM, but if anyone knows a better way to contact them, please do it.

Stengah wrote:

Got another scam message from Taer this time. Sent him a PM, but if anyone knows a better way to contact them, please do it.

I just got one from him too.

Yeah. It tripped me out, cause it looked to be against their "oauth" api. And I had 2FA in place. It really looked exactly like every other "login with FOO" type service. Well done mr hacker, well done.

I had no money in my account. All it did was seemingly spam people, block their responses, and try to infect them. I've changed phones by accident just today (new phone, new SteamGuard setup). I changed PW, and deleted my "API key" https://steamcommunity.com/dev/apikey which we registered to "localhost".

Finally, I renamed in steam to taer-DONT-VOTE-FOR-TRYHARD

edit: Thanks for the heads up everyone!

Yeah that's the super sneaky thing. The 2FA is totally useless when the third party has API access that can message your friends, and buy stuff through your account.

Honestly was impressed at how slick it was, and how much access the API actually has.

Really glad to hear that you got your money back. With as much money as I'm sure moves through Steam, it feels like their fraud response ought to be much better -- like a bank's or a credit card's, honestly.

This is now happening with sithload [gwj].

If anyone knows him, please let him know.

Yeah I just got a message from Sithload as well and it wanted me to sign in with Steam and I quickly realized this was super sketchy. No way was I going to log in to another site using my steam ID.

If I clicked the link but didn't sign in would I still be vulnerable? Or should I be OK?

Same here. I just messaged him. Told the guy I knew it was a scam and to take off.
