Well, where do I start? I don't really know where to start, so I will start with saying: I really don't know how I fell for this, but in the interest of defending myself after this stupidity, I will say that I was really tired, really emotional and I was terrified. This post is to share my experience of a Steam scam in the hope that someone else can avoid it. I am keeping a logical approach to this despite extreme emotions (rage is quite prominent), so here you go.
The scam went like this; I will provide a breakdown and analysis of where I made critical errors in judgement.
Stage 1:
The attack vector was via a Steam friend whose account was almost certainly also hijacked. This provided the element of trust that pushed me to take it seriously from the get-go.
They provided a Discord account link to chat with this supposed "admin" to fix the issue. The first warning sign here is that Steam DOES NOT use Discord (or even Steam Chat) to sort out account issues. I failed miserably in verifying this, because I fell for the trust of my friend. That was a very dire mistake.
The account in question was made to seem like it was an Administrator, from the video above you can see they went to some effort to falsify that. Hindsight is 20/20 and I can see the flaws clear as day right now, but not when I was tired at 3 AM, depressed, and absolutely terrified of losing my Steam Account (which is basically my entire life).
Stage 2:
The chat with the "Administrator" on Discord begins, and honestly, I should have just stopped here. But I guess in my naivety, I still trusted my friend. You can watch the video for the full chat history.
The scammer requested my payment history on steam to "check for illegal payments", so I provided it without my account name first. After being told to include the account name, I foolishly complied, and that is likely where my account was first compromised.
Stage 3:
The scammer told me that my account was pending a ban and would be deleted entirely. At this point I was terrified, emotion took control and I fell into the trap. Somehow, my account was indeed banned; I verified this with Steam's website and Steamid.uk. I have no idea how this came to be, but I am assuming some trickery with the report system was abused. At this point I thought that because he was able to verify my account being banned and show the "admin controls" (see video), he was truly a Steam support agent: an enormous error in judgement on my part.
Stage 4:
The scammer told me to log out of all of my devices. I said I couldn't log out of all of them as I have too many to manage, so he suggested to change my password. I changed my password. I first "de-authorised" all devices, and the process of doing that removed Steam Guard Mobile App Authenticator from my account. A huge mistake.
UPDATE: The scammer linked what I think is a SPOOF website, as below: I have double checked and the website could be a phishing link; the connection is not secure despite showing HTTPS, as on the actual Steam support link at help.steampowered.com.
UPDATE2: I can't verify whether the below "advice" is legit or not. If it was a phishing website, it could explain how they got my password.
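A padlock or "https://" in the address bar only proves that the connection is encrypted to whoever owns that host; it says nothing about whether that host is Steam. The one thing that identifies the real support site is the exact hostname, help.steampowered.com, and a phishing page will typically hide another domain behind a lookalike: an extra label tacked on after the real name, a misspelling, a punycode/homograph label, or a "user@host" trick where the part before the "@" is just a username. The check below is an added example written for this post, not something Steam or the post's author provides. The sample links are constructed for the demonstration and use the reserved .example top-level domain; none of them is the link the scammer actually sent.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# The only host this check accepts. help.steampowered.com is the support
# address the post itself names; everything else is treated as suspect.
OFFICIAL_SUPPORT_HOST = "help.steampowered.com"


def check_support_link(url: str) -> tuple[bool, list[str]]:
    """Return (looks_official, reasons).

    Passes only for https:// plus an exact host match. Anything that merely
    looks like Steam (extra labels, lookalike spelling, punycode, '@' tricks)
    fails, and the reasons list spells out why.
    """
    reasons: list[str] = []
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError as exc:
        return False, [f"unparseable URL: {exc}"]

    if parts.scheme.lower() != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'!r}, not https")

    # https://help.steampowered.com@evil.example/ : the browser connects to
    # the part AFTER the '@'; the part before it is only a username.
    if parts.username is not None:
        reasons.append("URL carries userinfo before '@'; the real host is what follows it")

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        reasons.append("no host in URL")
        return False, reasons

    if not host.isascii():
        reasons.append("host contains non-ASCII characters (possible homograph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("host uses punycode (xn--), possible homograph lookalike")

    if host != OFFICIAL_SUPPORT_HOST:
        reasons.append(f"host {host!r} is not {OFFICIAL_SUPPORT_HOST!r}")
        if host.startswith(OFFICIAL_SUPPORT_HOST + "."):
            reasons.append("real domain appears only as a subdomain of another domain")
        elif "steam" in host:
            reasons.append("host merely contains 'steam' (classic lookalike)")

    if port not in (None, 443):
        reasons.append(f"non-standard port {port}")

    return not reasons, reasons


# Constructed sample links for the demonstration. None of the lookalikes is a
# real site seen in the scam; they all use the reserved .example TLD.
SAMPLE_LINKS = [
    "https://help.steampowered.com/",                        # genuine host
    "http://help.steampowered.com/",                         # right host, no TLS
    "https://help.steampowered.com.ticket-verify.example/",  # subdomain trick
    "https://steampowered-support.example/",                 # lookalike name
    "https://help.steampowered.com@login.example/",          # '@' userinfo trick
    "https://xn--hlp-steampowered-abc.example/",             # punycode label
    "https://help.ste\u0430mpowered.example/",               # Cyrillic 'а' homograph
]


def triage(links: list[str] = SAMPLE_LINKS) -> dict[str, bool]:
    """Map each link to whether it passes check_support_link."""
    return {link: check_support_link(link)[0] for link in links}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, why = check_support_link(link)
        print("OK " if ok else "BAD", link, "; ".join(why))
```

Only the first sample passes. The point of the exact-match rule is that it is the one test a tired person can apply without judgement: if the hostname is not literally help.steampowered.com, the padlock is irrelevant and nothing typed into that page (password, SMS code, Steam Guard code) is going to Steam.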
Stage 5:
I changed the password and the scammer asked me for an SMS confirmation code that was sent to my phone. At this point, he was likely resetting my email/phone credentials and gaining full access to my account. I cannot put it any other way: I was a fool to even consider the possibility of providing the 2-Factor Authentication code, but I did because I was emotional and scared. Emotions control me and this time they messed with my thinking. I will be clear when I say, I knew this from before but:
NEVER DISCLOSE 2FA CODES. EVER. EVER.
Do not make the same huge mistake / judgment error I made, this is likely the turning point of my account hijack.
Stage 6:
The scammer now has control of my account, and he will use that to essentially hold me hostage. At this point, I am in so deep I am confused and emotional, I don't know what to think. The scammer requires me to purchase a Gift Card to "verify my account" by adding Steam Funds to it. Now, this isn't quite as crazy as you might think, as Steam does have something similar in place (see video for how he presented this), and I will say now it looked legit. However, yes, I made a monumental error in judgement (emotions screw me up) by going ahead with this.
The scammer became very impatient, another really huge warning sign of a scam, but I still just felt he was an overworked support agent (naïve, dumb of me), and he even called me on Discord (something I don't usually do, but emotions overthrew the social anxiety at this point) and he was very convincing at the time.
Stage 7:
I purchased the gift card for around 120 euros, and the scammer demanded to see the code to "verify my account". I, like a fool, showed him the code. At this point the scammer started playing the game "Valorant" on his Discord account, and I knew I had made a grave mistake as the reality kicked in that I had been played for a fool.
It wasn't until he demanded yet another 120 euro gift card that my logical brain kicked down the emotional door and said "HOLD UP", but by this point it was already too late. The scammer had almost certainly redeemed the code and was enjoying the benefits in a game / some other activity on steam. As I said before, please see the video for the full transcript and history.
Stage 8:
The scammer becomes increasingly impatient and continues to threaten to delete my account, he had said there was a 1-2 hour time limit before my account was "locked" permanently. After I'm finally able to see logic and reason, he blocks me.
Conclusion & Lesson well and truly learned.
This has been a huge lesson for me, in trust and in keeping a cool head, knowing my rights and just how Steam (or any company, for that matter) would actually approach such an issue.
The scammer got his money, and I hope he has a great time using that in a game, because I did pay for it after all, but he did teach me a (traumatic) lesson I will never forget.
The big take-aways from this lesson that must be made perfectly clear are:
Never, under any circumstances, disclose Passwords, Usernames or 2FA codes to anyone.
Steam or any company, will NEVER ask for them, and they do not use 3rd party chat apps like Discord to facilitate these situations.
I will notify the relevant authorities.
Fool me once, shame on you (and me being dumb at 3AM)
Fool me twice, shame on me, though.
UPDATE: I made a video here: