Recently there have been many reports about skins missing from the account, which looks like this: the user sends skins for sale or exchange, but they do not arrive to the addressee. This can happen if fraudsters have gained access to the account's API key and spoof trades. Learn how it works and how to protect your account.
What is an API key
An
API key – is a unique combination of letters and numbers that allows you to control your account. It is used to identify the account. This means that if an attacker managed to get hold of your key, they will be able to spoof your trades. As a result, the items you send to another person will end up with the scammer or, on the contrary, you will not receive the skins that were sent to you.The account does not have an API key by default. It is not needed for sending trades and other normal actions in the account – it is used by developers, for example, when creating applications that interact with Steam. To check if you have such a key, go to https://steamcommunity.com/dev/apikey. If the key is not created, a similar page will be displayed:
If you see it after the link, there is nothing to worry about. You don't have an API key attached to your account, which means attackers can't use it to gain access. If you have a key, we advise you to remove it (click «Revoke API key»), log out on all devices (you can do it via Steam Guard app) and change your account password.
How fraud occurs
Nowadays user accounts
are
protected by Steam Guard, so it is difficult for fraudsters to directly access their management. They use a multi-step scheme, tricking the account holder himself into giving them access. Here's how it happens:A user goes to an unverified site that requires them to log in with a Steam account.
This site steals the account data and embeds an API key on it.
The key is used to spoof the trade. Now, no matter who you send skins to, they end up in the hands of scammers.
Because many users are already aware of this scheme and are cautious, scammers are coming up with more complicated moves. The essence of their actions remains the same - to get the user to first log in to the phishing site and then send someone an exchange. But attackers use social engineering methods, i.e. they gain the trust of players and persuade them to perform the desired actions, for example:
A player whom you do not know personally offers you to take part in a tournament on a third-party site. He says that supposedly they already have a team assembled and are only missing one member. Often, he communicates with the player for several days or even weeks beforehand, so that trust is established between them.
Authorization on the site where the tournament is supposedly held leads to the same consequences – appearance in the account of an API key available to the attacker.
The scammer then convinces the player to transfer the skins to another user under some pretext. For example, he tells you that you can't play in a tournament with too expensive equipment, and you should give some of the items to someone you know. A player sends skins to someone he trusts, but they don't arrive to the addressee because the scammer intercepted the API key and spoofed the trade.
. At the same time, if you look at the history of trades in the account, there will be two exchange offers with the same items – one of them for the real addressee, and the other – for the scam bot. Scammers use information from the user's account and substitute the bot's nickname and avatar so that it is indistinguishable from the real recipient.
As you can see, the scheme is the same, but because it is hidden behind many other actions, it is harder to recognize. Now the scammers are willing to spend more time to gain the trust of the player and get access to his account. The main thing for them – is to get the API key, and after that they use different methods of persuasion.
For example, in addition to the option described above, they can write on behalf of Steam support and accuse the user of receiving stolen items. To be convincing, they may remove friends from your account and add a note to your description saying that suspicious activity has been seen. Then they convince you to send items to one of your friends to verify your account, and then everything follows the same pattern.
What to do to avoid
gettingcaught
Thus, to get skins, scammers pursue two goals – create an API key on the player's account, and then force him to confirm the exchange. To disguise these actions, they can make up some pretty convoluted stories. Therefore, in order not to lose valuable skins, observe the following rules:
Read reviews about the site on third-party resources before logging in via Steam. Do not participate in dubious tournaments.
Be careful when communicating with users you don't know personally. Be careful of the links they send you. Look for information about them before clicking on them or performing any actions on these sites.
Periodically check to see if your account has an API key, so you can spot suspicious activity in time.
Be careful if someone writes to you on behalf of Steam support. If such messages come through regular chat, they are scammers. Real support staff will not add you as a friend or chat with you.
When clicking on links, make sure you are not on a phishing site. Often the link in the address bar may differ from the genuine one or two letters.
When sending items to someone, carefully check who you are sending the trade to.
Use only trusted third-party sites to sell or trade skins.
Follow these rules and your account will be safe.
