Today we want to tell our customers about a scam known as the Steam API Scam. It has been in use since spring 2018, but some users still fall for it, which is why we wrote this article.
What is the Steam API Scam?
Scammers steal the API key from your account and use it to manage incoming and outgoing exchanges. They replace the original exchange with a fake exchange that sends the items to their bot. The scammers' script copies the bot's name and avatar, and even the exchange message.
How can they steal my API key?
Fake authorization windows are to blame. They ask you to enter your login, password and Guard code, which is enough for the script to create an API key and use it later. The window looks almost identical to the original, BUT there are still differences:
1). The window is built as an HTML element on the site, so you cannot move it outside the browser. (Not always)
2). The authorization link is fake. It should be https://steamcommunity.com/openid/login?openid.ns=
3). You are asked to log in even if you are already authorized in your browser.
4). You can't change the language of this window.
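A check for difference 2, as an added example that is not part of the original article or the site's own code: it tests whether a link really points at the Steam sign-in address quoted above and rejects lookalike hosts. The function name, the reason strings and the sample links are assumptions made for illustration.

```javascript
// Added example: compare a link that claims to be the Steam sign-in page
// with the address given in the article.
const EXPECTED = {
  protocol: "https:",
  hostname: "steamcommunity.com",
  pathname: "/openid/login",
  param: "openid.ns", // only presence is checked: the article truncates the value
};

function checkSteamLoginLink(link) {
  let url;
  try {
    url = new URL(link); // WHATWG parser: lowercases the host, punycodes IDNs
  } catch {
    return { genuine: false, reasons: ["not a parseable absolute URL"] };
  }
  const reasons = [];
  if (url.protocol !== EXPECTED.protocol) reasons.push("scheme is not https");
  // Exact match only, so "steamcommunity.com.login.example" does not pass.
  if (url.hostname !== EXPECTED.hostname) reasons.push(`host is ${url.hostname}`);
  // "https://steamcommunity.com@login.example/" hides the real host after "@".
  if (url.username || url.password) reasons.push("userinfo before the host");
  if (url.port !== "") reasons.push("non-default port");
  if (url.pathname !== EXPECTED.pathname) reasons.push("path is not /openid/login");
  if (!url.searchParams.has(EXPECTED.param)) reasons.push("openid.ns parameter missing");
  return { genuine: reasons.length === 0, reasons };
}

// Constructed sample links; the .example hosts and the parameter value are placeholders.
const SAMPLES = [
  "https://steamcommunity.com/openid/login?openid.ns=PLACEHOLDER",
  "https://steamcommunity.com.login.example/openid/login?openid.ns=PLACEHOLDER",
  "https://steamcommunity.com@login.example/openid/login?openid.ns=PLACEHOLDER",
  "http://steamcommunity.com/openid/login?openid.ns=PLACEHOLDER",
  "https://steamcommunity.com:8443/openid/login?openid.ns=PLACEHOLDER",
];

for (const link of SAMPLES) {
  const result = checkSteamLoginLink(link);
  console.log(result.genuine ? "OK  " : "FAKE", link, result.reasons.join("; "));
}
```

Feed it the address from the browser's real address bar or the link's actual target; text drawn inside a fake window (difference 1) can display anything.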
How are they stealing my items?
1). Our site sends you the exchange and you confirm it.
2). As soon as you confirm the exchange in your browser, and while you are busy opening your mobile authenticator to re-confirm it, their script has already replaced the original exchange with the fake one and confirmed it itself.
3). When you open the mobile authenticator and see the confirmation to send items, it is already the fraudulent exchange. Most of the time people don't notice this and give away their items themselves.
We can't control whether your API key is stolen, but we have tried to warn you as much as possible.
As soon as the original exchange is rejected and our system receives this information, a notice with detailed information will appear on our website and you will hear an audible notification.
Unfortunately, this will not help users who make the transaction from a cell phone, as at this point their browser will be minimized.
What should I do if I have already given my API key to scammers?
1. Change your Steam account password.
2. Remove the API key at https://steamcommunity.com/dev/apikey
3. Check that the key is not re-created and your exchanges are not replaced with fake ones.