How to Secure Your Steam API Key from Scam Attacks
The number of phishing bots and websites has drastically increased in recent months. Man-in-the-middle attacks are aimed at intercepting and collecting users’ ID and authentication data to then gain access to their funds and other assets, like your in-game items on Steam.
Notorious social engineering tricks seem not to be effective anymore, at least to experienced users, since Valve introduced its cybersecurity weapon, the Steam Guard.
Two-factor authentication makes it far harder for cybercriminals to steal or otherwise misuse your personal account data. All transactions between users on the website thereby must be approved via email or, preferably, via a user’s smartphone.
Unfortunately, cyber fraudsters invent new ways to deceive gamers. One of the new phishing threats to users’ accounts on Steam is the Web API Key scam. It also holds true for any other digital marketplace, where personal API keys are used to confirm transactions.
Here is how a typical scam works:
- Scammers profile and target their potential victims by leveraging public Google ad tools like keyword research and analysis to collect information on popular websites and marketplaces mostly visited by gamers and others.
- Once the search results of a common gamer are measured, the cybercriminals make use of direct ad means like Google AdWords to ensure top rankings for their counterfeit websites. A phishing site’s web address always looks almost identical to the authentic one, except a few added or misspelled symbols.
- A misguided user clicks the top link on the search results page, which is not a genuine one, and leads him to the phishing website.
- Fake sites usually fully imitate the original UI, home and landing pages, asking the deceived users to authenticate and leave their personal data like a login and a password. That’s where scammers jump in to steal user accounts.
- When the account data is retrieved, cybercriminals get full control over scammed Steam accounts and receive Web API Keys to monitor further transactions.
- The scam will come into action as soon as a user decides to purchase or sell his in-game items on Steam or any similar marketplace.
- Once a legitimate trade offer is sent by a Steam bot to the user, a scam bot immediately cancels the trade and initiates his own fake offer, sending it to the user’s mobile phone or email address.
- Since the fake and the real trade offers look quite identical, the victim confirms it with his email or a mobile phone authentication app. From now on, all the items are gone forever.
- If the victim checks his trade history, he may see there are two trade offers, the real one getting rejected.
With this in mind, let’s figure out what a regular user can do to prevent such a fraud so to keep his Steam account safe and sound from scam attacks?
There is almost nothing to do about listing phishing websites in Google top search rankings, except sending complaints to tech support services. However, users can protect their own Steam accounts by following some simple steps.
4 ways to avoid scam threats
A rule of thumb here is “better safe than sorry”. There are several simple things you can do beforehand to protect your Steam (or any other) account from getting scammed and stolen.
- Authentication only via Steam and trusted websites. To minimize your chances of getting into serious trouble with phishing websites, log into your Steam account on Steam only, or, at least, on marketplaces, which you are confident about. Keep an attentive eye on the website link you are about to click. It is always far safer to authorize with Steam first, no matter what in-game trade marketplace you are eventually going to use.
- Password change. This is a great way to terminate your current session on Steam and block scam bots from accessing your account. You can alter your Steam login credentials in two ways – by clicking ‘Forgot password’ or ‘Change my password’ options. The first variant is preferable, since it allows you to continue trading on Steam without any trade suspension period.
- Revoke Steam Web API Keys. If your account is scammed, the API key is obviously in the fraudsters’ database. So visit your user’s page on Steam, call back your current API key, and let Steam generate a new one instead. Take up the habit of regularly changing your Steam Web API Key to ensure your account is safe and not exploited by cybercriminals. Here you can revoke and re-generate your keys.
- Check sent trade offers. Visit your Steam user page and go to this page every time you have offers to be confirmed via your mobile phone or email.
Remember that the security of your Steam account is primarily your own duty. Follow our instructions and enjoy a great time trading your in-game items in a secure and transparent way.