We are here to discuss how to protect yourself from CS:GO skin scams. The topic does not lose relevance from year to year; if anything, it is gaining momentum. Even the draconian account protection measures Valve has put in place don't always save the day, because 90% of scam schemes rely on either the user's gullibility or knowledge of the Steam API. That's what I'd like to talk about.
In any situation, always keep track of where and for what purposes you enter your Steam API key, as well as the confirmation code from Steam Guard. Use only trusted programs and sites. Ours can be trusted: we fight bots ourselves on a regular basis.
How things are hijacked via API key
How does a classic account hijacking work? You've deposited skins on some site with «instant» crediting. Several hours pass and the funds have still not been credited to your account, and no one is thinking of returning the items to your inventory. The puzzling part is that the verification code of the trade was correct, so it seems there is no way you could have made a mistake.
That's the thing: you could have, only much earlier and through inattention. It happens as follows:
- You click on the button to replenish your account;
- The bot sends you a trade with a secret code;
- A fraudster who has access to the API key receives this very code and with it all the information about the trade (code, bot name, items to be transferred);
- Using the user's key, the attacker cancels the genuine trade and instantly sends a new one, changing the nickname of his own bot, while the verification code remains the same and the list of items is identical (if you know the mechanics, it's a matter of 1-2 seconds);
- You accept the new trade without even realizing the trick, because everything is automated.
As a result: no skins, no money. So, most importantly, always keep an eye on the bot's nickname and avatar. Forging them takes much longer and is more troublesome, so they serve as a kind of indicator.
What is an API key and how is it recognized?
An API key is a unique combination that gives access to various actions on your Steam account. Scammers use it to obtain data on trades, cancel the original trade and substitute a fake one for their own benefit.
Unfortunately, finding out the key is not difficult. For this purpose, attackers run many phishing portals with an authorization form that perfectly copies the original site. So pay close attention to the domain name: it is the first place where trouble happens.
The procedure is banal:
- you are lured to the fake site by freebies, or by cross-references from a promoted resource;
- you enter the login and password for the «familiar» platform;
- you get a verification code from the Steam authenticator;
- the other side of the network intercepts the request, instantly substituting an API key that will be used by a third party.
Here's a classic example of a phishing site with an explanation of the key inconsistencies.
Option two — extended.
You can't get a key without user action — remember this.
How to check your account for potential loss of access rights
If you want to know how to protect yourself from the CS:GO skin scam in 2021, follow this link and check whether an API key has been generated for your account.
https://steamcomunity.com/dev/apikey
And we are more than sure that no one bothered to read the link in full before clicking on it and landing on a non-existent site. That's how gullible gamers get caught. The original link is here: https://steamcommunity.com/dev/apikey
If the user's account is clean, no key will be there. But if there is a value and you did not create it yourself, the account is hacked with 100% probability.
The second way to check account protection is to sell some item from your account using our service Lis-Skins.ru. Before confirming the trade on your phone, don't forget to go here:
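The one-letter difference between the two links above is easy to miss by eye but trivial to catch in code. The following is an added example, not code from Lis-Skins or Valve: it compares a link's hostname with the genuine Steam hosts named on this page and flags near-misses. The allowlist, the function names and the distance threshold are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Genuine hosts taken from the links on this page; extend as needed.
TRUSTED_HOSTS = ("steamcommunity.com", "store.steampowered.com")


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_url(url, max_distance=2):
    """Return (verdict, closest_trusted_host) for the URL's hostname.

    verdict is "trusted" only on an exact hostname match, "lookalike" when
    the hostname is within max_distance edits of a trusted host, and
    "unknown" otherwise.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in TRUSTED_HOSTS:
        return ("trusted", host)
    closest = min(TRUSTED_HOSTS, key=lambda good: edit_distance(host, good))
    if edit_distance(host, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)


if __name__ == "__main__":
    for link in ("https://steamcomunity.com/dev/apikey",
                 "https://steamcommunity.com/dev/apikey"):
        print(link, "->", classify_url(link))
```

Only an exact hostname match counts as trusted; anything else, however similar it looks, should not receive your login, password or Steam Guard code.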
http://steamcommunity.com/id/me/tradeoffers/ (this time the link without a trick)
If there are two identical trades with the same verification code and one of them is canceled, the account is hacked, finally and irrevocably.
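The manual check above (and the swap described in the hijacking steps earlier) can be expressed as a small detection routine. This is an added example, not code from Lis-Skins or Valve: the offer records are constructed, their field names are hypothetical rather than Steam's real API fields, and comparing a stable sender account id is an assumption of the sketch.

```python
from collections import defaultdict

# Constructed sample: simplified offer records with hypothetical field names
# (these are not Steam's real API fields).
SAMPLE_OFFERS = [
    {"id": "1001", "sender_id": 111, "code": "A7F3", "state": "canceled",
     "created": 1000, "items": ["AK-47 | Redline", "Glock-18 | Fade"]},
    {"id": "1002", "sender_id": 222, "code": "A7F3", "state": "active",
     "created": 1002, "items": ["Glock-18 | Fade", "AK-47 | Redline"]},
    # Same sender re-issuing its own offer: not the swap pattern.
    {"id": "1003", "sender_id": 333, "code": "K2Q9", "state": "canceled",
     "created": 5000, "items": ["AWP | Asiimov"]},
    {"id": "1004", "sender_id": 333, "code": "K2Q9", "state": "active",
     "created": 5010, "items": ["AWP | Asiimov"]},
]


def find_swapped_offers(offers, window_seconds=60):
    """Return (canceled_id, active_id) pairs where a canceled offer and a
    pending one share the verification code and item list, come from
    different sender accounts, and the pending one was created shortly after."""
    groups = defaultdict(list)
    for offer in offers:
        # Sort items so that listing order does not hide a match.
        groups[(offer["code"], tuple(sorted(offer["items"])))].append(offer)

    suspicious = []
    for group in groups.values():
        canceled = [o for o in group if o["state"] == "canceled"]
        active = [o for o in group if o["state"] == "active"]
        for c in canceled:
            for a in active:
                delay = a["created"] - c["created"]
                if a["sender_id"] != c["sender_id"] and 0 <= delay <= window_seconds:
                    suspicious.append((c["id"], a["id"]))
    return suspicious


if __name__ == "__main__":
    for canceled_id, active_id in find_swapped_offers(SAMPLE_OFFERS):
        print(f"Do not confirm offer {active_id}: "
              f"it duplicates canceled offer {canceled_id}")
```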
How to return items if the account is hacked
You can knock on the virtual door of Steam support long and hard, but the chances of canceling such a trade are always zero. Furthermore, you won't get any compensation from the marketplace because it's not Valve's responsibility. Instead, the operator will once again say that it is forbidden to enter confidential information on third-party unverified resources.
Is there any way to prevent such cases in the future? Kind of. If you have not created an API key and, in principle, do not know what it is for, go to https://steamcommunity.com/dev/apikey and delete the key by clicking Revoke My Steam Web API Key.
After that, follow this link: https://store.steampowered.com/twofactor/manage. There you need to choose «Log out on all other devices», as your account is probably listed on one of the attackers' servers.
Of course, you will need to completely change all the passwords on your account and periodically make sure that another API key does not reappear without your knowledge.
The administration of Lis-Skins.ru strongly recommends sending this article to all your friends and acquaintances who either have already been attacked by fraudsters or seriously fear for the security of their accounts. It won't cost you anything, but you'll feel better.