How to prevent Steam API key scam and how it works?

Saturday, 29 January 2022

You may have noticed that your friends on Steam have suddenly started sending you scam links and inviting you to enter contests.

When you get such a link, it usually comes with an excuse like a contest or tournament. Do not open this link under any circumstances! It is a fake copy of the Steam page, also known as phishing, which nowadays can be a 1:1 copy of the official one.

What is the target of the attackers?

As it happens, the attackers are trying to get money from your account.

If you have a balance in your Steam wallet, an attacker will likely list a worthless item on the Steam Market from another account for an exorbitant amount and buy it from your account. What does this accomplish? It transfers money from your wallet to the attacker's account. Currently, Steam does not require any confirmation when making a purchase on the Steam Market.

Another goal is to get in-game items (CS:GO skins). We will describe this method in the article below.

How do I know if it is a fake login website?

Identical copy of the website, a.k.a. "phishing"

There are many ways to tell if it's a fake site. We'll list the most important things to watch out for here.

Fake login sites require you to enter your authentication information (username and password) to get into your account. The official Steam site doesn't ask you to do this if you are already logged in (see screenshot). If you know you're logged in on the official Steam site and you don't see pre-filled information for the Steam login, you can be sure it's a scam, so don't log in to such a site! There is one cardinal rule here: always log in through the official Steam site, and then only confirm the pre-filled details.

Always check the address in your browser before logging in. The most commonly used official Steam addresses are steamcommunity.com and steampowered.com. Scammers try to make the page as identical as possible, so they may change some of the letters in a domain they own. You may not notice this typo at first glance, so check the address first before logging in. An example would be steamcomnity.com and the like. The security lock icon may also help you check, but don't rely on the lock 🔒 alone: fraudulent sites can obtain this protection too.

this is what the pre-filled data looks like
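To make the address check above concrete, here is an added example (my own code, not from the original post) that classifies a URL by its hostname against the two official domains the post names, steamcommunity.com and steampowered.com. It flags typosquats such as the post's steamcomnity.com, hosts that merely contain the official name as a prefix, and homoglyph hosts, while ignoring the scheme, because an https lock says nothing about who owns the domain. The edit-distance threshold of 2 and the sample URLs are my assumptions.

```python
from urllib.parse import urlsplit

# Domains the post names as the official Steam login addresses; subdomains
# (e.g. store.steampowered.com) count as official, anything else does not.
OFFICIAL_STEAM_DOMAINS = ("steamcommunity.com", "steampowered.com")


def hostname_of(url):
    """Extract the lowercase host from a URL (https:// is assumed if no scheme is given)."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def is_official_steam_host(host):
    """True only for the official domains themselves or their subdomains.
    'steamcommunity.com.evil.example' is NOT official: the official name is only a
    prefix there, not the registrable domain."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_STEAM_DOMAINS)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return 'official', 'lookalike', 'unrelated' or 'invalid'.
    The scheme is deliberately ignored: an https:// lock icon proves nothing
    about who owns the domain (assumed threshold: edit distance <= 2)."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    if is_official_steam_host(host):
        return "official"
    # Homoglyph hosts (a Cyrillic letter in 'steam', or a punycode xn-- label):
    # decode punycode if present, then compare the ASCII skeleton so that
    # 'ѕteamcommunity.com' is measured as 'teamcommunity.com'.
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already a Unicode host or not valid punycode; compare as-is
    skeleton = "".join(ch for ch in host if ch.isascii())
    registrable = ".".join(skeleton.split(".")[-2:])
    for official in OFFICIAL_STEAM_DOMAINS:
        if official in skeleton or "steam" in skeleton or edit_distance(registrable, official) <= 2:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs; only the first two are official.
    for sample in ("https://steamcommunity.com/tradeoffer/new/?partner=1",
                   "https://store.steampowered.com/",
                   "https://steamcomnity.com/login",
                   "https://steamcommunity.com.evil.example/login",
                   "https://\u0455teamcommunity.com/",
                   "https://example.org/"):
        print(classify_url(sample), "<-", sample)
```

Anything other than "official" means the address is not the place to type a Steam password; a "lookalike" verdict is exactly the typo-in-the-domain case the post warns about.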

Fake pop-up window

A popular practice is the fake pop-up window that is part of the site. What is it? It's a pop-up window that pretends to be a browser window, but is actually just part of the site itself. The window is coded within the site, so scammers can put whatever they want in it. In the end, this window can pretend to be the official Steam site. There's one thing that scammers can't fake: this window can't be "dragged" out of the page, because it is part of the page. In practice this means it always gets stuck at the edge of the page and cannot be dragged beyond it.

These fake windows usually do not have an identical bar design to your browser's bar design. If the design of your browser does not match the design of the pop-up window, it is likely to be a scam.

browser bar design



design of the right pop-up window (in the browser)



design of the fake pop-up window (it can be observed that the design of the bar does not match the design of the bar in the browser)

Always check that the pop-up window is really open in your browser. How to do it? Hover your cursor over the browser, and if you see the Steam window listed there, you know the window is not fake. Even if the pop-up window itself is not fake, the website in it may be, so you should still check that it's not phishing.


check if the window is open in the browser

What should I do if I have logged into a fraudulent site?

If the attackers did not manage to steal your account, change your password immediately. If you do not have two-factor authentication (Steam Guard) activated, activate it. The attackers have probably generated and stolen an API key for your account. Deactivate it here so they can't use it to rob you of your in-game items (CS:GO skins, etc.). If your account has been stolen, contact Steam Support here.

How does this scam work?

The moment you enter your login credentials on the fake page, a request is sent to a bot that logs into your account. The bot then generates an API key through which it can send and cancel trade offers on your behalf. It can't confirm these offers itself; that still has to be done by you through Steam Guard.

The most dangerous thing about this type of scam is that you, the victim, may not know that the attacker has your API key. The moment you want to gift an in-game item to someone, the attacker cancels the offer via your API key and instead sends an identical offer, only the recipient is the attacker and not the person you were sending it to. You might think you'd notice that it isn't the account of the person you're sending to. Attackers have thought of this as well: the moment the attacker sends the same offer to himself on your behalf, he changes his profile picture and name to those of the person the item was originally intended for. This is all done by a script on the attacker's side, it happens within a second, and it goes virtually unnoticed by you. Again, there is one thing the attacker can't fake, and that is the registration date of the account you're sending to. Check it when you finally confirm the trade in Steam Guard; if it doesn't match, it's a scam, so cancel the trade and follow the steps above for what to do after logging into a fraudulent site.
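The cancel-and-resend pattern described above can be recognised mechanically from the fields the post says an attacker cannot copy: the SteamID and the account registration date. The following is an added example (my own code, not the post's or Valve's) that scans a constructed outgoing trade-offer history for an offer that is cancelled and, within seconds, replaced by an offer with the same items to a different account, and that applies the same registration-date check to a single Steam Guard confirmation. The event format, the 30-second window and the sample SteamIDs are my assumptions, not real Steam data.

```python
from datetime import datetime, timedelta

# Constructed sample of a victim's outgoing trade-offer history (not real Steam data).
# Offer 100 to the real "Alice" is cancelled one second after creation and replaced by
# offer 101 with the same item, sent to a much newer account that copied Alice's name.
SAMPLE_EVENTS = [
    {"time": "2022-01-29T18:00:00", "event": "created", "offer_id": "100",
     "partner_id": "76561198000000001", "partner_name": "Alice",
     "partner_created": "2015-03-01", "items": ["AK-47 | Redline"]},
    {"time": "2022-01-29T18:00:01", "event": "cancelled", "offer_id": "100"},
    {"time": "2022-01-29T18:00:02", "event": "created", "offer_id": "101",
     "partner_id": "76561198000000099", "partner_name": "Alice",
     "partner_created": "2022-01-20", "items": ["AK-47 | Redline"]},
    {"time": "2022-01-29T19:30:00", "event": "created", "offer_id": "102",
     "partner_id": "76561198000000002", "partner_name": "Bob",
     "partner_created": "2012-07-15", "items": ["AWP | Asiimov"]},
]


def recipient_mismatches(intended, shown):
    """Compare the recipient you meant to trade with against the one shown in the
    Steam Guard confirmation. Name and avatar can be copied; the SteamID and the
    registration date cannot, so those two fields decide. Empty list = consistent."""
    problems = []
    if shown["partner_id"] != intended["partner_id"]:
        problems.append("different SteamID")
    if shown["partner_created"] != intended["partner_created"]:
        problems.append("registration date differs (%s vs %s)"
                        % (intended["partner_created"], shown["partner_created"]))
    if problems and shown["partner_name"] == intended["partner_name"]:
        problems.append("same display name as the intended recipient: likely impersonation")
    return problems


def find_hijacked_offers(events, window=timedelta(seconds=30)):
    """Scan a time-ordered outgoing trade-offer history for the cancel-and-resend
    pattern: an offer is cancelled and, within `window`, an offer with the same items
    is created to an account that fails recipient_mismatches(). One alert per pair."""
    created = {}    # offer_id -> creation event
    cancelled = {}  # offer_id -> cancellation time
    alerts = []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["event"] == "created":
            for old_id, cancel_time in cancelled.items():
                old = created[old_id]
                if t - cancel_time <= window and old["items"] == ev["items"]:
                    problems = recipient_mismatches(old, ev)
                    if problems:
                        alerts.append({"original": old_id,
                                       "replacement": ev["offer_id"],
                                       "reasons": problems})
            created[ev["offer_id"]] = ev
        elif ev["event"] == "cancelled" and ev["offer_id"] in created:
            cancelled[ev["offer_id"]] = t
    return alerts


if __name__ == "__main__":
    for alert in find_hijacked_offers(SAMPLE_EVENTS):
        print("offer %(original)s was replaced by %(replacement)s:" % alert)
        for reason in alert["reasons"]:
            print("  -", reason)
```

The single-confirmation check is the one a user can do by hand in Steam Guard: the display name matches, but the registration date (2015 versus 2022 in the sample) does not, which is precisely the signal the post tells you to look for. Offer 102 to Bob is untouched and produces no alert.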

Finally, the bot uses a script to start spreading this fraudulent page through your account, in an attempt to lure more people.