PSA: Spreading awareness of a phishing scam I got hit with today in steam/dota.


Hey all! I wanted to spread some awareness of a phishing scam I got hit by today. This doesn't have much to do with dota, but it was a friend I'd made through dota and the scam was related to dota content.

One of the friends on my steam friends list, who plays DotA, sent me a link while I was playing a match today, asking me how I was doing, and congratulated the new year to me. I took a bit to respond but said hi and chatted briefly. Eventually the conversation turned and he asked me to vote for him and his dota team so he could qualify for a tournament. This sounded weird to me, but I was like "sure, how?" and then he sent me a link to a website and gave me a couple simple instructions. I'm not posting the link since it's probably not safe to post. Regardless, the website looked legit at a glance. I pressed vote and I was prompted to sign into steam.

Big mistakes here. The steam form looked incredibly legit so I signed in. (The forms did not autofill, though. Big giveaway in hindsight.) I got hit with my steam guard authenticator code except something was off: my code to sign in wasn't working because the form only accepted numbers. And then I got a text instead that said "…. use this code: #####". I entered the code without reading the rest of the text and the form got submitted and the website said: "vote submitted."

This is when my red flag signal was blaring: the website didn't register that I was logged in despite saying my vote was submitted. The login at the top right still said "log in here". Then I took a look at the text I got: it said "To unlink your steam guard authenticator, use this code: #####". My god did I feel stupid. I checked my email quick and my steam authenticator was confirmed moved/deleted.

I fucking panicked. I quickly logged into steam, changed my password. Twice. Fumbled so hard trying to log in on my phone steam locked me out from trying to sign in. Changed my email password. Panicked and cursed under my breath cause I couldn't log into my phone to add the authenticator back online. 20 minutes later I realized that I could exit my wifi and sign in through my data on my phone. This worked, and I got my mobile authenticator back online.

After all that, I feel like an idiot, but so far I can't see any damage done to my account. Thank god for steam's security as I believe the hackers would have needed my email information to do any real damage. I'm still on the lookout for any potential flaws or missing things, but I think I'm safe.

So ya, stay vigilant out there. A deeper look into this website and it would have been SUPER easy to see that it was fake, but the guy played it off well as a: "can you do this small favor for me quick? It's really fast and simple." And I bought into that.

Source: https://www.reddit.com/r/DotA2/comments/ru3wrm/psa_spreading_awareness_of_a_phishing_scam_i_got/
