{"id":38691,"date":"2021-02-08T13:17:35","date_gmt":"2021-02-08T18:17:35","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=38691"},"modified":"2021-09-17T07:33:01","modified_gmt":"2021-09-17T11:33:01","slug":"tales-from-steam","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/tales-from-steam\/38691\/","title":{"rendered":"Steam and mirrors: How gamers get duped"},"content":{"rendered":"<p>People learn more from their mistakes than from cautionary tales of scam and fraud, so, for today\u2019s security postmortem, we collected edifying tales from real-life gamers. Here are four from victims and one from a perpetrator.<\/p>\n<h2>Gift fraud<\/h2>\n<p>Mikhail Mad_Bucket, 23, translator:<\/p>\n<p>\u201cAbout seven years ago, something pretty interesting happened to me on Steam\u00a0\u2014 technically a scam, but not really. In <em>Team Fortress 2<\/em>, there were these weapons that counted kills, and I wanted to sell a dropped crossbow that had this gizmo. Then a stranger on Steam offered to trade it for the game <em><a href=\"https:\/\/en.wikipedia.org\/wiki\/Eets\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Eets<\/a><\/em>.<\/p>\n<p>\u2018Wow, a game for a weapon!\u2019 I thought. We exchanged, I installed <em>Eets<\/em>, and everything seemed OK. But then I went to this guy\u2019s profile, and there in caps it said: \u2018GUYS, FREE EETS FOR WHOEVER WANTS IT.\u2019 It turned out that some site was handing out keys for the game just like that, as many copies as you liked.\u201d<\/p>\n<p><strong>Moral:<\/strong> If you are offered a free or very cheap game, go to the developer\u2019s or publisher\u2019s official website and see if it mentions the promotion. If it does, buy or download the game there\u00a0\u2014 no need to take unnecessary risks. 
Our hero was very lucky that, in exchange for the weapon, he got a real copy of the (free) game, and not an <a href=\"https:\/\/www.kaspersky.com\/blog\/gaming-password-stealers\/35895\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">army of Trojans<\/a> or a fake key.<\/p>\n<p>If your goal is to avoid paying for computer games, check out our <a href=\"https:\/\/www.kaspersky.com\/blog\/free-pc-gaming-with-no-risks\/36837\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">guide to no-risk free gaming<\/a>.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kts-dm-gamers\">\n<h2>Malicious apps and account hijacking<\/h2>\n<p>Anonymous, 17:<\/p>\n<p>\u201cI\u2019ve had two run-ins with scammers. The first time, I found a program supposedly for boosting items in <em>CS:GO<\/em>, which imitated the Steam login screen. I was 10, I didn\u2019t really know what I was doing. I entered my details, they leaked, my account was almost stolen.<\/p>\n<p>Back then, accounts with items got hijacked really quickly. Then, in a different account, I started crafting stuff in <em>CS:GO<\/em>. I got an AWP Redline and an M4A4 Asiimov in about two hours, as I recall. Just 20 minutes later the account was stolen, and the items got gifted away. I don\u2019t know how it happened\u00a0\u2014 maybe they hijacked a database somewhere. Btw, tech support still hasn\u2019t returned that account. To be honest, I remember those times with horror\u00a0\u2014 login without 2FA and poor-to-average Steam support.\u201d<\/p>\n<p><strong>Moral 1:<\/strong> It\u2019s not safe to enter credentials in third-party services, especially if they promise mountains of gold or illegal benefits such as a rating boost\u00a0\u2014 you risk having your account hijacked. 
Avoid installing dubious apps as well; what looks like cheats and bots may really be malware.<\/p>\n<p>Better still, use a <a href=\"https:\/\/www.kaspersky.com\/advert\/security-cloud?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____ksc___\" target=\"_blank\" rel=\"noopener nofollow\">security solution<\/a> that stops malicious apps in their tracks, blocks fake sites, and wards off <a href=\"https:\/\/www.kaspersky.com\/blog\/more-steam-threats\/22171\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">other evils<\/a>.<\/p>\n<p><strong>Moral 2:<\/strong> <a href=\"https:\/\/www.kaspersky.com\/blog\/game-accounts-passwords\/36221\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Creating a strong and unique password<\/a> for each service you use is critical. Make each one strong, so it can\u2019t be brute-forced, and make it unique so that in case of a leak, your other accounts won\u2019t be lost. If coming up with and remembering key phrases is problematic for you, use a <a href=\"https:\/\/www.kaspersky.com\/password-manager?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener nofollow\">password manager<\/a> to securely store your passwords and automatically enter them for account login as needed.<\/p>\n<p>For more protection, enable two-factor authentication. That way, to log in to your account, you (or anyone else) will need not only the password, but also a one-time code, making it harder to hijack. 
See our posts on how to activate this and other security features in <a href=\"https:\/\/www.kaspersky.com\/blog\/steam-privacy-security\/33981\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Steam<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/origin-privacy-security\/37602\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Origin<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/battlenet-privacy-security\/37490\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Battle.net<\/a> and <a href=\"https:\/\/www.kaspersky.com\/blog\/twitch-privacy-security\/34519\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Twitch<\/a>.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kpm-download\">\n<h2>Social engineering: A cybercriminal\u2019s tale<\/h2>\n<p>Alexander, 28, SAP programmer:<\/p>\n<p>\u201cBack in the early days of <em>Lineage II<\/em>, some friends of a gullible classmate of mine decided to initiate him in the ways of this MMORPG. They created an account for him and poured in a lot of money (at least by high-school standards). They bought him D-grade gear [<em>better than standard\u00a0\u2014 ed.<\/em>] and secretly completed the first class transfer quest. As a guy always looking to profit at someone else\u2019s expense, I offered to help him with the second transfer.<\/p>\n<p>He was clueless about the game but itching to get hooked. After class, I went to his house and, pretending to do a class transfer quest, killed a couple of skeletons and chatted with a guard. In an important-sounding voice, I told him that the job was done and asked for his \u2018outdated gear\u2019 as token payment. He happily handed it over. We bought him a wooden sword in return, and I left with a feeling of accomplishment.\u201d<\/p>\n<p><strong>Moral:<\/strong> If someone offers to do something for you, make sure you fully understand what it is and whether you really need it. 
Find out the price right away\u00a0\u2014 it may not be worth it. And never let gaming pros into your computer or account \u2014 even if they are \u201cfriends.\u201d Although the narrator of this tale showed some restraint, you can\u2019t count on a real scammer to spare victims.<\/p>\n<h2>Account hijacking with TeamViewer<\/h2>\n<p>Anonymous, 20, student:<\/p>\n<p>\u201cBack when I was a kid playing <em>Counter-Strike: Source<\/em>, I found this 35hp server where there was this dude in an Iron Man skin. His ragdoll made these cool metallic sounds upon dying. You could say I was impressed. I asked in the general chat how to get this type of skin, and the server admin said the model was only for admins, but just this once I could have it free.<\/p>\n<p>He activated the skin for me on the server, and everything seemed fine, but then he wrote that the model had to be activated on Steam so it wouldn\u2019t disappear. At his suggestion, I installed TeamViewer and gave him access to my computer. He connected, opened Notepad right on my desktop and wrote what to do there. To cut a short story even shorter: I gave him my account details, he logged in supposedly to activate the skin, and that\u2019s how I lost my first Steam account.\u201d<\/p>\n<p><strong>Moral:<\/strong> Installing third-party software, let alone handing over control of your computer to a stranger, is a big risk. As for giving out your account username and password, don\u2019t do it, even if you\u2019re promised a cool feature or a fix for a serious issue, as <a href=\"https:\/\/www.kaspersky.com\/blog\/remote-access-scams\/27552\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">tech-support scammers<\/a> do. 
If you need help from a tech-savvy friend, let them explain verbally how to solve the problem.<\/p>\n<h2>The world\u2019s shortest tragedy<\/h2>\n<p>Hermit Purple, 18, professional commenter in VKontakte communities:<\/p>\n<p>\u201cI was playing <em>Digger Online<\/em>, logged in to the server. The admins said: item or ban. I bought them an item, but they banned me anyway.\u201d<\/p>\n<p><strong>Moral:<\/strong> No moral here; we can only sympathize.<\/p>\n<div id=\"attachment_38692\" style=\"width: 1470px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/02\/08130620\/tales-from-steam-midori.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-38692\" class=\"size-full wp-image-38692\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/02\/08130620\/tales-from-steam-midori.jpg\" alt=\"Midori Kuma commiserates with gamer victims\" width=\"1460\" height=\"938\"><\/a><p id=\"caption-attachment-38692\" class=\"wp-caption-text\">Midori Kuma <a href=\"https:\/\/knowyourmeme.com\/memes\/press-f-to-pay-respects\" target=\"_blank\" rel=\"noopener nofollow\">commiserates<\/a> with gamer victims<\/p><\/div>\n<h2>How to guard against gaming scams<\/h2>\n<p>Gamers who want to keep their money, gear, and accounts need to:<\/p>\n<ul>\n<li>Protect game accounts with strong and unique passwords, and don\u2019t forget to enable two-factor authentication. 
Here\u2019s how to set up accounts in <a href=\"https:\/\/www.kaspersky.com\/blog\/steam-privacy-security\/33981\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Steam<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/origin-privacy-security\/37602\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Origin<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/battlenet-privacy-security\/37490\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Battle.net<\/a> and <a href=\"https:\/\/www.kaspersky.com\/blog\/twitch-privacy-security\/34519\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Twitch<\/a>.<\/li>\n<li>Double-check deals and offers, looking at seller (or buyer) profiles, reading reviews, and studying vendor websites. It\u2019s better to lose half an hour than all your money.<\/li>\n<li>Take your time entering account credentials. First, make sure you are using the official site or app. Type in the address manually if possible, and make sure there are no typos in the name of the site you are visiting. Don\u2019t rely on familiar page layouts for quick visual confirmation; they are easily copied.<\/li>\n<li>Reject additional programs. If a friend or acquaintance (or an online stranger!) asks you to install anything \u2014 especially a remote access tool such as TeamViewer \u2014 forget about it. If they\u2019re helping you with a problem, have them explain the solution so you can do it for yourself.<\/li>\n<li>Never disable your antivirus when playing. 
Many modern security solutions, such as <a href=\"https:\/\/www.kaspersky.com\/advert\/security-cloud?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____ksc___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security Cloud<\/a>, include a gaming mode that goes light on resources and does not interfere with game play.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kts-dm-gamers\">\n","protected":false},"excerpt":{"rendered":"<p>Gut-wrenching stories of in-game cheating told by actual participants.<\/p>\n","protected":false},"author":2463,"featured_media":38693,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[2671,80,647,2669,726,164],"class_list":{"0":"post-38691","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-battle-net","9":"tag-fraud","10":"tag-gamers","11":"tag-origin","12":"tag-scam","13":"tag-steam"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/tales-from-steam\/38691\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/tales-from-steam\/22506\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/tales-from-steam\/17996\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/tales-from-steam\/8936\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/tales-from-steam\/24217\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/tales-from-steam\/22288\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/tales-from-steam\/21026\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/tales-from-steam\/24692\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/tales-from-steam\/23917\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/tales-from-steam\/30090\/"},{"hreflang"
:"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/tales-from-steam\/9330\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/tales-from-steam\/16388\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/tales-from-steam\/16942\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/tales-from-steam\/14474\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/tales-from-steam\/26222\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/tales-from-steam\/30027\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/tales-from-steam\/26688\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/tales-from-steam\/23545\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/tales-from-steam\/28885\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/tales-from-steam\/28692\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/gamers\/","name":"gamers"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/38691","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2463"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=38691"}],"version-history":[{"count":6,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/38691\/revisions"}],"predecessor-version":[{"id":42006,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/38691\/revisions\/42006"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/38693"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=38691"}],"wp:term":[{"taxonomy":"category","embeddable":true,
"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=38691"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=38691"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}