Hello everyone,
Today we will be talking about the “Steam Web API” scam, how it works, and how to prevent yourself from falling victim to it.
What is it?

The Steam Web API scam is a sophisticated scam that abuses Steam API keys to impersonate popular trading services and take items from unsuspecting users. It relies on a user’s trust to gain access to their Steam account and, through it, their API key.

As with most scams of this type, the scam begins by deceiving users into logging into a counterfeit version of a legitimate website (also known as a phishing site). These sites are made to look very similar to the sites they are impersonating, and may reuse the same images, colors, basic functionality, and more. Most often, the user is prompted to log in to their Steam account on the site. This login page does not use Steam’s OpenID authentication; instead, it sends the login credentials directly to the owners of the phishing site. After the user has submitted their username and password, they are prompted for their two-factor authentication (2FA) code, sent by email or through the Steam app on their phone. Once the user submits this 2FA code, the bad actors log into the user’s Steam account and automatically obtain their Steam API key (found here).

Once the attackers have this API key, they can cancel trade offers on your behalf. The most common use of this is for the attacker to cancel incoming trade offers from known sites (such as Arcade.tf) and send their own trade offers to you instead. You may not notice the contents of the replacement offer and may accept it out of habit, handing your items to the bad actor. When attackers send these trade offers, they often disguise themselves as bots from the site you are trading with, going so far as to copy the bots’ names, profile pictures, etc.

Below is the common attack flow used by attackers to prey on active traders:

  1. Attackers create a near-perfect replica (phishing site) of a common trading site and place it on a domain that resembles the trading site’s domain. For example, “arcad.tf” instead of “arcade.tf”.
  2. An unsuspecting user navigates to the phishing site (in our example, “arcad.tf”) and is prompted to log in using their Steam credentials.
  3. The user logs in and provides their two-factor authentication code.
  4. The attacker automatically logs into the user’s Steam account and fetches their Steam API key.
  5. Some time passes…
  6. The user later goes to the legitimate trading site (“arcade.tf”) and creates a trade offer with one of its bots.
  7. The attacker automatically cancels the trade offer on the victim’s behalf using the stolen Steam API key and creates their own trade offer. The attacker’s offer may be one that gives all of the user’s items to the attacker, and it may be sent from an account disguised to look just like one of the bots from the site the user is trading with.
  8. The user accepts the trade offer, unaware that it was sent by the attacker.
  9. The user loses their items.
How do I prevent myself from falling victim?

Here are a few common ways to prevent yourself from falling victim to the “Steam Web API” scam:

  1. Access sites directly if possible and avoid search engines. You can safely and directly access Arcade.tf by navigating to https://arcade.tf/. Do verify that you have not made any mistakes or typos when entering the URL into the address bar.
  2. Never enter your Steam login information on a site that is not an official Steam site. Steam uses the “OpenID” authentication system. This means that you can safely log into Steam and your session will automatically be recognized by any site using Steam’s OpenID authentication. If a site prompts you to enter your credentials even after you have logged in successfully on the official Steam site, it may be a phishing site.
  3. Verify your trade partner for every single trade you make. Arcade.tf makes this easy by providing a list of all our bots (found here). Bots not listed on that page are not legitimate Arcade.tf trading bots.
  4. Never click on suspicious links sent by other users. This includes links sent on Steam, Discord, and other communication channels.
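As an added example (not Arcade.tf’s code), here is how a trader could apply step 3 automatically: incoming offers are checked against the site’s published bot list by SteamID64, never by display name, since the attacker copies names and avatars. The allowlist, the `persona_name` field and the sample offers are constructed for illustration; the offer fields `tradeofferid`, `accountid_other`, `items_to_give` and `items_to_receive` follow the shape of Steam’s IEconService/GetTradeOffers response.

```python
# Added example, not code from Arcade.tf: triage received Steam trade offers
# against a bot allowlist. The sample data below is constructed.

STEAMID64_BASE = 76561197960265728  # offset between a 32-bit account id and a SteamID64

# Hypothetical allowlist of legitimate bot SteamID64s, as the trading site would publish it.
LEGIT_BOTS = {
    "76561198000000001": "Arcade.tf Bot #1",
    "76561198000000002": "Arcade.tf Bot #2",
}


def to_steamid64(accountid: int) -> str:
    """Convert the 32-bit account id found in trade offer JSON to a SteamID64 string."""
    return str(accountid + STEAMID64_BASE)


def check_offer(offer: dict, bots: dict) -> list:
    """Return warning strings for one received offer; an empty list means no red flags."""
    warnings = []
    sender = to_steamid64(offer["accountid_other"])
    # The identity check uses only the id: the name (assumed here to have been looked up
    # separately into 'persona_name') is attacker-controlled and often copied from a real bot.
    if sender not in bots:
        warnings.append(f"sender {sender} is not a listed bot")
        if offer.get("persona_name") in bots.values():
            warnings.append("sender copies a legitimate bot's name")
    if offer.get("items_to_give") and not offer.get("items_to_receive"):
        warnings.append("one-sided offer: you give items and receive nothing")
    return warnings


def triage(offers: list, bots: dict = LEGIT_BOTS) -> dict:
    """Map tradeofferid -> warnings for every received offer that has at least one red flag."""
    flagged = {}
    for offer in offers:
        found = check_offer(offer, bots)
        if found:
            flagged[offer["tradeofferid"]] = found
    return flagged


# Constructed sample: one genuine bot offer, one impersonation that reuses the bot's name.
SAMPLE_OFFERS = [
    {"tradeofferid": "1001", "accountid_other": 39734273, "persona_name": "Arcade.tf Bot #1",
     "items_to_give": [{"assetid": "1"}], "items_to_receive": [{"assetid": "2"}]},
    {"tradeofferid": "1002", "accountid_other": 49999999, "persona_name": "Arcade.tf Bot #1",
     "items_to_give": [{"assetid": "1"}, {"assetid": "3"}], "items_to_receive": []},
]

if __name__ == "__main__":
    for offer_id, found in triage(SAMPLE_OFFERS).items():
        print(offer_id, "->", "; ".join(found))
```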
I think my Steam account may be compromised!

Follow these steps to regain control of your account:

  1. Change your Steam password: This will remove any unauthorized access from your account. You will not get a trade ban or trade hold if you change your password while already logged into your account.
  2. Revoke any API keys: Visit this and click "Revoke My Steam Web API Key" if that button appears.
  3. Sign out from all devices: Visit this and deauthorize all devices except your current one.
Afterword!

If you have any questions about this scam or other scams, please be sure to contact us in our Discord.

Thank you for reading and stay safe out there! - Bon