An elaborate scam is underway that pretends to be a free game giveaway site, but instead hacks a user's Steam account, takes control over it, and then incorporates the new victim into their attack by targeting other players.

The scam works by attackers hacking into Steam accounts and sending messages to the victim's friends that they can get a free Steam game by going to a site and entering a promo code.

Steam message promoting scam site

When a user clicks the link, they are taken to http://steamsafe.fun/?ref=freegame, which then redirects them to one of the attacker's currently working scam sites. These sites, shown below, pretend to be giveaway sites for free Steam games.

Roll for a free game

When a user clicks on the Roll button, the site will pretend to select a random game from a list of popular ones such as PUBG, CSGO, Tropico 4, ARK: Survival Evolved, Assassin's Creed, and more.

It will then display part of a Steam code and state that you need to log in to Steam to claim the game.

Won a game

When a user clicks on the login button, it will show a fake Steam single sign-on (SSO) login page that looks like it's from the Steam site, but is actually hosted on the scam site.

Sign in with Steam account to claim code

If you enter your credentials, the site will use them in the background to try to log in to the user's Steam account. If Steam Guard requests a code, the site will pop up a prompt asking the user for the code sent to their email address or provided by their 2FA app. This allows it to bypass any 2-factor authentication set up on the user's account, as the user is handing the code to the attackers.

Enter Steam Guard code

If a user falls for the scam and enters their code, the site will perform an automated, behind-the-scenes attack that logs in to their account, changes the password, changes the associated email address, and changes the associated phone number. The attackers have now essentially stolen your account.

The attackers will now use the stolen account to further spread their scam to the victim's friends list and to potentially steal the items in the victim's Steam inventory.

This leads to a repeated cycle of promotion through hacked accounts for the attackers.

Testing the scam

BleepingComputer tested this scam site with a Steam account and after entering our credentials, the site logged in and changed my account's email.

When an account has its email address changed, Steam will send a notification to the original email address that includes the country and address of the person who made the change. As you can see below, the IP address was 188.119.12.154 and is located in Russia, which is not my computer's IP address or country.

Attackers change your email

In addition to the email address being changed, the phone number will be changed as well, which will be shown through a notification sent by Steam.

They also change the phone number

Thankfully, if your account is hacked in this manner, you can open an account recovery support ticket and Steam will help you recover the account.

Unfortunately, if the attackers steal or trade away the items in your inventory, Steam's Item Restoration Policy states that they will not restore any lost items.

Steam Support will no longer restore lost items. Items often exchange hands multiple times before a restoration request and this means they cannot be restored without duplicating them or removing them from another innocent user’s inventory. Duplicating items has a negative impact on everyone who trades or uses the Market by lowering the value of items.

Protecting yourself from Steam scams

Attackers are becoming more crafty and designing attacks that make it difficult to tell if you are entering your credentials into Steam or the scam site.

Knowing this, the general rule is when logging into a site via Steam, you must only do so if you are on the https://steamcommunity.com web page as shown below.

Legitimate Steam login page

If you are on any other page, or the login window does not show an address at all, as was the case with this scam's popup, then you should never enter your credentials.
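The rule above can also be checked mechanically. The following is an added example, not code from BleepingComputer or Steam: a JavaScript function that accepts only an exact https://steamcommunity.com origin and rejects common look-alike forms. The name checkSteamLoginUrl, the .example hosts and every sample URL other than the steamsafe.fun link quoted in the article are constructed for illustration.

```javascript
// Added example. The allowlist holds only the host named in the article.
const TRUSTED_LOGIN_HOSTS = new Set(["steamcommunity.com"]);

// Hypothetical helper: returns { trusted, reason } for a URL string.
function checkSteamLoginUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, the same rules browsers apply
  } catch {
    return { trusted: false, reason: "not a parseable absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { trusted: false, reason: "scheme is not https" };
  }
  if (url.username !== "" || url.password !== "") {
    // In https://steamcommunity.com@login.example/ the real host is login.example.
    return { trusted: false, reason: "text before @ is userinfo, not the host" };
  }
  if (url.port !== "") {
    return { trusted: false, reason: "non-default port is a different origin" };
  }
  // url.hostname is lowercased and non-ASCII labels become punycode (xn--...),
  // so a look-alike Unicode letter never compares equal to the ASCII name.
  if (!TRUSTED_LOGIN_HOSTS.has(url.hostname)) {
    return { trusted: false, reason: "host is " + url.hostname };
  }
  return { trusted: true, reason: "exact host match over https" };
}

// Constructed samples, except the steamsafe.fun link, which the article quotes.
const SAMPLES = [
  "https://steamcommunity.com/login/home/",
  "HTTPS://SteamCommunity.com/login/home/",
  "http://steamsafe.fun/?ref=freegame",
  "https://steamcommunity.com.login.example/openid",
  "https://steamcommunity.com@login.example/",
  "https://steamcommunit\u0443.com/login/home/", // Cyrillic letter in place of 'y'
  "https://steamcommunity.com:8443/login/home/",
];

for (const sample of SAMPLES) {
  const { trusted, reason } = checkSteamLoginUrl(sample);
  console.log((trusted ? "OK    " : "REJECT") + "  " + sample + "  (" + reason + ")");
}
```

The check is only meaningful when applied to the URL of the real browser window; an address drawn inside a web page is page content and can say anything.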

Furthermore, Steam suggests that all accounts configure 2-factor authentication through the Steam Guard Mobile Authenticator app to further secure their account. Unfortunately, in this particular scam, the attackers would still be able to bypass the 2FA as they ask you for your Steam Guard code and will be able to log in if it is provided.

Thx to Quoc for the tip!