Have you ever sent your items through a trade, only for the other party to claim that he didn't receive them? Or have you ever been on the other end, not receiving your purchases while the other party claimed that he had sent them, even showing you screenshots of trade history in which his items were sent out to a profile that looks exactly like yours?
This is unfortunately a very common issue nowadays, and it's known as the 'STEAM API SCAM'.
This is usually what the situation looks like when a party has been API scammed:
1. Buyer wants to buy an item from Seller
2. Seller sends a trade offer to Buyer OR Buyer sends a trade offer to Seller, for the said item.
3. Seller confirms the trade on his mobile confirmations page (KEY PROBLEM HERE, will discuss later)
4. Seller informs Buyer that Seller has sent out the item. Buyer checks his inventory but has not received any item.
5. Dispute happens.
What happened here? Is the other person trying to scam me? Who is lying? Who, exactly, is the one who got scammed?
Today we will discuss all these questions and also give you solutions to prevent and resolve this issue.
(Spoiler alert: No, you will unfortunately NOT get your lost items back.)
This is usually what happened to the Seller prior to the current deal:
1. Someone (the true, real scammer) contacted Seller, and asked Seller to enter a site which required Seller to key in his steam login details. The most common trick was via a giveaway or request of help to vote for a contest.
2. Seller entered the site and tried to link his steam account to the site, but was redirected to a fake steam login page. Seller keyed in his steam ID and password.
3. Seller received a prompt from his steam mobile app of the mobile authentication code and keyed in the code into the fake steam login site.
4. At this moment, a bot logged in to Seller's account and stayed in there.
5. Nothing happened and Seller forgot about the entire process.
6. The bot now had control over Seller's account using an API key, staying silent and only making its moves when Seller sent out items of significant value.
--------------------------------------------
The problem comes when Seller tries to send out his items from his steam inventory. This could be days, weeks, or even months after he got hacked. This is the situation:
1. Buyer wants to buy an item from Seller
2. Seller sends a trade offer to Buyer OR Buyer sends a trade offer to Seller, for the said item.
3. The bot that was logged into Seller's account cancels the legitimate trade.
4. A fake trade offer comes in, with the exact profile picture and display name, asking for the exact item. The bot automatically and instantly accepts the impersonating/fake trade offer, then waits for Seller to be tricked into pressing the final confirmation button on the mobile confirmations page.
5. Seller is tricked by the impersonating account and accepts the fake trade offer on his mobile confirmations page.
6. The item goes to the impersonating account.
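The cancel-and-replace sequence above can be spotted in a trade-offer history. The following is an added example, not part of the original post: the record fields and sample values are constructed for illustration, and the level check uses the post's later observation that impersonating accounts are usually Steam level 0 or 1.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Offer:                 # hypothetical record layout, not a Steam API schema
    offer_id: int
    partner_id: int          # account ID: the one field a clone cannot copy
    partner_name: str        # display name: freely copyable
    partner_level: int
    items: frozenset         # IDs of the items the Seller gives away
    state: str               # "canceled", "active" or "accepted"
    created: int             # Unix time the offer was created

def find_swapped_offers(offers, window=600):
    """Return (canceled_id, replacement_id, reasons) for each suspicious pair."""
    findings = []
    ordered = sorted(offers, key=lambda o: o.created)
    for i, old in enumerate(ordered):
        if old.state != "canceled":
            continue
        for new in ordered[i + 1:]:
            if new.created - old.created > window:
                break        # later offers are too far away in time
            # A re-send to the same account, or unrelated items, is not a swap.
            if new.partner_id == old.partner_id or not (new.items & old.items):
                continue
            reasons = ["same items, different account ID"]
            if new.partner_name.strip().casefold() == old.partner_name.strip().casefold():
                reasons.append("display name copied")
            if new.partner_level <= 1:   # post: impersonators are usually level 0 or 1
                reasons.append("partner level 0 or 1")
            findings.append((old.offer_id, new.offer_id, reasons))
    return findings

# Constructed sample history; every ID and name here is made up.
SAMPLE = [
    Offer(1001, 1111, "BuyerBob", 42, frozenset({555}), "canceled", 1_700_000_000),
    Offer(1002, 9999, "BuyerBob", 0, frozenset({555}), "active", 1_700_000_020),
    Offer(1003, 2222, "Alice", 30, frozenset({777}), "accepted", 1_700_003_000),
]

if __name__ == "__main__":
    for old_id, new_id, reasons in find_swapped_offers(SAMPLE):
        print(f"offer {old_id} replaced by {new_id}: {', '.join(reasons)}")
```

The comparison keys on the account ID because the display name and profile picture are exactly what the impersonating account copies.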
Who is at fault here? Is the other party scamming me? Whose account is the one that got affected?
In my opinion, neither the Buyer nor Seller is the scammer here. It is the person who is sending out the items (the Seller) who got 'scammed'. However, not by the Buyer he is currently dealing with.
Seller was hacked by someone else some time ago by logging onto a fake Steam login site, and has thus sent the items out to that earlier scammer. Seller must take steps to resolve the issue.
Seller can check when exactly he got hacked by going to his steam app and following these steps:
Help -> Steam Support -> My Account -> Data Related to Your Steam Account
OR
Go to https://help.steampowered.com/en/accountdata
Go to 'Recent Login History' and scroll all the way down to see if there was any login history from foreign countries.
'Recent Third Party Site Logins' will also help to track whether there was any login activity to an unfamiliar site.
As stated earlier, it is impossible to get your lost items back if you have sent them out.
The best thing you can do right now is to stop this from happening further, by logging the bot out of your account and revoking the API key.
This is the solution:
Step 1:
Go to http://store.steampowered.com/twofactor/manage
Click 'Deauthorize all devices'
This will log all other devices out of your account, including the bot.
NOTE: Do ensure that before you do this step, you remember your steam ID and password as you will need to re-login afterwards.
Step 2:
Go to https://steamcommunity.com/dev/apikey
If your page does not look like this, and instead has a domain attached to it, click 'Revoke My Steam Web API key'. Once it is revoked the page should look like the above.
Step 3 (Final Step):
Go to https://steamcommunity.com/my/tradeoffers/privacy#trade_offer_access_url
Click on 'Create New URL'
1. Ask for Buyer's 'Steam Level' and 'Years of Service' beforehand. Make sure to check the details carefully on mobile confirmations page.
2. Take a screenshot of what you see on your mobile confirmations page, and ask Buyer to double check if the details are correct.
3. If there is an error opening the trade offer page or confirmations page, it is likely that the original trade offer has been cancelled. Always check that no trade offer was cancelled.
On MOBILE CONFIRMATIONS PAGE, always check that the 'Steam Level' and 'Years of Service' match the ones from the TRADE OFFER PAGE.
Usually the impersonating account will be of very low steam level, such as '0' or '1'.
If these 2 details don't tally, immediately revoke the trade on MOBILE CONFIRMATIONS PAGE.
1. Let Seller know your 'Steam Level' and 'Years of Service' beforehand. You can check it on your steam profile page.
2. Let Seller know that if the details don't tally, he should immediately decline the trade.
3. Ask Seller to show you what he sees on his mobile confirmations page, and only after you've checked the details can he accept the trade.
1. Log in to the official Steam site on your browser first before you enter any 3rd party site. This will allow you to link your Steam account to the 3rd party site without keying in any of your Steam details such as login ID and password.
2. When you enter a 3rd party site, do not key in your steam ID and password via their redirect login page (Refer to above step).
3. Do not enter any giveaway or help to vote for any tournament, especially if it comes from a Steam Friend.
4. Always ensure that the steam login site has a 'lock' icon beside its URL. If it says 'Not Secured', it is usually a fake login site.
5. Deauthorize all devices from time to time and check if there is any API key linked to your account (Refer to Part 3 & Part 4).
Steam API scam is not new, but there are still many people who do not know about this, and it can cause very deep misunderstanding and dispute once items are lost. It is important to take precautions by keeping your account safe and checking the necessary steam details so as to avoid losing items or money in a deal.
Remember that even if a bot's logged onto your account, most likely it has no full control of your trades as the mobile authenticator is only linked to one sole device, which is with you. The final trade confirmation is done on your mobile confirmations page, so do ensure that you check the details of the trade carefully before clicking the final 'confirm' button.
Do not click any random links given to you. Google and research the sites first!
Share this post with your friends (please credit, it takes a long time to draft and write this) to spread awareness and help people to resolve this issue if they face it.
Stay safe and happy trading!