#no this post is not an invitation to tell me to use linux or whatever the fuck <3
mbat · 4 months ago
windows is so desperate for people to use microsoft edge that they changed their lock screen thing, which is a bunch of images of nature and it had a button for saying 'i like this image!' or 'i dont like this image!' and i liked saying i like the images because i did
but they changed it so that if you press 'i like this image!' it actually now says 'i like this image! i would like to learn more about it!' so if you press that button, once you log into your computer it automatically opens a microsoft edge search for the location from the image
bitch
1 note
alilybit · 4 years ago
Steam Scam Documentation
improved readability + table of contents on my website: https://phal.io/hackers/stean (free easter egg included!)
——————————————————————————————
TLDR – What To Do
Prevention
- Never sign in using Steam anywhere unless it’s a well known site that you navigated to yourself, preferably by manually typing the URL into your browser and saving that URL as a bookmark for later, NEVER sign in on links others sent you, even your significant other whom you would trust with your life because their account could be hijacked or they don’t know they’re sharing a malicious link
- Optionally send the link to an internationally approved computer expert you trust (me?)
- When you confirm trades in the app, always double check both trade contents AND the person you’re trading with (level, friend date) because hackers can automatically replace outgoing and incoming trade offers to go to a different account with the same name and pfp as your original trade partner
When It’s Too Late
- Warn your friends not to click on any link that might be sent on your behalf, check active chats for messages you didn’t send, send/tell them this
- Change your password (if you use your Steam password elsewhere, change those as well, you should be using unique passwords and a secure open source password manager like KeePassXC)
- Log out all sessions in the Steam desktop client by clicking on your name in the top right corner next to notifications and navigating to account details -> account security - manage Steam guard -> deauthorize all other devices
- Open https://steamcommunity.com/dev/apikey in your browser (if you don’t trust my link, which you shouldn’t, simply find out if steamcommunity dot com is the real domain for Steam and then manually type the complete link into your browser), revoke any API key there is if you haven’t created them or don’t know what they are, if you did make them replace them
- Optionally report the link at https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en to make all common web browsers display a warning before loading the malicious site
(Source + further info: https://forums.steamrep.com/pages/hijacking/)
When a Friend Sends You a Malicious Link or Acts Suspiciously
- Try to contact them somewhere outside of Steam and send/tell them this to save their account and to prevent the hijack from spreading further through their friends list
- Warn their friends
Pro Tip
The interwebs are full of malicious links/downloads, even/especially search engine results. To make sure you get the proper installer for programmes/the proper link to log into/purchase something, ALWAYS use the Wikipedia Technique™:
- Open wikipedia.org
- Search for the programme/site/shop/whatever
- Look for the website link either on the right in the summary box or by navigating to the external links section at the bottom
——————————————————————————————
I will now describe and show how a friend of mine had their account hijacked. I’ll also keep adding other forms of scam attempts to this post/site as I come across them so you can look at examples and be prepared for when it happens to you.
——————————————————————————————
Incident 1 – Can You Vote for My Team?
It was the night before my first vaccination. I was still doing something on my PC, I don’t remember what, even though it was past bedtime, when I got a message from a Steam friend. I’ll call them Ingeborg. My brother, Ingeborg and I had met a month earlier on a TF2 rocket jump server and we added each other. We played together a couple more times but beside that I didn’t know Ingeborg that well. You can see the chat from that day in the images below.
[Images]
The first cropped message from Ingeborg at the top is “hey u free rn?” or something. I assumed they just wanted to ask about playing a game of TF2 with me, as it has happened before. When they dropped the question about voting for their team and getting keys in return, I didn’t know what to make of it. I didn’t know of any competitive team they were in and I also didn’t know Ingeborg well or that alleged tournament at all. It also didn’t seem like they could just throw expensive keys around. I took some time to process the information and to think about what I should reply, but Ingeborg didn’t leave me much time to think, following up with “?” and “u here”. So I asked, feeling stupid for not knowing what they’re talking about.
[Images]
Then, they also set a time limit of less than 30 minutes and kept asking why I’m not immediately replying or “voting”. I have to admit, I nearly fell for it. I want to help people and I can’t think clearly under pressure, especially when it involves other people. And, for the Permanent Record, I of course wouldn’t have taken anything in return for helping a friend. I wanted to tell them that but they didn’t even give me the time to type that. I had already put my name and password in the form, after a lot of thinking, but something prevented me from pressing enter, it just didn’t feel right. I had even briefly searched the web for that tournament and didn’t really find anything. But what finally made me realise that there is something wrong and what made me think clearly again was the border and title bar of that alleged pop-up window. (Edit: Thanks for 1 likes. I compared genuinely signing in through Steam on scrap.tf and it did not open a pop-up window, it simply completely sent me to steamcommunity.com. I guess that means pop-up Steam sign ins are always fake.) I already tried clicking on the HTTPS information earlier which didn’t work for some reason but which still didn’t make me 100 % realise that this is a fake site. Until I noticed that the title bar is a Windows 10 default light theme title bar. I’m on Linux and I use dark themes, the title bar should look completely different. I tried moving the window around and it moved choppily and I could only move it within the Firefox window. I checked the source code and it was true: It was merely an iframe within the site that contained a fake Steam login form from a different URL that’s not steamcommunity.com. This is the site in the iframe:
[Image]
As you can see, it’s the Steam login form, but the address at the top is not a Steam address. I took a look at its source code and found that it was a lot longer than the original and also contained a lot of dialogue lines about removing the Steam mobile authenticator. This apparently didn’t come up when actually putting in password and username, but you should look out for fake sites telling you to remove your authenticator, they could get complete access to your account that way.
I confronted Ingeborg with this and they stopped replying. But they didn’t immediately remove me from their friends list, like that one time I was actually scammed. I wasn’t sure what to do now. Was Ingeborg really a scammer? Was everything we did together so far just to gain my trust to scam me? Like that one time I was actually scammed? The funny thing is that our conversation before this was about scammers. Some usual random scammer put a usual comment on my profile and Ingeborg warned me. But I believe in the good in everyone and I didn’t want to just assume they were a scammer without making absolutely sure. I thought about what else I knew about Ingeborg. They gifted my brother some items because he barely has any. They invited me to their Steam group. They subscribed to me on YouTube and put my channel on their home tab. Coincidentally, earlier that same day, I also took some time to take a look at their YouTube channel and subscribed. So I thought that me subscribing to them was the sign they were waiting for, signalling that I trusted them enough to fall for the scam. I checked their channel and I was still on their home tab and subscriptions. I checked their Steam group and was still a member. This convinced me that there really is a possibility that this wasn’t actually Ingeborg trying to scam me but that they’ve also been phished and someone else is now trying to also gain access to their friends’s’s accounts.
Ingeborg’s friends list and profile comments were now set to private, so I couldn’t comment or directly message their friends to warn them. But there was the Steam group. One other member was online, one with a Pokémon profile picture and I believe I also remembered noticing them on Ingeborg’s friends list because of the Pokémon theme. So I put a comment in the group and added the Pokémon person, who unfortunately had their comments disabled as well, so I put an explanatory message into my profile to let them know why I’m adding them. I warned them and asked them to tell Ingeborg that someone has access to their account, should they know Ingeborg better than me. On YouTube, Ingeborg had their Discord name listed. I tried to add them but friend requests were disabled. There was also an Instagram name. I technically don’t have Instagram but I made a test account a while ago to test a YouTube scam comment with a link to an alleged Instagram password hacking site. I logged in with that account, changed my profile picture to my real one, added an explanation to the bio and added Ingeborg. But they didn’t react. So I wrote a comment on a YouTube video. I think it took three attempts for the comment to pass the automatic spam filter. It could of course also have been Ingeborg deleting my comments exposing them for being a scammer. But the third castle stayed up. And a while later, they actually responded. I then tried to tell them to add me on Discord, that also took many attempts and extremely careful wording to get through. Not even my Discord tag with numbers spelled out and 1447 speak, as Jeremy 900 800 500 would say, went through, but a carefully camouflaged link to my website did. By then, they also messaged me on Steam, asking for help and asking me to temporarily take their valuable items to secure them. I told them to add me on Discord so I know it’s actually them I’m chatting with. As it turned out later, it was really good that they didn’t trade me their stuff.
Apparently, Ingeborg wasn’t home at the time and only had access to their phone. And they allegedly fell for the exact same scam a day before. The obvious first thing that had to be done was changing the Steam password. But it seems that the password can’t be changed in the app itself. So I had the idea that Ingeborg could log into Steam on their phone’s web browser and change the password there, which worked. We kept chatting and I kept researching. I still wasn’t sure if this was still part of Ingeborg’s ingenious plan to regain my trust to scam me again, but I believed in them. Eventually Ingeborg got home, and I stayed awake gladly until 3:47 in the morning, I… I sang as time went off. Because as long as menly men like me are prepared to give their time, a flower grows. And that flower, that small, fragile, delicate yellow flower, shall burst forth and defeat interwebs criminals. On the “next” day, the vaccine had a side effect of making me a little tired. Strangely enough, that side effect already started before the injection itself.
I also kept thinking about what the actual purpose of this series of hijacking accounts is. Ingeborg’s Steam wallet and inventory seemed to have been untouched but there must be some way for the criminals to profit off of this, if only to pay for the costs of the website and domain. On Vaccinator day, I finally found an article on https://forums.steamrep.com/pages/hijacking/ that explains it. When you give them your password and current authenticator code, they obviously get access to your account, but you still have the authenticator, so what they can do is limited. Apparently, they use the opportunity to create an API key that allows them to keep accessing your account even after you changed your password and they use it to immediately replace incoming and outgoing trade offers with ones that go to a fake version of your original trade partner with the same name and profile picture. You might then not notice the difference when confirming the trade in the app and give them your items, unknowingly and without them having to have access to or remove your mobile authenticator. A brilliant idea. You might as well check if you have any API keys which you usually shouldn’t, the details are explained on the steamrep link and in the “when it’s too late” section at the top of this piece of medium literature.
And the moral of this story: Always be careful, educate yourself on how they trick you and on digital security in the sense of safety, never assume you won’t fall for it, don’t shame people who fell for it and don’t feel ashamed if you fell for it. And always have an internationally approved technical support character on your team.
——————————————————————————————
Incident 2 – Simply Building Trust AKA Social Engineer
We write the distant year of 2016. Two… œ… six… one. Oh, I’m an idiot, I held the pen upside down. Never mind. I don’t recall the incident in as many details, but I still know the most important things. It started on a TF2 tdm_hightower community server, rocket jumping and Market Gardenering around. I don’t remember exactly how one of the other players started conversing with me, I just remember that they, I’ll call them Wincohn, added me, chatted with me and wanted to trade one of my items that was not yet tradable. We chatted over the course of multiple days. Eventually, we also chatted about bad things that happened in our pasts, like the divorce of my parents and how their dad allegedly died when they were young. And we comforted each other. They also asked me if I was religious at some point, I guess because religious people are easier to scam. When I took a look at their inventory, I saw TF2 competitive matchmaking beta passes. I don’t remember exactly how that worked, but I was excited about matchmaking and you could only get in if you have the beta pass item, but having it also gives you some invites to give to other people. So I offered to take a beta invite in exchange for the item they wanted. My item, a festive Rocket Launcher was still not tradable though, so they offered me to temporarily give them something else and they would immediately give me a beta invite. Since the beta invite is not an item, I had to trust them they would actually invite me in return. We were on the aforementioned community server again and they agreed to make our trade public to the server members so they could witness it and report one of us, should we not keep our side of the bargain. So we opened a trade and I gave them one cosmetic drop I didn’t need, one cosmetic I used and two non-strange festive weapons so I don’t lose my stats, which were apparently in total about equal in value to the Rocket Launcher. 
Right before the trade went through, they left the server, which I only noticed when the trade window closed. And they removed me from their friends list. No beta invite. I told the others on the server that we traded but he left before it went through and he scammed me but nobody cared. The chat where we agreed that I would get a beta invite was also gone. I lost my items and I didn’t even have proof that it was a scam and not just a gift or tax dodge. Steam rightfully doesn’t return scammed items, because the scammers of course immediately sell them and taking them away from the buyer would be unfair for them and giving the victim a duplicate would be easily exploitable, but getting them banned would at least prevent further scams. The worst part, though, is that everything they told me was a lie and only served the purpose of gaining my trust. Fascinating.
[Image]
After it happened, I was of course sad and angry. But only temporarily. I don’t hold a grudge against them, I’ve long since forgiven them. Quite on the contrary, I’m even thankful because I didn’t lose that much virtual material value (like 3 $) and it was a valuable experience. I only hope that they have changed since then and don’t do this anymore. The comments on their profile are disabled to this day, not the best sign. They also don’t have a Steam or third party ban. Either them scamming was not a common occurrence or nobody was ever able to prove it.
——————————————————————————————
Incident 3 – Wanna Join Our Tournament Team? (Incomplete)
I got another one of those friend requests on Steam from a suspicious looking profile. One of those that have TF2 comp stuff in their profile description. This time, I accepted it to see what they would do, to document more methods used by interwebs criminals.
This account had 1200 hours of TF2 playtime. So it looked like they’re an actual player, or maybe a hijacked account. Their inventory was public as well, but nearly empty, not even regular weapons or anything. They were playing TF2 the entire time and when I checked the server they were on, it always said no server. I guess that means they just have TF2 open the entire time to farm playtime that is publicly and prominently displayed on their profile to appear like a real player.
[Images]
I tried to go along with their chat but it didn’t go well. I even prepared my long unused Gibus Cap Discord account that I used to use to test roles on our server. But apparently, I asked too many questions. I was too eager to get a nice phishing link into my net. After that last message, they removed me from their friends. Next time, I won’t ask questions.
0 notes
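The check that exposed the fake pop-up in Incident 1 of the post above (a "window" that is really an iframe from an address other than steamcommunity.com, holding a password form), written out as an added example that is not part of alilybit's post. The `.example` domains and HTML snippets are constructed, and the exact-host allowlist is an assumption based on the one domain the post names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the only genuine login host is the one the post names.
# Exact match only: no subdomains, no "contains steam" heuristics.
STEAM_LOGIN_HOSTS = {"steamcommunity.com"}


def is_steam_host(url):
    """True only for an https URL whose exact hostname is a Steam login host."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    return parts.scheme == "https" and host in STEAM_LOGIN_HOSTS


class LoginSurfaceFinder(HTMLParser):
    """Records iframes and password fields that do not belong to Steam."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._form_action = None  # resolved action of the enclosing <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            # A "pop-up" that is really a frame: report where it loads from.
            src = urljoin(self.page_url, a["src"])
            if not is_steam_host(src):
                self.findings.append(("iframe", src))
        elif tag == "form":
            self._form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            # Trusted only if the page AND the submit target are both Steam.
            target = self._form_action or self.page_url
            if not (is_steam_host(self.page_url) and is_steam_host(target)):
                self.findings.append(("password-field", target))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit(page_url, html):
    """Return (kind, url) pairs for every non-Steam frame or password field."""
    finder = LoginSurfaceFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed samples (not taken from the incident): an outer page drawing a
# fake window around an iframe, the framed login form, and a genuine link.
OUTER_URL = "https://vote-tournament.example/team"
OUTER_HTML = """<div class="window"><div class="titlebar">Steam</div>
<iframe src="https://steamcommunity.com.login-check.example/login"></iframe></div>"""
INNER_URL = "https://steamcommunity.com.login-check.example/login"
INNER_HTML = """<form action="/auth" method="post">
<input name="username"><input type="password" name="password"></form>"""
GENUINE_HTML = '<a href="https://steamcommunity.com/openid/login">Sign in</a>'

if __name__ == "__main__":
    for url, html in ((OUTER_URL, OUTER_HTML), (INNER_URL, INNER_HTML),
                      (OUTER_URL, GENUINE_HTML)):
        print(url, "->", audit(url, html) or "nothing suspicious")
```

The host comparison is deliberately exact, so a name that merely begins with `steamcommunity.com` or puts it before an `@` is rejected.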
shondacervantes-blog · 8 years ago
Updates Marked Along with 'Gamebook' (Webpage 1).
Colosseum crowds-- and the sponsors and also cash money that circulation from all of them-- remained hard-to-find in the professional pc gaming's early times. This has great performance (it ran any type of video game we tossed at this on Xperia Play), as well as possesses options to sound and restrain graphics if your phone isn't swiftly enough. I desire to receive the most ideal package possible and still enjoy activities after playing for at some point. Stephanie Garber is actually an astonishingly talented writer and this is a publication that pretty much any grow older will definitely love!! In the end, the first method educated me ways to make peace with my job, the creative thinking I produced right into the globe, and along with whatever the response to the book would certainly be actually. That is actually a major one. Stencyl now assists indigenous, hardware-accelerated Windows, Mac computer and also Linux video games that deliver exceptional functionality and a far better overall take in. The on-line leak from the very first 4 incidents of season 5, before their sky date, likewise resulted in a major hassle for HBO. Video games share much in common along with various other activities that are satisfying as well as fulfilling, yet may become unsafe in particular circumstances. When cooking for good friends, it is actually constantly a promise for excellence to rely upon recipes coming from this fantastic blog post:-RRB- Simply wanted to let you know. Similarly volleyball and container round don't arouse rate of interest in one though these as well are outstanding video games. That could all appear impermeable, however Human Resource Device resides in reality elegant, welcoming, and also friendly, certainly not minimum because of creator Tomorrow Firm's propensity for instilling activities along with personality and center. I merely obtained my initial ps4 console and this was actually the activity that came with it. 
I believed yeah, excellent acquired my ps4 and also my very first ps4 cod game. One likes points even more apparent and in your skin, the other is peaceful and also prefers a much more publication based learning. Time the ribs satisfactorily along with freshly cracked pepper and a handful of dashes of salt. The explanation for this old fashioned review is actually considering that a thousand other individuals have already created testimonials for this manual and also I'll bet that they possess currently claimed everything that I desire to say. You might have reviewed a manual of narratives on Google.com Works, or watched a tv series on Netflix. If you enjoyed this short article and you would such as to receive even more details pertaining to this link kindly check out our own web page. There is actually certainly that JA Huss can easily tell the heck out of a story as well as I've been actually a veteran follower, but this book brokened a little short for me compared with her various other publications. Which would be an invited addition to the Period 2 finale, since our team merely find out about the gate-keeper Edith staying certainly there, as well as much from Season 3 is expected to happen in Wellington. Remarkable: Was born in Zug, Switzerland while his father Ken played professional hockey there certainly. His daddy also played 266 National Hockey League games for Chicago as well as Toronto. Sibling Austin likewise bets the Lions. Uncle Gary additionally played in the NHL. Attended high school at Bev Facey Composite. Spent 3 seasons in the Alberta Junior Hockey League split between Grande Plain, Lloydminster and also Drayton Valley. The AAP suggests pair of hrs or even much less of complete display screen opportunity each day, featuring television, pcs, and video games. I will positively advise this book to anyone and also everybody which wish to go through a story that might possibly change the method they watch the planet. 
This activity is likely to become among the biggest parts of historic entertainment ever released. Headey, best referred to as Cersei Lannister in Video game of Thrones, mentioned having been actually placed in the shoes from a migration policeman as well as exposed to a script based upon real-life profiles off people working with the Office had attested her opinion that a change in mindset was needed to have. . The times of needing a souped-up COMPUTER to play the most effective online games are actually long gone. Elsewhere, starlet Carice van Houten, that participates in hag Melisandre uploaded a view picture from the personality as an aged female on Twitter, revealing the make-up that is actually made use of to produce the personality's accurate type as well as relatively confirming her gain for season 7. The end result is actually massively gratifying, and also a compelling reason to come back in to the game. The idea seemed to be to be busted in Season 6 after our team eventually got to see the Tower from Pleasure setting, and also there was only one infant presented: Jon Snowfall Yet, similar to Jon Snow, the idea may be actually returning from the dead. Yet even with that being just one of the all-time greats, there is actually a real kicker that is actually inconceivable to neglect: That is actually a five-year-old game. Activity of Thrones followers craving their personal Ghost, Nymeria or Gray Wind may in luck. Solution: When you are actually already playing the game in any type of degree, press the pause button and in the menu that comes up you will discover the Go To Space" option. Between its futuristic The planet and its own stunning dream arena, the activity is frequently having you to surprising new places. Yet just recently that was actually starring in Game Of Thrones, makinged him famous to millions worldwide.
0 notes