Avoiding the Steam API Scam: Fake CS:GO Tournaments
At the height of the pandemic, naturally, I started playing more games online. The star of this blog is the game Counter-Strike: Global Offensive. I was really into this game and had started playing it very frequently. A couple of months into the game, I got into the skin market. I wasn't heavily involved in things like trading, but I occasionally would purchase a new knife skin (which was always no less than $100) and other skins of value in-game.
These skins are a huge target for scammers. Since most people keep their Steam inventories public to showcase their skins, scammers have an easy way to filter out targets and start their campaigns. Once the scammer has received the victim's skin(s), it is extremely easy for them to exit and sell the stolen goods in a variety of ways: skin trading websites, p2p forums/Discord platforms, and individuals buying up skins all provide an easy way to offload the skins for money, usually in the form of cryptocurrency.
There are too many different methods scammers can use to steal someone's skins to cover here, but one of the more common ones is stealing a victim's Steam Web API key, which grants the hacker the ability to make trades on your behalf, which is how they steal your items. They send a trade offer containing your items to their catch account, approve the offer, and it is gone just like that.
If you are not too familiar with this, I recommend watching a video on it, which I can link here:
Now that we have context, let me tell the story about the time I encountered one of these scams, and almost fell for it.
On October 7th, 2020, at 11:35 AM, I was messaged by a random user on Steam. I do not have screenshots for this first encounter, but this actually happened to me twice, where I was able to then take some screenshots.
I still have some messages from when I was telling my cousin about it. It goes/went like this:
1. The attacker asks you a question about your rank (skill group) in CS:GO, and starts talking about their own. They usually say a rank that is higher than yours as well.
2. They may say that they have recently played in a match (either with or against) with you in it, and that's why they are asking you.
3. They say something along the lines of, "we need one more person on our team to play in this tournament. Our team name is 'Team One', and I wanna know if you want to play with us!"
I was somewhat suspicious at this point. Why would someone pick me to play in their tournament? I am a much lower rank than them, so why would they want me? I was talking to my cousin the whole time on Discord as this was happening, and even said, "which I can understand cause, ive had some very insane comp matches recently".
On CS:GO, they have a tab next to your profile where you can see 'Recent Teammates'. Anyone you have played with recently who was on your team will show up here. So I checked this, and I did not see this individual at all.
At this point, I was even more suspicious: they had to have been on the other team in any of those games, and why would they ask an opponent as well? I ended up asking how they found me: "i asked how he found me and he said he played against me".
4. They link you to a website that looks 100% legit. The first time, it was named "hyperxcomp[.]com". It looks like a normal tournament website with a bracket and many different teams, each with their own players, and everything checked out. It was also using HyperX's branding and was actively impersonating them.
They even have more ways to seem legitimate, like a Twitch Stream that runs showing the countdown until the tournament matches begin. However, the Twitch stream is just a countdown loop that streams 24/7, so the scam can always be working. No matches ever begin. In the second attempt of this scam, this was the real Twitch account used, which is now suspended: https://www.twitch.tv/rankedxtournament
5. Here's where the real scam comes in. To join the team, you need to authenticate on the website, which you do by logging in with your Steam account through the Steam API. Many websites use this for real, legitimate profiles, but this is a case where it is used for malicious purposes.
6. Once you fully complete that sign-in, you can wish your valuable items goodbye. That completes the scam.
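An added example, not part of the original post: a check for step 5 that accepts a "Sign in through Steam" address only when the browser would really send it to Steam. It assumes Steam's OpenID sign-in endpoint is https://steamcommunity.com/openid/login; the function name and the sample URLs (tournament.example) are constructed for illustration.

```javascript
// Added example (not from the original post): validate a "Sign in through Steam" URL.
// Assumption: Steam's OpenID sign-in endpoint is https://steamcommunity.com/openid/login.
const STEAM_HOST = 'steamcommunity.com';
const STEAM_PATH = '/openid/login';

function checkSteamSignIn(rawUrl) {
  const reasons = [];
  let u;
  try {
    u = new URL(rawUrl); // WHATWG parser, the same rules a browser applies
  } catch {
    return { ok: false, reasons: ['not a parseable URL'], returnToHost: null };
  }
  if (u.protocol !== 'https:') reasons.push(`scheme is ${u.protocol}, not https:`);
  // "https://steamcommunity.com@other.example/" hides the real host behind userinfo.
  if (u.username || u.password) reasons.push('URL carries userinfo before the host');
  // Exact match only: rejects suffix tricks, typos and punycode (xn--) homographs.
  if (u.hostname !== STEAM_HOST) reasons.push(`host is ${u.hostname}, not ${STEAM_HOST}`);
  if (u.port !== '') reasons.push(`unexpected port ${u.port}`);
  if (u.pathname !== STEAM_PATH) reasons.push(`path is ${u.pathname}, not ${STEAM_PATH}`);

  // The site that receives the sign-in result; worth showing to the user.
  let returnToHost = null;
  const returnTo = u.searchParams.get('openid.return_to');
  if (returnTo) {
    try {
      returnToHost = new URL(returnTo).hostname;
    } catch {
      reasons.push('openid.return_to is not a URL');
    }
  }
  return { ok: reasons.length === 0, reasons, returnToHost };
}

// Constructed sample URLs; tournament.example is a placeholder domain.
const SAMPLES = [
  'https://steamcommunity.com/openid/login?openid.mode=checkid_setup&openid.return_to=https%3A%2F%2Ftournament.example%2Fauth',
  'https://steamcommunity.com.login-tournament.example/openid/login',
  'https://steamcommunity.com@tournament.example/openid/login',
  'http://steamcommunity.com/openid/login',
  'https://steamcommunlty.com/openid/login',
];

for (const s of SAMPLES) {
  const r = checkSteamSignIn(s);
  console.log(r.ok ? 'OK  ' : 'FAIL', s, r.reasons.join('; '));
}
```

The check only means something when it is run on the address copied from the browser's own address bar, not on the link text the other person sent.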
Fortunately, I never made it to Step 5. I knew the risks that using Steam Sign-In had, and I wasn't convinced enough to do it. I still questioned whether or not it was legit, so I decided to call HyperX: "im gonna contact hyperx support...to see if its legit."
I called HyperX support and asked if the hyperxcomp[.]com website was actually the work of HyperX and was legit. After explaining a little bit, and waiting a little bit, the employee came back to me with the news that it was not an official HyperX website: "just called the support - the dude said that website is not on their list"
This obviously sealed the deal for me. I had confirmation the site wasn't legit, and would not be signing in. At this point, I was probably messaging back, telling them that I knew it was a scam and just going off on them.
But this really honestly surprised me. It was extremely interesting to see how much effort (or how little effort when you think about it) it takes to run one of these scams. I also wondered how many people could have fallen for this already, as I have never seen this scam talked about previously by any CS:GO YouTubers or influencers.
...and then it happened again. Only 1 day later, on October 8th, 2020, at 8:04 AM, I received another message.
The exact same scam was being played on me, however, from a different domain. You can also see the Twitch stream linked above that I mentioned earlier.
The funny thing is, the website was exactly the same as the previous fake HyperX one, obviously just with different branding applied. I told my cousin, "yep its literally the same website as last time."
This goes to show how easy this scam is for the attackers. They can rinse and repeat their websites as much as possible, simply purchasing a new domain and just changing a few images on the website.
After this all happened, I would periodically check up on the websites to see if they were still up. 2 days later, I checked and saw the original site from the first scam had a security notice and was eventually taken down for good.
This was 100% a learning experience for me. Previously, I had never come so close to falling for a scam as I almost did for this one. It really opened my eyes and helped me see how creative attackers can be and how their processes and procedures work, even with something "small" like CS:GO. You can only imagine how much more thinking and creativity goes into even bigger plots in the "real world".
I'm writing this blog because I wanted to share a time I almost fell for something. Something that, as I mentioned previously, I have never ever seen before and still have not seen talked about today in the CS:GO space. It's important that we can look back on our experiences like this, so we can learn from them and apply them to any other situation we may face in the future. I only wish I could have this happen to me again, so I can do an even more in-depth dive into how something like this works, rather than this surface-level report. I hope you enjoyed this reading.