Disclaimer & Licensing Information:

This documentation is not meant to be used as a guide. Specific code for things mentioned herein is not, and will not be provided. Some portions of this documentation may include slight speculation based on facts and evidence as I understand them. I will try to include as much information as possible, as information deserves to be free and publicized.

Permission is hereby granted, free of charge, to any person obtaining a copy of the information contained in this document (the "Information"), to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Information, subject to the following conditions:

  1. The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Information.
  2. The Information is provided "as is," without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose, and non-infringement. In no event shall the authors or copyright holders be liable for any claim, damages, or other liability, whether in an action of contract, tort, or otherwise, arising from, out of, or in connection with the Information or the use or other dealings in the Information.

By using the Information, you acknowledge that:

  1. The Information is provided for informational purposes only and does not constitute professional advice or create any professional-client relationship.
  2. You are solely responsible for the use of the Information and any consequences or results arising from such use.
  3. You shall use the Information responsibly and in compliance with all applicable laws and regulations.
  4. You shall not hold the authors or copyright holders liable for any misuse, misinterpretation, or inappropriate use of the Information.
  5. The author does not guarantee the accuracy, completeness, or timeliness of the Information, and it may be subject to errors, omissions, or change.

1. How does a Steam API scam work?

There's a large misconception about how current Steam API scams work. I believe this misinformation is spread through content creators' misconceptions and dated views on how these scams work. Within this documentation, I hope to present the information I've gathered in a way that is descriptive and understandable for all audiences, developers or not. I also hope to break the misinformed bonds that seemingly hold this scam together. I'd like to state that the advice given by creators such as Anomaly and Hey Zeus to prevent and handle these scams is appropriate and can be helpful; however, it's clear to me that they (and mostly everyone) have a severe misunderstanding of how API scams work, along with Steam's OpenID login process and how Steam sessions work. This will all be uncovered in the following documentation. I highly encourage readers to look more in depth at the linked resources within the document in order to gain a deeper and more nuanced understanding.

First, let's gain a deeper understanding of how these scams actually work; then we can delve into the misconceptions that surround this scam, which are seemingly portrayed and extended through misinformation and dated information. Here are the steps that the large majority of API scammers follow to initiate an API scam:

  1. A scammer, usually a bot account, initiates a conversation via Steam. The point of this conversation is to get the victim to click and log in to a fake login site (phishing site) that the scammer sends them.
  2. When the user opens the site, a fake login window/popup is displayed. We can tell that this is a fake popup from the HTML code. In the graphic below we can see that the legit-looking URL within the popup is actually just entered manually as text in the HTML; this text can be changed to anything with no effect on the actual contents displayed in the popup.

[Image: HTML source of the fake login popup, with the address-bar URL entered as plain text]

  1. When entering deliberately wrong (inaccurate/incorrect) data into the username and password fields, the page actually displays that the information isn't correct, just like a legit login attempt would. This is VERY interesting: if it were truly a fake implementation of Steam's login, it wouldn't be able to confirm whether the entered data is accurate or not. I ran this finding past a user named mixa. He had the idea that the credentials entered on the site are passed through a legit Steam OpenID login† on the site's backend servers. This makes complete sense and actually corroborates the [reconnaissance](https://www.tutorialspoint.com/ethical_hacking/ethical_hacking_reconnaissance.htm#:~:text=Information Gathering and getting to,information about a target system.) I had done on the site using Charles Proxy, an HTTP proxy that lets you see all web (HTTP-based) requests made by a website or program running on your computer.

    † Steam uses OpenID to log users in to third-party sites; this OpenID login is managed by and through Steam. The third-party site uses Steam's OpenID by sending the correct requests to the endpoint URL "https://steamcommunity.com/openid/"; the OpenID login itself isn't managed by the site. Only a legit Steam OpenID implementation can determine whether a login attempt is, or isn't, valid. Session cookies are sent to a site whenever a login attempt is initiated. A valid login attempt will typically send back a unique identifier for the user to claim (not an API key); this identifier contains the user's Steam user ID ("SteamID") and is typically formatted as "http://steamcommunity.com/openid/id/<steamid>". This SteamID can then be used to get profile and persona information (such as the profile picture and public account details like profile name, location, real name, etc.) through legit requests to Steam's API endpoint (basically every legit site that uses Steam login does this). An invalid login attempt instead sends back an authentication error; the exact error may differ depending on the implementation of the OpenID login. More information regarding the Steam OpenID library and login/auth process can be found here.
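To make the footnote concrete, here is how a legitimate "Sign in through Steam" relying party actually consumes Steam's OpenID 2.0 provider. This is an added example written for this document, not code from the original page or from Valve: it builds the redirect to Steam's provider endpoint (https://steamcommunity.com/openid/login, the real OpenID 2.0 endpoint behind the "https://steamcommunity.com/openid/" URL quoted above), and on return it checks the signed response and extracts the SteamID from the claimed_id. The HTTP POST used for the check_authentication step is injected as a function so the code runs offline; the SteamID in the sample is constructed, not a real account.

```python
"""Minimal Steam OpenID 2.0 relying-party flow (added example, not the page's code).

The relying party redirects the browser to Steam, the user types their password
and Steam Guard code on Steam's own page, and the site only ever receives a
signed claimed_id of the form https://steamcommunity.com/openid/id/<steamid>.
"""
import re
from typing import Callable, Dict, Mapping, Optional
from urllib.parse import parse_qs, urlencode, urlparse

STEAM_OPENID_ENDPOINT = "https://steamcommunity.com/openid/login"
OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
# SteamID64 is 17 digits; the pattern is anchored so a look-alike host such as
# steamcommunity.com.example.net is rejected.
CLAIMED_ID_RE = re.compile(r"^https?://steamcommunity\.com/openid/id/(\d{17})$")
# Fields the provider must have covered with its signature (OpenID 2.0 §10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}


def build_login_url(return_to: str, realm: str) -> str:
    """URL the site redirects the user to; the password prompt happens on Steam."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.claimed_id": IDENTIFIER_SELECT,
    }
    return f"{STEAM_OPENID_ENDPOINT}?{urlencode(params)}"


def extract_steamid(claimed_id: str) -> Optional[str]:
    """Return the SteamID64 embedded in a Steam claimed_id, or None if malformed."""
    m = CLAIMED_ID_RE.match(claimed_id)
    return m.group(1) if m else None


def parse_return_url(url: str) -> Dict[str, str]:
    """Flatten the query string Steam appends to return_to into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def verify_return(params: Mapping[str, str], expected_return_to: str,
                  post: Callable[[str, Mapping[str, str]], str]) -> Optional[str]:
    """Validate a positive assertion that arrived on return_to.

    post(url, form) performs an HTTP POST and returns the response body; it is
    injected so the logic can be exercised without network access.
    Returns the SteamID64 on success, None on any failure.
    """
    if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "id_res":
        return None
    if params.get("openid.return_to") != expected_return_to:
        return None
    if params.get("openid.op_endpoint") != STEAM_OPENID_ENDPOINT:
        return None
    signed = set(params.get("openid.signed", "").split(","))
    if not REQUIRED_SIGNED <= signed:
        return None
    claimed = params.get("openid.claimed_id", "")
    if claimed != params.get("openid.identity"):
        return None
    steamid = extract_steamid(claimed)
    if steamid is None:
        return None
    # Direct verification: replay the assertion to the provider with
    # mode=check_authentication; a genuine one answers with "is_valid:true".
    check = dict(params)
    check["openid.mode"] = "check_authentication"
    body = post(STEAM_OPENID_ENDPOINT, check)
    fields = dict(line.split(":", 1) for line in body.splitlines() if ":" in line)
    if fields.get("is_valid", "").strip() != "true":
        return None
    return steamid


# Constructed sample assertion (the SteamID is made up for this example).
SAMPLE_RETURN_TO = "https://example.net/auth/steam/callback"
SAMPLE_PARAMS = {
    "openid.ns": OPENID_NS,
    "openid.mode": "id_res",
    "openid.op_endpoint": STEAM_OPENID_ENDPOINT,
    "openid.claimed_id": "https://steamcommunity.com/openid/id/76561190000000001",
    "openid.identity": "https://steamcommunity.com/openid/id/76561190000000001",
    "openid.return_to": SAMPLE_RETURN_TO,
    "openid.response_nonce": "2024-01-01T00:00:00Zconstructed",
    "openid.assoc_handle": "constructed-handle",
    "openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    "openid.sig": "constructed-signature",
}


def fake_steam_post(url: str, form: Mapping[str, str]) -> str:
    """Stand-in for the provider: accepts only our constructed signature."""
    if form.get("openid.mode") == "check_authentication" and form.get("openid.sig") == "constructed-signature":
        return f"ns:{OPENID_NS}\nis_valid:true\n"
    return f"ns:{OPENID_NS}\nis_valid:false\n"
```

Note what is absent from the flow: at no point does the site receive or forward the user's password or Steam Guard code, which is exactly why a page that asks for them inside its own form is not using Steam's OpenID login however legitimate it looks.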

  2. The site sends the credentials from the login page to its backend, where they are read as valid or invalid via the legit OpenID implementation. Using Charles Proxy, mentioned above, we are able to see a POST request from the website, likely to the site's backend, where the login credentials can be stored and passed through the OpenID validator by the site's server code.

    [Image: charlesRequest.png, the POST request from the phishing page as captured in Charles Proxy]

  3. The legit OpenID validator set up on the site's backend confirms whether the credentials are valid or invalid. The result is then sent back to the real-looking login page, which updates its HTML (likely using DOM manipulation to make the page contents dynamic and updatable) to either display the next step (entering the 2FA code) or state that the login credentials are incorrect, mirroring what a real login page would do.

    1. In simpler terms, the fake login page acts as a messenger between you and the attackers. It makes you think you're logging in, but the actual verification is done on the attacker's server, not on the page itself, giving the impression that the login you're viewing is a real one.
    2. Behind the scenes, the website's servers act as the real login process, and they have access to everything you type in. So, when you enter your username and password on that fake page, it's not the page itself that handles the login. Instead, the backend servers check whether the credentials you entered are valid via an actual legit OpenID login that the fake site controls. If you enter incorrect information, it's the servers, not the web page, that determine whether the login is valid. This trick makes the login process seem real, allowing the attackers to obtain your two-factor authentication (2FA) code. The login page you see is nothing more than text and images with no real logic behind it; the actual logic and "testing" of the credentials are handled by the scammers' backend server, and the page displayed to the victim acts as a middleman between you entering your credentials and the scammers' server confirming them.
  4. From here, the scam can take another branch in how it accesses your account; to better understand this, please read section 1.5(a-b) in full.

    1. Without Steam Mobile Guard active (using email for 2FA):

      1. First, the bot logs in with the credentials you provided through the fake login; the bot's login prompts Steam to send a confirmation that it is truly you logging in. The fake login then tells you to check your email and provide it with the 2FA email code. The email will look something like this; note the Russian IP.

        The IP is most likely from a proxy service and doesn't mean anything.

      2. Basically, the scammers hope to trick you into thinking that you are truly logging into Steam on the site, while the login on the scam website is fake and they are actually just using the credentials you give them to gain access to your account.

    2. With Steam Mobile Guard active (using the Steam Mobile Authenticator as 2FA):

      1. Similar steps follow, just with the 2FA code coming from Steam Guard instead of email. This Steam Guard code only lasts a few seconds, though that is enough when the code is being automatically copied and replayed by the scammers' servers. Once the 2FA Guard code is entered, the scammer creates a session bot and logs in to the account. The account is now connected to the scammer and can be controlled through the bot.

      Note: This "bot" isn't really a bot account, but rather a script that leverages your credentials and the session login cookies sent during the login process. The scammer then uses this session to maintain a login on your account, which allows them to control your trades (the scammer's script keeps a persistent login session to your account). This session created by the scammer can be terminated by deauthorizing devices, changing your password, and deauthorizing devices again.
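The Charles capture above (the POST carrying the typed credentials to the scammer's server) is the kind of evidence a defender can look for systematically. The following is an added example written for this document, not tooling from the original page: given request records in the shape a proxy such as Charles can export (method, URL, content type, body, headers), it flags any form or JSON submission that carries credential-like fields to a host that is not one of Steam's own login hosts. The allow-list of Steam hosts, the field names treated as credential-like, and every sample record are assumptions constructed for the example; the phishing URL uses a reserved `.example` domain.

```python
"""Triage of proxy-captured requests for credential exfiltration (added example).

A real Steam login posts the password only to Steam's own hosts.  A phishing
page that "tests" credentials on the scammer's backend has to send them
somewhere else first, which is what the Charles capture on the page shows.
"""
import json
from typing import Any, Dict, List
from urllib.parse import parse_qs, urlparse

# Assumed allow-list of Valve-operated hosts that may legitimately receive a
# Steam password; extend to taste, but never from an untrusted source.
STEAM_LOGIN_HOSTS = {"steamcommunity.com", "store.steampowered.com",
                     "login.steampowered.com", "help.steampowered.com"}
# Field names that, when present in a submitted body, indicate a login form
# (assumed list; the 2FA names mirror what a Steam login prompt asks for).
CREDENTIAL_FIELDS = {"username", "password", "passwd", "twofactorcode",
                     "emailauth", "guardcode", "authcode"}


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_steam_host(host: str) -> bool:
    # Exact match or a subdomain of steampowered.com; "steampowered.com.evil.example"
    # does not end with ".steampowered.com" and is therefore not trusted.
    return host in STEAM_LOGIN_HOSTS or host.endswith(".steampowered.com")


def submitted_fields(body: str, content_type: str) -> List[str]:
    """Field names in a form-encoded or JSON body; unknown encodings yield []."""
    ct = content_type.lower()
    if "application/x-www-form-urlencoded" in ct:
        return list(parse_qs(body, keep_blank_values=True).keys())
    if "application/json" in ct:
        try:
            data = json.loads(body)
        except ValueError:
            return []
        return list(data.keys()) if isinstance(data, dict) else []
    return []


def credential_fields(fields: List[str]) -> List[str]:
    return sorted(f for f in fields
                  if f.lower() in CREDENTIAL_FIELDS or "password" in f.lower())


def flag_credential_posts(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per POST that sends credential-like fields off-Steam."""
    findings = []
    for rec in records:
        if rec.get("method", "").upper() != "POST":
            continue
        creds = credential_fields(submitted_fields(rec.get("body", ""),
                                                   rec.get("content_type", "")))
        if not creds:
            continue
        host = host_of(rec["url"])
        if is_steam_host(host):
            continue
        findings.append({
            "url": rec["url"],
            "host": host,
            "fields": creds,
            "referer": rec.get("headers", {}).get("Referer", ""),
        })
    return findings


# Constructed sample capture: one genuine-looking login to Steam, one page load,
# one harmless POST to the phishing host, and one credential POST to it.
SAMPLE_RECORDS = [
    {"method": "POST", "url": "https://steamcommunity.com/login/dologin/",
     "content_type": "application/x-www-form-urlencoded",
     "body": "username=alice&password=hunter2&twofactorcode=ABCDE"},
    {"method": "GET", "url": "https://trade-bonus.example/login",
     "content_type": "", "body": ""},
    {"method": "POST", "url": "https://trade-bonus.example/api/telemetry",
     "content_type": "application/json", "body": "{\"event\": \"popup_opened\"}"},
    {"method": "POST", "url": "https://trade-bonus.example/api/login",
     "content_type": "application/json",
     "body": "{\"username\": \"alice\", \"password\": \"hunter2\", \"twofactorcode\": \"ABCDE\"}",
     "headers": {"Referer": "https://trade-bonus.example/login"}},
]

if __name__ == "__main__":
    for f in flag_credential_posts(SAMPLE_RECORDS):
        print(f"credentials {f['fields']} posted off-Steam to {f['host']} ({f['url']})")
```

The same triage applies to a browser's network tab: the single question is where the password and 2FA code were sent, and a legit Steam sign-in never sends them to the third-party site at all.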

The only thing that can remove the bot's access to your account is changing the password of your Steam account and deauthorizing all devices. To be safer, I would highly recommend first deauthorizing all devices, then changing your password, then deauthorizing all devices again. It is not a good idea to immediately change your API key in this scenario, since legit services rely on this API key to function correctly, and the API key is not the vulnerability that makes this scam work. As will be mentioned, you cannot be scammed through it.

With the scammer's bot now having access to your account, it can not only decline trades automatically, but it also has access to every aspect of your account that doesn't require additional 2FA authentication, e.g. changing the password, removing Steam Guard, etc.

1.1. Additional Information Regarding Steam Sessions

This section was written after finishing the document. It may contain more in-depth information than some of what I mention in other sections, as I now have an even deeper understanding of how this works.