What is the Steam Web API scam and how to protect your CSGO skins?
As the Counter-Strike: Global Offensive (CS:GO) skins economy flourishes, bad actors are bound to exploit any possible loopholes for their own gain.
Ever since CSGO introduced the CSGO skins economy in August 2013 through their “Arms Deal” update, it has caught the attention of the gaming industry for its success in monetising in-game virtual items for real money. Many popular game titles have attempted to replicate the monetisation model found in CSGO and other games such as DOTA 2 and TF2 on the Steam Market. Unfortunately, the opportunity has also bred a group of scammers who are increasingly looking to target the CSGO community and their valuable CSGO skins.
Although various measures have been put in place by Valve to remove suspicious users, as well as to identify phishing methods used by scammers, everyone in the CSGO community including experienced CSGO skins traders can still fall prey to such scams.
The Steam Web API Key scam is one of the methods scammers most commonly use to steal users’ CSGO skins. However, with sufficient knowledge and precautions, you can prevent these bad actors from tampering with your Steam account, and with the CSGO skins collection held on it. To explain what the infamous API scam is, we have prepared the following information so that you can identify and implement the right measures for your account.
- Understanding the API (for non-technical users)
- How does API work in Steam?
- What is a Steam Web API Scam?
- How did I get Steam Web API Key Scammed?
- Prevent API scams and Protect your CSGO skins
- What should you do if you have already been scammed?
Understanding the API (for non-technical users)
An Application Programming Interface (API) is a computing interface widely used by online businesses and large corporations to enable interactions between multiple software intermediaries. It can be offered to their customers or kept for internal use.
It helps to think of APIs as the “engine under the hood” and the backbone of the connectivity that our hyper-interconnected society has come to rely upon over the past decade. It is therefore not surprising to find Valve using APIs for a variety of purposes in its ecosystem.
How does API work in Steam?
Today, we live in a digitally connected world and are increasingly dependent on the Web for many purposes. From ordering food to acquiring knowledge, we rely heavily on technologies that make things more productive and convenient for us. If we were to visualise what the Web looks like, it would appear as a large global network of connected servers that exist to process all the data that passes over the Web. For instance, every page on the internet is stored somewhere on a remote server that is optimised to process requests. When you type www.SkinCashier.com into your browser, a request goes out to SkinCashier’s remote server. Once your browser receives the response, it interprets the code and displays the page.
Hence, to the browser, also known as the client, SkinCashier’s server is an API. In other words, you interact with a remote server’s API every time you visit a page on SkinCashier. An API is the part of the server that receives requests and sends responses.
Whenever you buy or sell CSGO skins on third-party marketplaces like SkinCashier, the marketplace will require you to connect your Steam account (i.e. the “Login with Steam” button) to the platform. To facilitate this process, a Steam Web API is used to connect your Steam inventory to the marketplace’s platform.
What is a Steam Web API Scam?
Now that you are more informed about the meaning of API, let us delve deeper into the tactics used by scammers to steal your CSGO skins. As mentioned earlier, the Steam Web API Key scam is probably the most infamous scam seen in the CSGO community. This scamming method uses a phishing website with a fake “Login with Steam” button. A phishing website impersonates the website that the scammers wish to target, and is designed to look almost identical to it (e.g. SkinCashier.com).
Lately, we have received a handful of requests daily from our users who lost CSGO skins as a result of this scam. Users have reported that they found a website via a search engine that appeared to be a genuine SkinCashier website, including a convincing “Login with Steam” button. The attack happens when you log in to your Steam account with this login button, which prompts you to input your username, password and 2FA code. The hacker’s script then uses the data you entered to log in to your Steam account and access the Steam Web API key on this link.
Once connected successfully, the hacker’s script is able to track your trade offers, especially those with valuable CSGO skins. Finally, your trade offer is replaced with a fake, similar-looking offer, and your CSGO skins are transferred to the hacker’s account.
How did I get Steam Web API Key Scammed?
According to several accounts reported by affected users, scammers have succeeded in luring users to a highly convincing phishing website that imitates the original UI of the authentic CSGO skins marketplace website.
Before launching these attacks, they usually identify their potential victims through SEO tools such as keyword research and analysis, in order to collect information on the popular CSGO skins marketplaces (e.g. SkinCashier) most frequented by CSGO players who sell CSGO skins.
These bad actors may convince their victims by optimising their phishing websites to rank at the top of relevant keyword search results, and by using a URL that is almost identical (e.g. SklnCashier.com) to the authentic website’s URL (e.g. SkinCashier.com). Users who reach the website through a search engine (e.g. Google, Baidu or Yandex) may not notice the difference in the URL, and so end up on the phishing website.
Prevent API scams and Protect your CSGO skins
Based on the above information, unknowing users may not be aware of the “booby traps” set up by these hackers, since the entire process can appear legitimate. Fortunately, you can still prevent these mishaps from happening to your Steam account by staying vigilant online and verifying the CSGO skins trade process from start to finish. You may find the following steps crucial in building up your first line of defence against these scammers.
Access the URL of Trusted Websites and Authenticate via Steam
As long as we are exposed to the internet, we may become a target for online scammers at any point in time. Hence, do not take any risks with your valuables, and ensure that the URL of your Steam login page or CSGO skins marketplace is correct. It is also best to validate the URL of any website that you reach from a search engine.
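The URL check described above can be automated. The following is an added example, not code from SkinCashier or Steam: it compares a URL's host against a small allowlist and flags near-misses such as the SklnCashier.com swap mentioned earlier. The allowlist, the character-folding table and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the marketplace named on this page plus the host
# that serves Steam's own sign-in page. Extend it with the sites you use.
TRUSTED = ("skincashier.com", "steamcommunity.com")

# Characters that are easy to confuse at a glance, folded to one form.
FOLD = str.maketrans({"l": "i", "1": "i", "0": "o"})


def skeleton(host):
    """Fold look-alike characters so 'sklncashier' and 'skincashier' match."""
    return host.replace("rn", "m").replace("vv", "w").translate(FOLD)


def edit_distance(a, b):
    """Levenshtein distance, to catch a dropped, added or changed letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'trusted', 'lookalike' or 'unknown' for the host in a URL."""
    if "://" not in url:
        url = "https://" + url  # allow bare hosts copied from a search result
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return "trusted"
    for good in TRUSTED:
        brand = skeleton(good.split(".")[0])
        if (skeleton(host) == skeleton(good)        # SklnCashier.com style swap
                or edit_distance(host, good) <= 2   # one or two typos
                or brand in skeleton(host)):        # brand buried in another domain
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://www.SkinCashier.com/", "SklnCashier.com",
              "https://skincashier.com.account-check.example/login"):
        print(f"{classify(u):9}  {u}")
```

A result of "unknown" only means the host resembles nothing on the allowlist; it is not a statement that the site is safe.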
Regularly change your Password and Steam Trade URL
Develop the habit of making regular changes to your Steam account password and Steam Trade URL to prevent anyone from tracking you and your transactions. Changing these credentials can also terminate your current online session on Steam across all devices connected to your account, and block any scam bots that may be accessing your account. For your password, it is suggested that you use a combination of uppercase letters, symbols and numbers to increase its strength.
Additionally, it is not advisable to input your login data via the “Login with Steam” process. You should keep an active session in Steam, and the “Login with Steam” button should just redirect to the Steam website for automated verification there.
Change your Steam Web API Keys often
While you may not interact with your Steam Web API Keys often as a buyer or seller of CSGO skins, you should make the effort to visit your user page on Steam and generate a new API key whenever possible. As with your password, develop a habit of changing the key regularly so as to prevent any possible exploitation by scammers.
Verify and Validate your Sent Trade Offers
Finally, we cannot emphasise this enough: check and validate your trade offers at all times. Ensure that the trade offer is indeed processed by your chosen CSGO skins marketplace (e.g. SkinCashier.com). You may also wish to check your trade history to see if there is an identical offer that was unknowingly cancelled by “you”. If that is the case, it is very likely that your account has been accessed by scammers.
In order to prevent any future mishaps, activate trade confirmation via your mobile phone or trusted email address. By doing so, your requested trade offers on SkinCashier can only be processed via your mobile phone or email address.
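The trade-history check described above looks for one specific pattern: an offer that was cancelled and then re-issued with the same items to a different recipient. The following added example, which is not SkinCashier's or Steam's code, applies that check to a constructed trade history; the record layout and field names are hypothetical and do not reflect Steam's actual data format.

```python
from datetime import datetime, timedelta

# Constructed trade history; the field names are hypothetical, not Steam's.
HISTORY = [
    {"id": "A1", "partner": "marketplace-bot", "items": ["AK-47 | Redline"],
     "state": "cancelled", "created": "2021-03-01T10:00:05"},
    {"id": "A2", "partner": "unknown-account", "items": ["AK-47 | Redline"],
     "state": "pending", "created": "2021-03-01T10:00:09"},
    {"id": "B1", "partner": "friend", "items": ["P250 | Sand Dune"],
     "state": "accepted", "created": "2021-02-20T18:30:00"},
]


def find_swapped_offers(history, window=timedelta(minutes=5)):
    """Pair each cancelled offer with a later offer that sends the same
    items to a different partner within `window` of the original."""
    hits = []
    for old in history:
        if old["state"] != "cancelled":
            continue
        t0 = datetime.fromisoformat(old["created"])
        for new in history:
            if new["id"] == old["id"]:
                continue
            delay = datetime.fromisoformat(new["created"]) - t0
            same_items = sorted(new["items"]) == sorted(old["items"])
            if (same_items and new["partner"] != old["partner"]
                    and timedelta(0) <= delay <= window):
                hits.append((old["id"], new["id"]))
    return hits


if __name__ == "__main__":
    for cancelled_id, replacement_id in find_swapped_offers(HISTORY):
        print(f"offer {cancelled_id} was cancelled and re-issued as "
              f"{replacement_id} to a different recipient")
```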
What should you do if you have already been scammed?
It is the sophistication of the methods used by these scammers that lets them trick many users into giving up important information on the phishing website. Unfortunately, in spite of the rampant scam activity in the community, you will be unable to recover your stolen CSGO skins. You may report the hacker’s Steam account, and this account will be banned by Steam, but your CSGO skins will not be returned to your account.
Unlike filing disputes in the real CSGO skins marketplace, there are no real remedies for such attacks except to send complaints to technical support services. Therefore, it is of utmost importance to secure your Steam account whenever possible. As CSGO skins gain real-money value, they will be subject to more attacks, as scammers are eyeing your prized possessions for their own selfish gain. Hopefully, our recommendations above are sufficient for you to trade with peace of mind on Steam or on SkinCashier. Treat your CSGO skins inventory like your savings account or investment, and do not let these bad actors get in the way of a wholesome CSGO experience.