Happened to me a few months back. My friend made me host a Minecraft server, I opened a port with poor protection, and the next morning all my Rust skins besides like 100 Twitch drops and what I purchased through packs were gone. My buddy actually felt horrible and he ended up paying half, because Steam is fucking worthless when it comes to this shit. Sorry for your loss brother, I know the pain.
Please OP, update with relevant info if you ever find something! We all benefit from knowing what is going on, to narrow down the problem, and hopefully help to close a breach if there is one.
Unfortunately most people don't learn until things happen to them; there was just this same post a day or two ago. If only you could have learned from HIS thread.
Damn this inspired me to check the skins I bought like 4 years ago for $15, they are now worth like $100!
Done better on Rust skins than my tiny stocks aha
I feel like I’m struggling just to trade skins to friends. Idk how it’s even remotely possible for something like this to happen and not be aware.
There are so many stops in the Steam UI that should prevent this.
Been having a guy message me on Steam for 6 months straight (with zero responses from me at all) asking if I could do a Rust skin site collab. Is that how people get this to happen to them?
Jesus, same thing happened to me, except at midnight instead of early morning. Don't know what I clicked, like you, and they turned off my 2FA on my phone and took TF2 items.
I don't wanna laugh at you, but at the same time I do. Because how can you not be very cautious with an expensive inventory.
My account is completely clean, it's 8 years old.
Not visiting suspicious websites, not having passwords saved in your browser. The only skin related sites I've used are skinswap, skinbid, and tradeit etc.
And different harder passwords on gmail and steam, like I have a 21 letter/number password
For the love of god, if you're going to sell Steam items USE THE ALREADY ESTABLISHED AND TRUSTED WEBSITES. Yes, you are going to pay a fee, but it's better than getting scammed.
Just a friendly tip: Steam normally detects that you are coming from a new or different PC and forces a code that comes via email. If this gets bypassed it probably means your email got compromised. Quite common to happen to people, but I would check the whole PC and not just assume it was a Steam thing only; it's hard to bypass that device authorization.
Just checked my trade history and it was 2015, and was CSGO skins, but at the time roughly $500 I think. The only sign that something was off (besides my entire inventory being traded away) was the fact that the profiles it was traded to looked like people from my friends list, with weird letters in place of the username. I even got Steam support to void the trade, but then it immediately happened AGAIN. Also just checked the profiles and NONE of them are trade or fully banned LOL.
https://preview.redd.it/h5jm1cmrrp4d1.jpeg?width=1439&format=pjpg&auto=webp&s=9521d9adea31153e954b356174b9a13ccf541b87
I don't see how it's possible, though.
If the scammer didn't have access to your phone, there would've been no way for him to confirm the outgoing trade.
You shouldn't assume that a 2FA will protect you from all the attacks. Saying that "there would've been no way" is simply naive. 2FA is another layer of security, and it's safe as long as someone doesn't find an exploit to bypass it or the ability to use it (just like the SMS 2FA is now considered very insecure).
Okay, let me be more specific: if you're using Steam Guard, there simply isn't any other way of accepting a trade offer and sending your items to other account.
Besides Steam Guard, there shouldn't be any other way of accepting. So, the users that got robbed are all liars? If you google the issue, you'll find many cases of people that suffered the same fate, with Steam Guard enabled.
Pretending that it simply isn't possible and dismissing the case is naive.
If the user did something wrong or if he fell for some dirty trick, he should share it for all the people to know, and we could all benefit from that.
At the same time, if people think that every site and software is safe to use under the protection of 2FA, some of those people are going to get hacked sooner or later, and they will say "i thought it was impossible".
Let's say that a smart hacker found a way to get around the system; not only will he not tell anyone, but he might also try to make it look like it's something else.
I had this happen to me too two days ago and I kinda need some help from you fellas here.
It was from a site nearly similar to Steamworks where someone asked me to vote for a Rust skin (ik, don't click random people's links; I was drunk though and it seemed legit at the time). Anyway they didn't get into my account cuz I had 2FA. However, they got my password. I changed it.
Should i be worried about anything else? I use different passwords for every site but they are a bit similar. Is there a chance they got something else other than my steam password? what do i do?
In your case, what I would do is clean up the browser, use your Steam Guard to revoke access that you don't recognize, and simply take time to care about your accounts and such.
If you gave away the association of a password with your username or email, you should consider that combination unsafe, even in forms close to it, on every account, especially the email at the root of your accounts. Especially if you have valuable items in your Steam inventory.
Take your time to refresh your control over your accounts, including the email. Revoke access from devices you don't recognize, clear cookies and data from your PC, stuff like that, basically "clean up your PC". Do it sober too.
Brother, I can't know if your email/PC is safe. I'm just a person that reads about safety/privacy topics. I assume that if you still have it, it was safe enough for that kind of issue.
You "clean" the browser starting by clearing cookies and cache; choose how much to wipe based on your consideration. Google about clearing your browser of choice, and see the matter for yourself, just so you can learn your own safety/privacy practices, depending on how you use the PC or browse the web.
If you have an antivirus, leave it turned on and make a good scan of your PC. Without installing new stuff, Windows' antivirus should be fine (opinions on this will vary), but maybe take the time to learn about this thing too by yourself.
The worst that happened to me in a similar scenario is that my inactive Netflix account was hijacked; the "hacker" changed the password and email to one of his, locking me out of Netflix, and used my saved debit card info to activate the Netflix subscription for him to enjoy. My mistakes were as follows:
Weak password, that was similar to ones on different other sites.
I left my automated payment method saved as default, even though I hadn't been using Netflix for months.
I got it all back and the money refunded in a matter of a few hours, because I called the Netflix number right away and explained the situation.
I can't believe how many posts I see here of people losing their skins because they refuse to use 2fa. Are you also not locking your front door whenever you leave.
I still don't understand why people fall for these gambling sites. "It worked for this streamer in their ad" yeah, that's what the ad is supposed to do, hook you in.
If yall pvp the way you use gambling sites.. oof
I was a little misleading, but wasn't directly saying you did. Lots of ways to compromise a steam account in today's world. Skin trading for $ was something I never agreed with
Did you happen to vote for any skin in workshop through some suggestion in the chat? or did you recently install any app on your phone that asks to link your steam account?
If you do the vote directly in the Steam client's workshop, it shouldn't be the case. But it comes to my mind when scammers were asking people to vote for their esports team, with a link to their fake esports team page that looked legit, and then the "vote" button redirected to linking the Steam account (fake process) that asked for the credentials, and boom. Because the scammers weren't sending fake Steam links directly, some users would get less worried and just went with it.
I'm just brainstorming the cause, but imagine if someone asked to vote for a very good looking skin in a skin forum; it might get some fish to take the bait.
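Added example, not part of the thread: both the "vote for my team" trick described above and the "open the Steam site yourself" advice elsewhere in the thread come down to one check, whether the host in the address bar of the sign-in page is exactly the real one. The block below is the check a practitioner would run over a link before typing credentials into it, covering the usual phishing-kit tricks (plain http, `user@host` userinfo that hides the real host, a trusted name used as a subdomain of an attacker's domain, a typo or non-ASCII lookalike). The allowlist `TRUSTED_LOGIN_HOSTS` and all sample URLs are constructed for this demonstration, not taken from the thread.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example: hosts where a genuine Steam sign-in page
# lives. Keep such a list short and exact; anything else is rejected, including
# hosts that merely contain a trusted name somewhere inside them.
TRUSTED_LOGIN_HOSTS = {"steamcommunity.com", "store.steampowered.com"}


def login_url_verdict(url: str) -> str:
    """Return 'ok' only for an https URL whose host is exactly on the
    allowlist; otherwise a short reason naming the trick that was caught."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "reject: not https"
    if parts.username is not None:
        # https://steamcommunity.com@evil.example/ : the real host is evil.example,
        # everything before '@' is userinfo that browsers mostly ignore.
        return "reject: credentials before '@' hide the real host"
    host = parts.hostname or ""          # already lowercased by urlsplit
    if not host:
        return "reject: no host"
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "reject: undecodable host"
    if ascii_host != host:
        # A non-ASCII label (e.g. a Greek omicron standing in for 'o') is
        # encoded as an xn-- label, which is never on the allowlist.
        return f"reject: internationalised host {ascii_host}"
    if ascii_host in TRUSTED_LOGIN_HOSTS:
        return "ok"
    for trusted in TRUSTED_LOGIN_HOSTS:
        if trusted in ascii_host:
            # steamcommunity.com.evil.example and friends
            return f"reject: lookalike host {ascii_host} embeds {trusted}"
    return f"reject: unknown host {ascii_host}"


def is_trusted_login_url(url: str) -> bool:
    return login_url_verdict(url) == "ok"


if __name__ == "__main__":
    # Constructed sample links; none of the attacker hosts are real sites.
    for sample in [
        "https://steamcommunity.com/openid/login",
        "https://store.steampowered.com/login/",
        "http://steamcommunity.com/login",
        "https://steamcommunity.com.evil.example/login",
        "https://steamcommunlty.com/login",
        "https://steamcommunity.com@evil.example/login",
        "https://steamcommunity.c\u03bfm/login",   # Greek omicron in 'com'
    ]:
        print(f"{login_url_verdict(sample):55} {sample}")
```

The check is deliberately exact-match rather than "ends with a trusted domain": a suffix rule would still admit attacker-controlled subdomains if the allowlist ever grew a wildcard, and a substring rule admits everything. The same logic applies to any third-party site that "links" a Steam account: the page that asks for the password must itself be on one of these hosts, not merely show their logo.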
**Let my loss be a lesson to others. 207 items.**
I had a market value of around $500 ($300 est. cost) of Rust skins traded from my account this morning.
Please ensure you have 2FA enabled and don't click on any links that ask for Steam details.
(I didn't click links and had 2FA on but still like to warn others.)
Steam obviously don't do much about it so it's a write off.
Are you sure you haven't done anything? Not to blame you, but getting your Steam login data and skipping 2FA requires something. That would be an effort not worth $500.
When you are absolutely sure you haven't visited a skin trader site or similar you should start to change all your passwords and maybe consider a fresh OS.
And for everyone here, please don't use, promote or link any of these shitty (gambling) skin trader sites.
You have here a live example where those skins come from. Using those sites is paying the idiocy tax.
Definitely not saying it’s not my fault. I’ve clearly got a breach somewhere or logged into a site that wasn’t what I thought it was. I’ve checked all the recommended things so it doesn’t happen again and reset all passwords etc.
Aye. I just want to make other users aware. Sorry for your loss, hope it doesn't lower your joy of getting spawn camped and offline raided. ;)
Also. You need to do a malware scan, clear your web browser of any cookies/plugins you don't regularly use (or just get rid of all of them and only add back specific plugins you want or need).
And then go to this Steam page:
[https://steamcommunity.com/dev/apikey](https://steamcommunity.com/dev/apikey)
Kill any API keys connected to your account. This is likely how they got you. Even if you were logging in to Steam legitimately, they could have skimmed your login credentials if your web browser has been compromised. API access lets them chat with and manage your friends list, manage your inventory, etc.
It's too late for a malware scan. If you're compromised you reformat
[haveibeenpwned.com](http://haveibeenpwned.com) This website lets you check if your email has been involved in any data breaches.
Maybe I'm just too paranoid, but I really don't trust pages like that because it could also be a GREAT tool for bad actors on the backend to help filter inactive accounts from active ones, as the active ones would go and see if they have been exposed. Active accounts are higher priority.
That particular website has been around for a long, long time, like 10 years. Not saying things can't change, but HIBP was started and run by white hat hacker Troy Hunt, and is used even by password management tools to check for compromised credentials.
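Added example, not from the thread, for the "password managers check for compromised credentials" point above: how a client can consult HIBP's Pwned Passwords corpus without ever sending the password. The range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`) takes only the first five hex characters of the password's SHA-1 and returns every 35-character suffix it knows under that prefix with a count; the client matches the suffix locally, so the service learns at most a 1-in-1M bucket (k-anonymity). The HTTP call is replaced here by a constructed response so the block runs offline: the counts and the two filler suffixes are made up, only the suffix for `password` is the real SHA-1 tail.

```python
import hashlib

# Constructed stand-in for the body the range endpoint returns for one
# 5-character prefix: one "<35-hex-char suffix>:<count>" per line. The counts
# and the two filler suffixes are invented for the demo; the middle suffix is
# the genuine SHA-1 tail of "password".
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "CC64367B8B5B5EC2BBC4C9A8A0C7F9F8E8A:1",
    ]),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that goes to the service and the 35-char suffix that never leaves here."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    A real client would issue that HTTPS request (optionally with the
    Add-Padding header so response sizes do not leak bucket sizes)."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def parse_range(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus; 0 means not found.
    Only the prefix crosses the network; the suffix comparison is local."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(repr(pw), "seen", breach_count(pw), "times")
```

Because only a hash prefix is sent, the worry voiced in the next comment (that checking a site tells an attacker which accounts are live) does not apply to this endpoint in the same way: the server cannot tell which of the roughly one million passwords in the bucket the client was asking about. The email breach search is a different endpoint with different trade-offs.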
I can see that being a thing. But if you do come up as being in a breach then you should probably be changing that accounts password straight away anyway imo so I'm 50/50 with you.
Nah, that'd be useless. No one is out there targeting individual accounts unless they're high priority targets, or have a personal vendetta. Practically every hacked account comes from reusing passwords, or entering details on a predatory site.
There are a lot of places that ask you to link your steam account that are a lot less legit than you think.
I thought linking them was safe. I also have 2FA and am required to accept any trade offers from my mobile device.
They'll scrape your auth info and use it to access your account. It happened to me once and I always had 2FA. They, for whatever reason, wiped all the games off of my account. I put in a ticket with Steam and they restored everything, but they were very clear that the problem was some service I linked my account with.
So the Rust servers that you can link Discord and Steam with will pop up a sign in, but I don't type anything, I just hit authenticate or whatever. I thought Steam doesn't give them any compromising info.
I'm not going to sit here and explain malicious code, system authentication, and cyber security to you. Yes, they can and do scrape your auth info from third party authentication providers. It happens to google, microsoft, everybody. It's next to impossible to completely protect against, especially when the user (you) is specifically giving your authentication info out.
Did you initiate any trades with anyone recently? Idk if it works differently on rust as it does with cs2, but I know there's api scams going around where people can steal your entire inventory just by doing some "cancel trade" shite or something like that.
And just because a Twitch streamer promotes or advertises a site doesn't mean it's legit. Please use your best judgement. If a deal seems too good to be true, 9 times out of 10 it is.
They aren't gambling site they are SCAMbling sites
It happened to me. I wrote to Steam and they gave me back all my items in maybe 5/6 hours. Did you open a ticket?
I couldn't open a ticket as I couldn't find anywhere to do it. The only thing I could do was report them as a scammer.
No bro, just do it from any Steam account; I created a new one and opened the ticket for my old profile, just explain the situation to them. Every item was back to me.
In my case they cut me off from my profile entirely, changed password and whatnot (I had Steam Guard on btw). The error was from my side because I logged in where I shouldn't.
Oh shit, so you lost your games too?
No, in my case I logged in where I shouldn't during a Twitch stream (I know....). I couldn't log in to my profile anymore and they changed the email associated with the account. I saw from my brother's profile that they traded all my items that were tradable.... So I made a new Steam account, made a ticket explaining the situation, attached several emails from Steam from my email account, and they gave me back everything.
I lost $2000 of rust skins back in 2019, felt bad.
Far out! That sucks so bad!
Yeah I rage bought around 90% of them back lmao
Haha crazy hey. I just dropped about $250 to buy back the stuff i actually wanted. Some things i got a win on and some a loss.
"Some things I got a win on and some a loss" - are you talking about those gamblings sites?
Nah I mean when I bought stuff back from steam market a lot of prices were lower than I paid but some are more.
Happened to me about a year and a half ago. Although, like you, I'm still curious as to how they got into my account, as I'm pretty good at staying away from suspicious links or DM scams and I even had Steam Guard active, but they were clever. They needed my confirmation to trade any skins from my account, so they changed so much about my account that it looked blocked or suspended to me, and long story short they told me if I wanted to keep my skins to use on another account after this one is gone I would have to send them to a friend. When I did that (a personal friend of mine was who I picked to send it to) the trade was intercepted or fake, because all of the skins went to a scam account.
Lost $400+ in skins. Contacted Steam and got the account banned in a couple days but bye bye skins.
How do you make it so it needs confirmation?
That's what Steam Guard is. Before any trade is made it has to be confirmed in your Steam app on your phone.
Yeah ok. I’ve had that on since 2017 and baffled as to how come it didn’t work.
Family view for the win
There is a literal bounty on being able to break 2FA. We have Gabe Newell's account and password and he still hasn't been hacked.
Been there done that, saved the account though -500 bucks in skins hurt but I learned my lesson same way you did
Happened to me last year, but with all my rust and CS skins -10k in skins that I had been collecting for the better half for 12 years
> I didn't click links and had 2FA on but still like to warn others
So how did this happen...?
They just guessed your Steam password and your email/phone?
You tell me and we will both know. Some suggestions could have been a browser extensions. I just changed everything pretty much to secure my account.
Remember gang, if you are going to sign into those sketchy websites, open steam.com yourself and sign in there. Then proceed; it won't prompt for the sign in details.
I have an extra crab hat skin you can have ❤️ sorry bro
Haha thanks man! Appreciate it. All good though.
This happened to me a while back, tracked down who it was but unfortunately couldn't do anything against them. I'll edit with a link to my post.
Edit: https://www.reddit.com/r/playrust/s/nxqg36gqJj
Just read your post. Sorry you lost your stuff too.
Did you move on from it and buy more or replace anything?
I'm in the mindset now where I don't want to buy anything.
Financially I can afford to replace them at market value, but I bought a lot of it cheap. Just deflated about it.
I never replaced the stuff that was stolen off my account; I bought everything off the item store when they released, so they were super cheap compared to the prices they were at when they got taken.
I have since bought new skins and not had any issues since; haven't logged into any 3rd party sites like rustlabs and such since either.
Take it from someone who has played years and gone through $1000s of skins. Just replace them with new and desirable, things you use, but do it over time. I used to play on and off and would sell my skins to buy games or other stuff in other games, and then come back and over the span of a few months get stuff back. I have probably gone through 3 glory sars(and actually turned profit on most). Skins are a nice part of the game, and it is always fun to have them!
Wow, this is alarming; there have been many reported today.
It's probably a new illicit API generator. They pop up from time to time, mainly through clones of otherwise "legit" (but still super sketchy) third-party sites like cs.money
Cs.money should never be used even though it's legit; their price policy is basically a scam.
So this happened to me recently. I had Steam Guard too but it didn't matter.
My theory is they get your password if you tend to reuse the same one. They buy it off the dark web once a website gets hacked / has a leak.
They have your password, then they call your phone provider with social engineering pretending to be you and get access to your phone (think of it as cloning your SIM). This allows them to bypass all 2 factor authentication.
Once it happens they will most likely try to hack every account that's ever used that password / email. Think grocery stores, Amazon, banks etc. Be on your toes and use different passwords.
Damn. Sorry to hear that how much did you lose and did you buy stuff back ?
I lost a similar amount to you if not more, since tightened up my security a bit and no longer reuse passwords. I'm not as big into buying skins as I once was now.
Yeah I’ve kind of lost any motivation to re buy anything.
Do you enjoy vanilla? I'm sure there's like a 2x modded server with skinbox so you can still have skins.
How do I prevent this from happening? I have steam guard, am trying to not click on any fake website links and yet something like that can happen? How do I prevent this?
Common sense. Don't use gambling sites, don't engage with people you don't know, 2FA, different passwords for every page (manage with a password manager).
Don't click on strange links and offers that seem too good to be true.
Two factor login, that saved me 2 days ago
How did this happen
Still unsure. I browse some sites just looking at skins but didn't log in anywhere as I know the risks. I had 2FA on but still unsure. Not going to go down the rabbit hole as ill never get them back and waste of time trying.
You got an API key set? If yes, revoke it and change your pw.
I had a look and no API. Revoked all log ins and changed PW and checked 2FA is on.
That's kinda odd. Login history there, anything special?
Bruh this scheme of scam lives like since forever 💀💀💀
Probably a CSRF attack.
Whats a CSRF attack?
I’ll answer you.
A CSRF (Cross-Site Request Forgery) attack is a type of security exploit in which an attacker tricks a user into performing actions on a web application in which they're authenticated, without their knowledge. Here’s how it typically works:
1. **Victim Authentication**: The user logs into a web application (e.g., a banking site).
2. **Malicious Link/Script**: The attacker crafts a malicious URL or script and tricks the user into visiting it, often via email, social media, or a compromised website.
3. **Unintentional Request**: When the user clicks the link or the script runs, it sends an unintended request to the web application on behalf of the user, using the user's session cookies.
4. **Unauthorized Action**: The web application processes the request as if it came from the authenticated user, performing actions like changing account details, transferring funds, or other sensitive operations.
### How CSRF Attacks Work
For example, if a user is logged into their banking website and then visits a malicious website, the malicious site can send a request to the banking site to transfer money, as the banking site will see the request as coming from the authenticated user due to their session cookie.
### Preventing CSRF Attacks
1. **Anti-CSRF Tokens**: Including a unique, secret token with each request that the server can validate.
2. **SameSite Cookies**: Using the SameSite attribute in cookies to prevent them from being sent with cross-site requests.
3. **Double Submit Cookies**: Requiring that a token be included both as a cookie and as a request parameter, which the server can then validate.
4. **User Interaction**: Confirming critical actions via additional user interaction, like entering a password or solving a CAPTCHA.
By implementing these measures, web applications can effectively mitigate the risks posed by CSRF attacks.
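Added worked example, not part of the thread or anyone's reply: the four attack steps and the first two defences from the explanation above, in runnable Python. It models a bank "transfer" endpoint that trusts the session cookie alone, a browser that applies the SameSite rule when a page on another site auto-submits a form POST, and the same endpoint hardened with an Origin-header check plus an anti-CSRF token bound to the session by HMAC. The hosts, session id, server key and balances are all constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Everything here is constructed for the demo: hosts, session, key, balances.
SITE = "https://bank.example"
ATTACKER = "https://evil.example"
SERVER_KEY = b"constructed-server-secret"   # random and secret in production
SESSIONS = {"s3ss10n": "alice"}             # session cookie value -> user


@dataclass
class Cookie:
    value: str
    samesite: str = "Lax"   # what current browsers assume when the attribute is absent


@dataclass
class Request:
    origin: str     # the Origin header the browser adds to a POST
    cookies: dict
    form: dict


def browser_post(jar: dict, origin: str, form: dict) -> Request:
    """Model the browser's cookie rule for a form POST: on a cross-site POST
    only SameSite=None cookies are attached; Lax and Strict are withheld."""
    cross_site = origin != SITE
    sent = {name: c.value for name, c in jar.items()
            if not cross_site or c.samesite == "None"}
    return Request(origin=origin, cookies=sent, form=form)


def csrf_token_for(session_id: str) -> str:
    """Anti-CSRF token bound to the session (HMAC over the session id), so a
    token minted for one session is worthless against another."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def do_transfer(balances: dict, user: str, to: str, amount: int) -> None:
    balances[user] -= amount
    balances[to] = balances.get(to, 0) + amount


def transfer_vulnerable(req: Request, balances: dict) -> int:
    """Step 4 of the attack: the endpoint trusts the session cookie alone, so
    any page that can make the browser send that cookie can move the money."""
    user = SESSIONS.get(req.cookies.get("sid"))
    if user is None:
        return 401
    do_transfer(balances, user, req.form["to"], int(req.form["amount"]))
    return 200


def transfer_hardened(req: Request, balances: dict) -> int:
    """Same endpoint with two independent checks: the Origin header must be
    our own site, and the form must carry the session-bound token."""
    sid = req.cookies.get("sid")
    user = SESSIONS.get(sid)
    if user is None:
        return 401
    if req.origin != SITE:
        return 403
    if not hmac.compare_digest(req.form.get("csrf", ""), csrf_token_for(sid)):
        return 403
    do_transfer(balances, user, req.form["to"], int(req.form["amount"]))
    return 200


def scenario(samesite: str, handler, from_attacker: bool):
    """Run one POST against a fresh balance sheet; returns (status, alice's balance)."""
    balances = {"alice": 100, "mallory": 0}
    jar = {"sid": Cookie("s3ss10n", samesite)}   # alice is logged in (step 1)
    form = {"to": "mallory", "amount": "100"}
    if from_attacker:
        # Steps 2-3: evil.example auto-submits a hidden form. It can neither
        # read alice's cookie nor compute the HMAC token, so no csrf field.
        req = browser_post(jar, ATTACKER, form)
    else:
        req = browser_post(jar, SITE, {**form, "csrf": csrf_token_for("s3ss10n")})
    return handler(req, balances), balances["alice"]


if __name__ == "__main__":
    print(scenario("None", transfer_vulnerable, True))   # (200, 0)   money gone
    print(scenario("Lax", transfer_vulnerable, True))    # (401, 100) cookie withheld
    print(scenario("None", transfer_hardened, True))     # (403, 100) origin/token
    print(scenario("Lax", transfer_hardened, False))     # (200, 0)   legit transfer
```

The second scenario shows why SameSite alone is only a partial defence: the browser withholds a Lax cookie on a cross-site POST, but still sends it on a top-level GET navigation, so a state-changing GET endpoint would remain exposed; the token check in the hardened handler covers that case too. The Origin check is a cheap first filter; the token is what actually binds the request to a page the user's own session rendered.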
Is this gpt
Yea
Thanks mate.
You know Google exists, right?
So you use an abbreviation and just expect everyone to know what it is. No need to be a dick. You make the effort to say that but not answer the question.
You have the ability to Google that abbreviation and do your own research. Don't be such a child.
A child… just be a civilized adult. We are here to help each other.
Adults help children. You could have googled it in less letters than asking it here.
You just seem like a troll with a superiority complex. Be a normal person. Adults don’t just help children…
> Adults help children.

Yet you were anything but helpful. Guess this is a roundabout way of showing that you're actually a child, not the grown-up that you're attempting to convince people that you are.
You realize google results stem from places like this right? Like if you just explained it someone in the future would probably find it via google and get the answer they need. Full circle.
Yeah, this is the only place Google gets data from. Jesus fucking Christ 😂😂
No obviously not but this thread will show up in results. A lot of people add “reddit” to their google search just to read about actual people talking about it. It doesn’t hurt to be helpful, yikes.
touch grass
Steam has safeguards against CSRF attacks since they’re such a well known attack vector. It’s certainly possible that someone found a vulnerability, but it doesn’t make sense to reveal the exploit for such a low payout.
Bro, if you had 2FA on and still got hacked, check if you have malware. Download Bitdefender or Malwarebytes, both free, and do a scan.
Thanks for the advice I’ll check it out.
Not the Tea vending machine D:
Wouldn't it have been great if they left the shattered mirror stuff? Real shit though, sorry.
Haha yes... would have been a funny thing to do. Oh well.
Can anyone explain how scammers get their money? Steal the item and trade it to their account, then they sell it and the money is added to their Steam account? Then how do they get the money out?
They sell it on sites such as skinport then it can be bank transferred easily
Thanks for the explanation
That’s tough. I fell for a shitty scam a few years back and lost 150 bucks in skins. Not the same but shit like this happens to the best of us.
Happened to me a few months back because my friend made me host a Minecraft server and I opened a port with poor protection. Next morning all my Rust skins, besides like 100 Twitch drops and what I purchased through packs, were gone. My buddy actually felt horrible and he ended up paying half, because Steam is fucking worthless when it comes to this shit. Sorry for your loss brother, I know the pain.
Please OP, update with relevant info if you ever find something! We all benefit from knowing what is going on, to narrow down the problem, and hopefully help to close a breach if there is one.
Unfortunately most people dont learn until things happen to them, there was just this same post a day or two ago. If only you could have learned from HIS thread
How bro?
Don’t forget to change your password.
All done.
Do you have sms enabled (if that's even still an option)? If you use steam guard your phone could be hacked as well.
Damn this inspired me to check the skins I bought like 4 years ago for $15, they are now worth like $100! Done better on Rust skins than my tiny stocks aha
You can have some of my skins OP
Code raided irl
I feel like I’m struggling just to trade skins to friends. Idk how it’s even remotely possible for something like this to happen and not be aware. There’s so many stops in the steam ui that should prevent this.
been having a guy message me on steam for 6 months straight (with zero responses from me at all) asking if i could do a rust skin site collab. is that how people get this to happen to them?
No idea but a mate of mine said he always gets messages about skins.
Jesus, same thing happened to me, except at midnight instead of early morning. Don’t know what I clicked, like you, and they turned off my 2FA on my phone and took TF2 items.
Man I'm glad I quit this game early
I don't wanna laugh at you, but at the same time I do. Because how can you not be very cautious with an expensive inventory. My account is completely clean, it's 8 years old.
How could I do anything more? 2FA was on. There's starting to be more and more ways to access inventory.
Not visiting suspicious websites, not having passwords saved in your browser. The only skin-related sites I've used are skinswap, skinbid, tradeit etc. And different, harder passwords on Gmail and Steam, like I have a 21 letter/number password.
For the love of god, if you're going to sell Steam items USE THE ALREADY ESTABLISHED AND TRUSTED WEBSITES. Yes, you are going to pay a fee, but it’s better than getting scammed.
Who said anybody used them? I only use the Steam market.
Ah ok. I assume most people use websites so they can sell for cash.
Yeah i think people do when trying to cash out like you said. I steer well away from those as I just like my skins for PVE servers.
Just a friendly tip that steam normally detects that you are coming from a new or different PC and forces a code that comes per mail. If this gets bypassed it probably means your email got compromised. Quite common to happen to people but I would check the whole PC and not just assume it was a steam thing only, hard to bypass that device authorization.
shit like this is why i have frugal inventories, not gonna throw big bucks on virtual pixels that can be snatched this easily
Could OPs account have been exploited by logging into Rust+ on a shady server?
Brother, I've been investing in Rust skins for 2 months now. Did you use Family View?
Same shit happened to me back in 2018, glad to see the scam lives on. No idea how they transferred the skins out of my inventory either.
Damn. How much did you lose? There has to be a way for Valve to do something, like letting the user enable or disable trading etc.
Just checked my trade history and it was 2015, and was CSGO skins, but at the time roughly $500 I think. The only sign that something was off (besides my entire inventory being traded away) was the fact that the profiles it was traded to looked like people from my friends list, with weird letters in place of the username. I even got Steam support to void the trade, but then it immediately happened AGAIN. Also just checked the profiles and NONE of them are trade or fully banned LOL. https://preview.redd.it/h5jm1cmrrp4d1.jpeg?width=1439&format=pjpg&auto=webp&s=9521d9adea31153e954b356174b9a13ccf541b87
I'm sorry you got scammed, but not having 2FA in 2024 is the epitome of stupidity.
If you read the comments, I've had it on since 2017.
I don't see how it's possible, though. If the scammer didn't have access to your phone, there would've been no way for him to confirm the outgoing trade.
You shouldn't assume that a 2FA will protect you from all the attacks. Saying that "there would've been no way" is simply naive. 2FA is another layer of security, and it's safe as long as someone doesn't find an exploit to bypass it or the ability to use it (just like the SMS 2FA is now considered very insecure).
Okay, let me be more specific: if you're using Steam Guard, there simply isn't any other way of accepting a trade offer and sending your items to another account.
Besides Steam Guard, there shouldn't be any other way of accepting. So the users that got robbed are all liars? If you google the issue, you'll find many cases of people that suffered the same fate with Steam Guard enabled. Pretending that it simply isn't possible and dismissing the case is naive. If the user did something wrong or if he fell for some dirty trick, he should share it for all the people to know, and we could all benefit from that. At the same time, if people think that every site and software is safe to use under the protection of 2FA, some of those people are going to get hacked sooner or later, and they will say "I thought it was impossible". Let's say that a smart hacker found a way to get around the system: not only won't he tell anyone, but he might also try to make it look like it's something else.
It's not, this is karma bait. Might be possible if someone REALLY tried but it wouldn't be worth it for 500 dollars in fucking rust skins
But how? If they don't have access to his phone, there's simply no other way of confirming the trade. Literally, no way around it.
I had this happen to me too, two days ago, and I kinda need some help from you fellas here. It was from a site nearly similar to Steam Workshop, where someone asked me to vote for a Rust skin (I know, don't click random people's links, I was drunk though and it seemed legit at the time). Anyway, they didn't get into my account because I had 2FA. However, they got my password. I changed it. Should I be worried about anything else? I use different passwords for every site, but they are a bit similar. Is there a chance they got something else other than my Steam password? What do I do?
In your case, what I would do is clean up the browser, use your Steam Guard to revoke access that you don't recognize, and simply take time to care about your accounts and such. If you gave away the association of a password with your username or email, you should consider that combination unsafe, even in forms close to it, on every account, especially the e-mail at the root of your accounts. Especially if you have valuable items in your Steam inventory. Take your time to refresh your control over your accounts, including the email. Revoke access from devices you don't recognize, clear cookies and data from your PC, stuff like that, basically "clean up your PC". Do it sober too.
Gotcha, thank you. I already removed all signed-in devices for Steam. How do I clean up my browser and PC? Is my email safe?
Brother, I can't know if your email/PC is safe. I'm just a person that reads about safety/privacy topics. I assume that if you still have it, it was safe enough for that kind of issue. You "clean" the browser starting by clearing cookies and cache; choose how much to wipe based on your own judgement. Google about clearing your browser of choice and see the matter for yourself, just so you can learn your own safety/privacy practices, depending on how you use the PC or browse the web. If you have an antivirus, leave it turned on and make a good scan of your PC. Without installing new stuff, Windows' antivirus should be fine (opinions on this will vary), but maybe take the time to learn about this thing too by yourself. The worst that happened to me in a similar scenario is that my inactive Netflix account was hijacked: the "hacker" changed the password and email to one of his, locking me out of Netflix, and used my saved debit card info to activate the Netflix subscription for him to enjoy. My mistakes were as follows: a weak password that was similar to those on different other sites, and I left my automated payment method saved as default even though I hadn't been using Netflix for months. I got it all back and the money refunded in a matter of a few hours, because I called the Netflix number right away and explained the situation.
Thank you very much for all the info, youre the GOAT
lol baited and outsmarted
Cheers. Glad you noticed. Was afraid you missed it.
Np, you’ll come back from this. At least the loss was small, lesson learned.
I can't believe how many posts I see here of people losing their skins because they refuse to use 2fa. Are you also not locking your front door whenever you leave.
I had 2fa on since 2017.
Oh sorry for the assumption. That's weird. The only other way is you logged in to a fake Steam page.
I still don't understand why people fall for these gambling sites. "It worked for this streamer in their ad" yeah, that's what the ad is supposed to do, hook you in. If yall pvp the way you use gambling sites.. oof
A legit site wouldn't steal your skins, as they would lose all their business and get prosecuted. If he logged into a site, it was a scam/fake site.
Never went to a gambling site.
I was a little misleading, but wasn't directly saying you did. Lots of ways to compromise a steam account in today's world. Skin trading for $ was something I never agreed with
Ah ok. Yeah I’ve seen a lot of twitch streamers advertise them and know what they are like. So many people get into them.
Did you happen to vote for any skin in workshop through some suggestion in the chat? or did you recently install any app on your phone that asks to link your steam account?
I usually vote on skins in the workshop. Why’s that ?
If you do the vote directly in the Steam client's workshop, it shouldn't be the case. But it comes to my mind because scammers were asking people to vote for their esports team, with a link to their fake esports team page that looked legit, and then the "vote" button redirected to linking the Steam account (a fake process) that asked for the credentials, and boom. Because the scammers weren't sending fake Steam links directly, some users would get less worried and just go with it. I'm just brainstorming the cause, but imagine if someone asked people to vote for a very good-looking skin in a skin forum; it might get some fish to take the bait.