Steam and Mirrors: How Gamers Get Duped

Author: Kaspersky Cybersecurity

June 4, 2021

Gut-wrenching stories of in-game cheating told by actual participants.

People learn more from their mistakes than from cautionary tales of scam and fraud, so, for today’s security postmortem, we collected edifying tales from real-life gamers. Here are four from victims and one from a perpetrator.

Gift fraud

Mikhail Mad_Bucket, 23, translator:

“About seven years ago, something pretty interesting happened to me on Steam — technically a scam, but not really. In Team Fortress 2, there were these weapons that counted kills, and I wanted to sell a dropped crossbow that had this gizmo. Then a stranger on Steam offered to trade it for the game Eets.

‘Wow, a game for a weapon!’ I thought. We exchanged, I installed Eets, and everything seemed OK. But then I went to this guy’s profile, and there in caps it said: ‘GUYS, FREE EETS FOR WHOEVER WANTS IT.’ It turned out that some site was handing out keys for the game just like that, as many copies as you liked.”

Moral: If you are offered a free or very cheap game, go to the developer’s or publisher’s official website and see if it mentions the promotion. If it does, buy or download the game there — no need to take unnecessary risks. Our hero was very lucky that, in exchange for the weapon, he got a real copy of the (free) game, and not an army of Trojans or a fake key.

If your goal is to avoid paying for computer games, check out our guide to no-risk free gaming.

Malicious apps and account hijacking

Anonymous, 17:

“I’ve had two run-ins with scammers. The first time, I found a program supposedly for boosting items in CS:GO, which imitated the Steam login screen. I was 10, I didn’t really know what I was doing. I entered my details, they leaked, my account was almost stolen.

Back then, accounts with items got hijacked really quickly. Then, in a different account, I started crafting stuff in CS:GO. I got an AWP Redline and an M4A4 Asiimov in about two hours, as I recall. Just 20 minutes later the account was stolen, and the items got gifted away. I don’t know how it happened — maybe they hijacked a database somewhere. Btw, tech support still hasn’t returned that account. To be honest, I remember those times with horror — login without 2FA and poor-to-average Steam support.”

Moral 1: It’s not safe to enter credentials in third-party services, especially if they promise mountains of gold or illegal benefits such as a rating boost — you risk having your account hijacked. Avoid installing dubious apps as well; what looks like cheats and bots may really be malware.

Better still, use a security solution that stops malicious apps in their tracks, blocks fake sites, and wards off other evils.

Moral 2: Creating a strong and unique password for each service you use is critical. Make each one strong, so it can’t be brute-forced, and make it unique so that in case of a leak, your other accounts won’t be lost. If coming up with and remembering key phrases is problematic for you, use a password manager to securely store your passwords and automatically enter them for account login as needed.

For more protection, enable two-factor authentication. That way, to log in to your account, you (or anyone else) will need not only the password, but also a one-time code, making it harder to hijack. See our posts on how to activate this and other security features in Steam, Origin, Battle.net and Twitch.

Social engineering: A cybercriminal’s tale

Alexander, 28, SAP programmer:

“Back in the early days of Lineage II, some friends of a gullible classmate of mine decided to initiate him in the ways of this MMORPG. They created an account for him and poured in a lot of money (at least by high-school standards). They bought him D-grade gear [better than standard — ed.] and secretly completed the first class transfer quest. As a guy always looking to profit at someone else’s expense, I offered to help him with the second transfer.

He was clueless about the game but itching to get hooked. After class, I went to his house and, pretending to do a class transfer quest, killed a couple of skeletons and chatted with a guard. In an important-sounding voice, I told him that the job was done and asked for his ‘outdated gear’ as token payment. He happily handed it over. We bought him a wooden sword in return, and I left with a feeling of accomplishment.”

Moral: If someone offers to do something for you, make sure you fully understand what it is and whether you really need it. Find out the price right away — it may not be worth it. And never let gaming pros into your computer or account — even if they are “friends.” Although the narrator of this tale showed some restraint, you can’t count on a real scammer to spare victims.

Account hijacking with TeamViewer

Anonymous, 20, student:

“Back when I was a kid playing Counter-Strike: Source, I found this 35hp server where there was this dude in an Iron Man skin. His ragdoll made these cool metallic sounds upon dying. You could say I was impressed. I asked in the general chat how to get this type of skin, and the server admin said the model was only for admins, but just this once I could have it free.

He activated the skin for me on the server, and everything seemed fine, but then he wrote that the model had to be activated on Steam so it wouldn’t disappear. At his suggestion, I installed TeamViewer and gave him access to my computer. He connected, opened Notepad right on my desktop and wrote what to do there. To cut a short story even shorter: I gave him my account details, he logged in supposedly to activate the skin, and that’s how I lost my first Steam account.”

Moral: Installing third-party software, let alone handing over control of your computer to a stranger, is a big risk. As for giving out your account username and password, don’t do it, even if you’re promised a cool feature or a fix for a serious issue, as tech-support scammers do. If you need help from a tech-savvy friend, let them explain verbally how to solve the problem.

The world’s shortest tragedy

Hermit Purple, 18, professional commenter in VKontakte communities:

“I was playing Digger Online, logged in to the server. The admins said: item or ban. I bought them an item, but they banned me anyway.”

Moral: No moral here; we can only sympathize.

How to guard against gaming scams

Gamers who want to keep their money, gear, and accounts need to:

  • Protect game accounts with strong and unique passwords, and don’t forget to enable two-factor authentication. Here’s how to set up accounts in Steam, Origin, Battle.net and Twitch.
  • Double-check deals and offers, looking at seller (or buyer) profiles, reading reviews, and studying vendor websites. It’s better to lose half an hour than all your money.
  • Take your time entering account credentials. First, make sure you are using the official site or app. Type in the address manually if possible, and make sure there are no typos in the name of the site you are visiting. Don’t rely on familiar page layouts for quick visual confirmation; they are easily copied.
  • Reject additional programs. If a friend or acquaintance (or an online stranger!) asks you to install anything — especially a remote access tool such as TeamViewer — forget about it. If they’re helping you with a problem, have them explain the solution so you can do it for yourself.
  • Never disable your antivirus when playing. Many modern security solutions, such as Kaspersky Security Cloud, include a gaming mode that goes light on resources and does not interfere with game play.
