Fake Steam skin giveaway site tricks users into sharing their login credentials

• The scam is promoted through comments made to Steam profiles.
• To make it look legitimate, the phishing site contains a fake chat screen running on the left-hand side of the page.

A new scam that involves the use of a fake Steam skin giveaway site has been found tricking users. The purpose of the scam is to steal their login credentials.

How does it work?

• Discovered first by a researcher who goes by the online name of ‘nullcookies’, the scam is promoted through comments made on Steam profiles.
• The comments state, "Dear winner! Your SteamID is selected as a winner of Weekly giveaway. Get your Karambit | Doppler on giveavvay.com."
• Once a user clicks on the URL provided in the comment, they will be shown a new page that pretends to be a $30,000 giveaway promotion that contains 26 days of free skin for Counter-Strike: Global Offensive (CSGO).
• In order to get a free skin, the victim is prompted to log in to the site using their Steam credentials and later wait for the words ‘SKIN RAIN’ to appear in the chat.
• Once the words appear, the site asks the victim to click on them to get one of the free skins being offered that day.

To make it look legitimate, it also contains a fake chat screen running on the left-hand side of the page, Bleeping Computer reported.

Once the scammers gain access to the victim’s login credentials, they can hijack their Steam account, trade away their items, and perform other malicious activities such as further promoting their scam.

Red flags

In order to make the phishing page look less suspicious, the scammers claim that these skins are allegedly being sponsored by G2A, Handouts, opencases.cheap, GamDom, Kinguin, and FaceIt. Hence, users should not believe what is said on the site.

The chat messages appearing on the site are fake and do not belong to any actual visitors.

The bottom line

To avoid falling victim to such scammed sites, all Steam users should only log in to Steam directly from the steampowered.com domain. Be sure to do a thorough research of the site that wants you to log in through Steam.