Scammers Using Fake Steam Sites to Hijack Accounts


Attackers launched a phishing campaign targeting Russian gamers through at least 20 fake sites promising Steam gift cards worth $5 to $50 and free game skins. F6 analysts discovered the sites impersonating Steam and Twitch to steal login credentials.

Scammers distribute phishing links through YouTube, TikTok, and other video platforms. Short videos showcase fake Steam gift card giveaways, with phishing URLs in channel descriptions. Some YouTube videos direct users to Telegram channels that distribute fraudulent links.

The phishing pages use a single template but vary the bait: "winter gift marathons," Steam anniversary promotions, or New Year giveaways. Each page includes a fake steamcommunity.com address embedded in the layout, while the real domain appears only in the browser's address bar. Close inspection reveals two address bars—the browser's actual bar at the top, and a fake one embedded in the page. Users who enter Steam credentials send their login data directly to attackers.
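The fake address bar described above can be checked for mechanically. The following JavaScript is an added example, not code from F6 or the original article: it flags a page that asks for a password and displays a protected brand address in its own content while being served from a different host. The function names, the `page` object shape, and the `.example` hostnames are assumptions made for the illustration, as are the steampowered.com and twitch.tv entries in the protected list.

```javascript
// Brand domains to protect. steamcommunity.com is named in the article;
// the other two entries are assumptions added for this example.
const PROTECTED = ["steamcommunity.com", "steampowered.com", "twitch.tv"];

// True when host is the brand domain itself or a real subdomain of it.
// Matching on a label boundary rejects steamcommunity.com.login.example.
function isHostOf(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === domain || h.endsWith("." + domain);
}

// Extract hostnames from URL-looking strings in the page's visible text.
function hostsShownInText(text) {
  const re = /(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?![a-z0-9-])/gi;
  return [...new Set([...text.matchAll(re)].map((m) => m[1].toLowerCase()))];
}

// Returns the brand hosts displayed on a page that asks for a password
// but is not served from any protected domain. Empty array means no finding.
function fakeAddressBarFindings(page) {
  const onBrand = PROTECTED.some((d) => isHostOf(page.hostname, d));
  if (onBrand || !page.hasPasswordField) return [];
  return hostsShownInText(page.visibleText).filter((h) =>
    PROTECTED.some((d) => isHostOf(h, d)));
}

// Constructed sample pages (not real indicators).
const SAMPLES = {
  phish: { hostname: "steam-gifts.example", hasPasswordField: true,
    visibleText: "https://steamcommunity.com/openid/login Sign in to claim your gift card" },
  lookalike: { hostname: "steamcommunity.com.login.example", hasPasswordField: true,
    visibleText: "steamcommunity.com/login Enter your account name and password" },
  genuine: { hostname: "steamcommunity.com", hasPasswordField: true,
    visibleText: "Sign in at https://steamcommunity.com/login" },
  news: { hostname: "news.example", hasPasswordField: false,
    visibleText: "Fake pages show steamcommunity.com in the layout." },
};

// In a browser extension the inputs would come from location.hostname,
// document.body.innerText and document.querySelector('input[type="password"]').
for (const [name, page] of Object.entries(SAMPLES)) {
  console.log(name, fakeAddressBarFindings(page));
}
```

The check only sees addresses rendered as text in the DOM; a fake bar drawn as an image would need a different signal.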

One-Time Link Technique

The second attack method involves fake skin giveaways for CS2 and Rust, allegedly via Twitch. These schemes use one-time links that work only on the first click. Anyone trying to open the same link from another device sees an empty page.

Alexander Sapov, Senior Analyst at F6's Digital Risk Protection department, explained the technique's effectiveness:

"If a user attempts to open the page on another device or passes the link to someone else—for example, as evidence of phishing—access to the content will be denied. This allows scammers to extend the lifespan of their phishing resources, as regulators cannot open the final content and obtain grounds for blocking."

The phishing sites impersonate Twitch and prompt users to enter a promo code before logging in via Steam. Clicking the login button redirects to a fake Steam page. F6 suspects these links spread in CS2 and Rust stream chats, disguised as Twitch Drops—the platform's official viewing rewards. Twitch moderation removes such messages, but not immediately, giving scammers time to catch victims.

All phishing resources in the Twitch scenario target Russian users specifically. Site templates use English, but data entry forms appear in Russian.

Why Steam Accounts Matter

Steam accounts attract hackers because they contain purchased games, achievements, and inventories with in-game items. Attackers primarily target inventories, since virtual items sell on third-party platforms for real money.

Compromised accounts enable additional attacks. Hackers send phishing links to the victim's friends, exploiting the higher trust levels that come with messages from familiar contacts.

Several discovered phishing domains in the .RU zone have been blocked. Others operate in .PW, .CC, .COM, .PRO, and .WORLD zones, but F6 is working to have them taken down.