What are Steam API Scams and How to Avoid Them?

2023-08-11  -  5 min read

by Skinflow


Steam has created an amazing platform that lets gamers trade their in-game items with friends or third-party websites, giving life to a thriving community and market. But like any online community, it has also been a target for scammers. A growing concern for many is the infamous 'API scam.' In this article, we'll break down how these scams work and how you can protect yourself right now.

What is an API Key?

The Steam Web API is a tool primarily intended for website developers, allowing them to fetch data from user profiles, among other things. To use this tool, an API key is required, and this is where things get risky. Every Steam user can easily generate an API key for their account, and scammers use this as a point of attack.

How Scammers Operate:

Initial Access: The scam starts when an attacker tricks you into entering your Steam credentials into a fake authorization window, a perfect imitation of Steam's real login page.

API Key Generation: Once they have your account details, they generate an API key for you. This allows them to manage all your trade offers.

The Deceptive Trade: The scammer waits for a legitimate trade you initiate or gets you to interact with a familiar website. Upon detecting a trade, their bots instantly cancel the authentic trade offer and replace it with a fake one mimicking the real deal. If you're not vigilant, you'll end up confirming the fake trade on your mobile authenticator, causing the loss of skins.

How to Shield Yourself from API Scams:

Inspect the Authorization Window: Ensure the login URL is https://steamcommunity.com/; anything else is likely deceptive. If a login prompt appears despite you being logged in, this is another red flag.

Be Skeptical of Identical Trade Offers: If you spot two identical trade offers, with one being canceled, be cautious. It's likely a scam attempt. Skinflow will play an audio cue if we detect that our bot's trade has been canceled, to signal that someone might be controlling your trades. Take this warning seriously if you did not cancel our trade yourself.

Confirm Bot Details: Before approving any trade, compare the registration date of the trading bot displayed on Skinflow and your mobile authenticator.

Check for Unauthorized API Keys: Regularly check if an unauthorized API key has been created for your account at https://steamcommunity.com/dev/apikey.
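
The two trade checks above (a canceled offer followed by an identical one, and a bot registration date that does not match) can be written as detection logic. This is an added example, not Skinflow's code; the `Offer` record layout, its field names and the sample values are constructed for illustration and are not a Steam API structure.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Offer:                   # hypothetical record layout, not a Steam API type
    offer_id: str
    partner_id: str            # account that sent the offer
    partner_registered: date   # registration date shown for that account
    items: tuple               # items you are asked to give
    state: str                 # "active" or "canceled"
    created: int               # seconds since epoch
    canceled_by_me: bool = False

def find_swapped_offers(offers, bot_id, bot_registered, window_s=600):
    """Return (canceled_id, replacement_id, reasons) for each suspicious pair."""
    findings = []
    for old in offers:
        # Only offers from the expected bot that you did not cancel yourself.
        if old.state != "canceled" or old.partner_id != bot_id or old.canceled_by_me:
            continue
        for new in offers:
            if new.state != "active":
                continue
            same_items = sorted(new.items) == sorted(old.items)
            recent = 0 <= new.created - old.created <= window_s
            if not (same_items and recent):
                continue
            reasons = []
            if new.partner_id != bot_id:
                reasons.append("different account")
            if new.partner_registered != bot_registered:
                reasons.append("registration date mismatch")
            if reasons:        # a re-send by the genuine bot yields no reasons
                findings.append((old.offer_id, new.offer_id, reasons))
    return findings

# Constructed sample data: 1001 is canceled and mirrored by 1002 from another
# account; 1003 was canceled by the user and re-sent by the genuine bot as 1004.
BOT_ID, BOT_REG = "bot-legit-01", date(2019, 3, 14)
SAMPLE = [
    Offer("1001", BOT_ID, BOT_REG, ("skin-A", "skin-B"), "canceled", 1_700_000_000),
    Offer("1002", "bot-lookalike", date(2023, 8, 2), ("skin-B", "skin-A"), "active", 1_700_000_020),
    Offer("1003", BOT_ID, BOT_REG, ("skin-C",), "canceled", 1_700_000_500, True),
    Offer("1004", BOT_ID, BOT_REG, ("skin-C",), "active", 1_700_000_560),
]

if __name__ == "__main__":
    for finding in find_swapped_offers(SAMPLE, BOT_ID, BOT_REG):
        print(finding)
```

Only the 1001/1002 pair is reported: the offer the user canceled and the genuine bot re-sent produces no finding.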

Most importantly: Never enter your Steam credentials on unfamiliar platforms. If you think you might have logged into a phishing website, you can still save your CSGO skins. Follow these steps before attempting any Steam trades:

1. Revoke any API Key here: https://steamcommunity.com/dev/apikey

2. Update your trade URL here: http://steamcommunity.com/my/tradeoffers/privacy.

3. Change your Steam password. If you are using the same password on other websites, consider changing it there as well, since the scammers most likely have your Steam email/password combination.

Remember, the strength of your online security is in your hands. To protect yourself, never enter your Steam login information on any website directly. Always connect with Steam automatically without entering your credentials, the same way you would connect to any other website using the “Login with Google” or “Login with Facebook” options.

Skinflow @ All rights reserved

Skinflow.gg is headquartered in Montreal, Quebec, Canada

Powered by Steam. Not affiliated with Valve Corp
