
New scamming method using email confirmations?


IndieMate


You say you tested this on other accounts and they can send/accept the trade offer from the email even if they are not logged into the account the email was sent to? 

If that's true, I'm surprised it wouldn't require you to log in on the account it was meant for.


I can't say that I have, and you are legitly the first person to bring this up.

 

I would think that Valve would make it so that only the person who receives the email and is logged into said Steam account could accept it, but if you think about it, it makes sense. That's why when you request a password reset from a website they say to not forward it to any other person.


You say you tested this on other accounts and they can send/accept the trade offer from the email even if they are not logged into the account the email was sent to? 

If that's true, I'm surprised it wouldn't require you to log in on the account it was meant for.

I'm going to test it right now between my two accounts.

Edit: never mind. I forgot I just reinstalled Windows, and I haven't got my new charger in the mail yet to get the text from Gmail for two-step verification.


You say you tested this on other accounts and they can send/accept the trade offer from the email even if they are not logged into the account the email was sent to? 

If that's true, I'm surprised it wouldn't require you to log in on the account it was meant for.

I sent the email to my friend and when he pressed the send trade offer button the trade offer was sent.


I would think that Valve would make it so that only the person who receives the email and is logged into said Steam account could accept it, but if you think about it, it makes sense. That's why when you request a password reset from a website they say to not forward it to any other person.

That's not how any sort of confirmation email works.

Typically they send you a unique link/code which will expire in X amount of time which must be "activated", so anyone with the unique link/code can "activate it"; it doesn't matter if you are the same person or not.

Fairly certain this is not a common scam at all since it takes way too much time and can exactly be coded to a bot; however, it is worth adding to the guide :)

@op is it possible for you to send me some screenies so I can get more details and add it to the existing guide? http://forums.backpack.tf/index.php?/topic/27624-guide-phishing-and-scamming-techniques/


I sent the email to my friend and when he pressed the send trade offer button the trade offer was sent.

Yep, just tried the same when forwarding the email, this is indeed correct. Nice find, I guess.


That's not how any sort of confirmation email works.

Typically they send you a unique link/code which will expire in X amount of time which must be "activated", so anyone with the unique link/code can "activate it"; it doesn't matter if you are the same person or not.

Fairly certain this is not a common scam at all since it takes way too much time and can exactly be coded to a bot; however, it is worth adding to the guide :)

@op is it possible for you to send me some screenies so I can get more details and add it to the existing guide? http://forums.backpack.tf/index.php?/topic/27624-guide-phishing-and-scamming-techniques/

What type of screenshots do you need? I'd be glad to help.


What type of screenshots do you need? I'd be glad to help.

Actually, would it be okay for me to link your video since it's pretty well documented already? (Shall credit you ofc)


That's not how any sort of confirmation email works.

Typically they send you a unique link/code which will expire in X amount of time which must be "activated", so anyone with the unique link/code can "activate it"; it doesn't matter if you are the same person or not.

Fairly certain this is not a common scam at all since it takes way too much time and can exactly be coded to a bot; however, it is worth adding to the guide :)

@op is it possible for you to send me some screenies so I can get more details and add it to the existing guide? http://forums.backpack.tf/index.php?/topic/27624-guide-phishing-and-scamming-techniques/

Don't you think it should be that the link can only be activated by the account of the trade owner, though? For example, only I should be able to view my hidden workshop items even if someone else does have the link.

I could even accept a trade offer when I wasn't logged into any account on the Steam browser.


Actually, would it be okay for me to link your video since it's pretty well documented already? (Shall credit you ofc)

Sure thing. c:


Actually, would it be okay for me to link your video since it's pretty well documented already? (Shall credit you ofc)

It would be a good idea to put this on /r/steam, just to bring some awareness, and Valve may see it.


That lean into the mic when you said bitch, 10/10. I didn't think this could happen ever; wouldn't it just take you back to the email login page?


That lean into the mic when you said bitch, 10/10. I didn't think this could happen ever; wouldn't it just take you back to the email login page?

 

When you forward the email confirmation, the person gets the exact same email confirmation, just in another email.


Don't you think it should be that the link can only be activated by the account of the trade owner, though? For example, only I should be able to view my hidden workshop items even if someone else does have the link.

I could even accept a trade offer when I wasn't logged into any account on the Steam browser.

Steam doesn't exactly have the best security; atm it's basically: Trade offer is sent. Trade will be fulfilled when confirmed. Confirmed is when the unique code emailed to your selected email is opened, which is also the reason why you can trade on your mobile by clicking the confirmation email there. It never verifies, since it's expected that the only person with access to that unique code is you.

Think most people knew about this, just never thought it would actually be used to "scam" others, though it is borderline one of the most inefficient ways of scamming, but since we still have users downloading programs for "free hats"...

Also, Steam probably won't care. This sort of "bypass" only affects the trading community, which is a very small percentage of their user base, not to mention it's very inefficient. Steam's security is also largely useless, since practically all things in place can be easily bypassed with any basic computer skills. E.g. it takes like a few mins to bypass their "unable to trade for XXX amount of time", so in reality it only really punishes the "honest" users. Any sort of security measure which is stored locally is bad...

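The difference the posts above argue about, as an added example that is not part of the original thread and not Steam's code: a confirmation link that works for whoever holds it, next to one that also requires a logged-in session for the owning account. The function names, the in-memory store and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 15 * 60   # assumed lifetime; the thread only says "X amount of time"
_pending = {}           # sha256(token) -> {"account", "expires", "used"}


def issue_confirmation(account_id, now=None):
    """Create a single-use token; the raw value appears only in the e-mailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[digest] = {"account": account_id, "expires": now + TTL_SECONDS, "used": False}
    return token


def _lookup(token, now):
    """Return the live record for a token, or None if unknown, expired or used."""
    rec = _pending.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    return rec


def confirm_bearer(token, now=None):
    """Behaviour described in the thread: possession of the link is enough."""
    rec = _lookup(token, time.time() if now is None else now)
    if rec is None:
        return False
    rec["used"] = True
    return True


def confirm_bound(token, session_account_id, now=None):
    """Hardened variant: the clicker must also be logged in as the owning account."""
    rec = _lookup(token, time.time() if now is None else now)
    if rec is None or session_account_id != rec["account"]:
        return False    # wrong or missing session: the token stays unused
    rec["used"] = True
    return True
```

With `confirm_bound`, a forwarded e-mail is useless to the recipient unless they also hold a session for the account that owns the trade, and a failed attempt does not burn the owner's token.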

Hum, I don't know about you guys.
I just feel the victim is dumb enough to send his confirmation email to a stranger, that's it.
The trade confirmation is a security link (randomly generated token) which is sent to your email box only, to prevent this kind of situation from happening.


I lost my Tiger Tooth Factory New M9 Bayonet to this. Smart scam method, but I sent a screenshot of the confirmation to the guy. You should need to have been logged in to the email, in my opinion, to be able to accept these.


Archived

This topic is now archived and is closed to further replies.
