Scam: stolen Steam API Key

[D.Alex]

Please get familiar with this relatively new and sophisticated scam: Opskins: Steam API Key Scam

Update: MP now has a very good article as well.

Update Jan 2019: SteamRep "Account Hijacking" guide;  more info on Fake Login.

 

In short:

1) you fall for fake Steam Login website, attacker gets partial access to your account

2a) later you trade your item to Opskins.com/Marketplace.tf bot

2b) attacker cancels your trade and initiates a new trade to a fake bot

2c) you confirm this 2nd trade and lose your item

 

I would like to emphasize that the scam consists of two seemingly unrelated parts.

Once you did step 1 (fake login) you're very vulnerable to either step 2 or some other attack.

 

Avoiding #1: do NOT enter your Steam credentials on other websites, this could be fake login.

"Signing in through steam" is safe by itself and only requires you to press green "Sign In" button on Steam website.

If you're ever asked for credentials, manually open steamcommunity.com in another window and log into Steam there.

 

Avoiding #2: before confirming any high value trade on your phone, visit /my/tradeoffers/sent/ 

where your trade is waiting in "Awaiting Mobile Confirmation" state.

Check all the items and click on your partner avatar to visit his Steam Profile.

For example, MP bots should have lots of friends (with Geel usually on top) and lots of TF2 Inventory items.

 

[TF2Scourge]

Almost fell for this. 

Be aware that they are offering you money through trusted sources.

[Diamond jozu]

This is rather common in csgo.this was onr of the main reasons why csgo received the ban.now scammers are gonna do to tf2 now.ffs.

[SmokE]

its part of phishing link scam.Just dont click on any links from steam chat window.