Steam Inventory Helper May Be Compromised??


Loaferman

2 hours ago, Littlepudintater said:

so much text for so little information 💀 this isn't a unique situation this has happened before. 

And this situation happens too, people unknowingly posting information about stuff that's already happened, can't change the world all for one person bro


seems like a case of a lookalike being put up and people downloading it, be careful next time is all that can be said. always download stuff from dev's site if possible


14 hours ago, Loaferman said:

Thoughts? :o

i was trying to hold back but i am afraid you are russellposting at this point pls no spam (sorry if rude)

  • Like 2

similar attack happened the next day on someone without SIH.
Looks like SIH is more than likely (in my opinion) unrelated.

 

These scm listing scams have been a thing for years


had me scared for a sec, thankfully it's 99.9% some other scam not addon related.


21 hours ago, Loaferman said:

Thoughts? :o

Just uninstall internet, never get scammed again

  • Like 2

Shall I just delete my announcement posts I made and keep this up for context? I feel like that would be the best route. 


Also update on the guy who got scammed, after contacting customer support they were able to at least refund the money that the hacker tried to get by selling off his items on scm. Glad they did something so soon :)

  • Like 1
  • Thanks 1

Greetings, victim here. Here's some evidence SIH is related to the issue. 

 

Two logins to my account from third party sites (SIH), one at 6:52AM, the morning before the attack.


The other is at 4:16PM, only a mere ~15 minutes before the attack took place.¹

 

There is only one more login from SIH, an earlier access, likely used to scout/plan the attack.


 

 

There is no further visible history of SIH accessing my account, ruling out the factor of this being standard occasional access grants. 

These are outstanding unwarranted accesses to my account, and now the proof is available to public eye.

 

Whether this is directly from the team at SIH or an attacker who has gained access to the organization's resources is still up for debate. However, I feel it proves SIH's involvement in some capacity. I've compiled a recap to centralize my reasoning for the accusation against SIH:

  • SIH accessed my account right at the time of the attack.¹
  • SIH was the only entity with access to my Steam API key area.
  • SIH has the ability to make automatic transactions that BYPASS STEAM GUARD AUTHENTICATOR.
    • The items sold used this very method, as a script of some sort was used to instantly sell 1 key/item at a time at an extreme rate.
    • Each Item was sold under the 1$ mark to avoid being processed by Mobile Authenticator's Confirmations tab.

More findings will be posted as discovered, I am currently community banned as a safety measure initiated by my friends.*

I will try to remain available here on the forums to be able to discuss any findings with other trading community members looking to investigate and learn more. My priority is protecting as many fellow collectors/traders as possible. Every backpack we can protect together is another W secured.

 

-Dez

 

 

*I requested multiple reports be made against my account to help lock my inventory up to make sure I can get this sorted out safely before I can move items again.


On 3/21/2024 at 12:14 AM, Dezma said:

-snip-

core.sih conveniently provides a security log if you wanted to check for a third party going through them to get into your account(*). https://core.sih.app/sessions

Note that going to core.steaminventoryhelper.com will redirect your login to the core.sih.app, I'm guessing that the extension creates 3rd party login logs using the longhand name because it shows up as sih in my 3rd party logs when I went through the website UI.

 

Did you go through your steam login history and see anything abnormal? I didn't ask on day one because there's a 24h delay but they should be showing up now: https://help.steampowered.com/en/accountdata/SteamLoginHistory

Because to me it feels like your account got hijacked and *the hijacker had SIH on their browser, maybe used it to help quicksell the keys.


Why is it still possible to instantly sell items for pennies without a confirmation? I know it's for those selling cases by the backpack pages but why isn't it limited to just cases?

Even after tons of people losing up to hundreds of dollars in just half an hour why hasn't steam done something to prevent it. It's been going on for years.

Add that additional confirmation requirement to anything that isn't a crate or case and the whole scam falls apart. Yet it continues to happen.

  • Like 2

On 3/20/2024 at 11:14 PM, Dezma said:

However, I feel it proves SIH's involvement in some capacity.

Any news of this happening to anyone else? If this was an SIH attack, would they not do it to the thousands of other people who use SIH?


3 hours ago, bob_2_ said:

Any news of this happening to anyone else? If this was an SIH attack, would they not do it to the thousands of other people who use SIH?

- According to a friend who found a multitude of negative reviews on SIH, there have been incidents of this happening before, as the reviewers describe similar incidents.

The validity of these reviews is obviously not quite something I can confirm, of course, but the claims are there, so it's certainly not 1 or 2 fellows pointing their fingers with baseless blame...

 

- There wouldn't be a reason for SIH to clean out every user's backpack all at once, however, anyways.
I do not mean to speak down upon your claim, but wouldn't it be rather.. Brash and un-strategic to smoke a 200$ backpack on the spot? Imagine if they did that instantly with all of their users. It would be no secret case then, surely. That's the point of why it is so suspicious. A handful of victims coming forth to blow the whistle on SIH, buried among a sea of safe and trusting standard users. There's only so many backpacks that are worth cleaning out, y'know?

 

At least, that's my reasoning..


1 hour ago, Dezma said:

There wouldn't be a reason for SIH to clean out every user's backpack all at once, however, anyways.
I do not mean to speak down upon your claim, but wouldn't it be rather.. Brash and un-strategic to smoke a 200$ backpack on the spot? Imagine if they did that instantly with all of their users. It would be no secret case then, surely. That's the point of why it is so suspicious. A handful of victims coming forth to blow the whistle on SIH, buried among a sea of safe and trusting standard users. There's only so many backpacks that are worth cleaning out, y'know?

If SIH is compromised and the owners are trying to make a quick buck, they know they will get caught eventually. They would be running an exit scam. Why would they waste their time on $200 backpacks or selling a few keys at a time? From the moment they start to do sketchy shit, they would be under suspicion and the clock is ticking and they are risking their real targets, the top #1000 inventories, on a few hundred dollars worth of stuff from random people. Anyone can tell that siphoning keys here and there is far less profitable than fast, large-scale hits and doing the former risks their ability to do the latter. If they can steal keys this way they can steal unusuals. What you describe here makes no sense for the team behind SIH to do, and even if someone compromised their code to the extent you describe such a small target makes little sense. Scammers go for the biggest targets first. 

 

TL;DR If they have the kind of access and intentions that you imply here there is literally no reason to go for portions of small backpacks like what happened to you.


On 3/26/2024 at 10:28 PM, bob_2_ said:

If SIH is compromised and the owners are trying to make a quick buck, they know they will get caught eventually. They would be running an exit scam. Why would they waste their time on $200 backpacks or selling a few keys at a time? From the moment they start to do sketchy shit, they would be under suspicion and the clock is ticking and they are risking their real targets, the top #1000 inventories, on a few hundred dollars worth of stuff from random people. Anyone can tell that siphoning keys here and there is far less profitable than fast, large-scale hits and doing the former risks their ability to do the latter. If they can steal keys this way they can steal unusuals. What you describe here makes no sense for the team behind SIH to do, and even if someone compromised their code to the extent you describe such a small target makes little sense. Scammers go for the biggest targets first. 

 

TL;DR If they have the kind of access and intentions that you imply here there is literally no reason to go for portions of small backpacks like what happened to you.

It seems you didn't understand the point I was trying to make, as what you described is exactly what I mean. There is no reason to target small backpacks.

My backpack is not a small backpack. There is well over $5K USD in my backpack. That is why I believe I was targeted. 

 

I would like to raise awareness, to fellow top backpacks, to stop using SIH. That is the entire point of this. I want to help protect others from being attacked.


Any chance you could follow up to my first reply @Dezma? If there isn't an unknown IP in their logs then that would prove your point that they were the attackers, and if there is an unknown IP then it'd be more likely someone managed to get into your account another way and was simply using SIH as a tool on their end to offload your keys quickly.

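An added example (not part of any post in this thread, and not Steam's or SIH's code) of the triage discussed above: find a burst of sub-$1 market listings, then check whether the last login before it came from an address the owner recognises. The record layouts, IP addresses, timestamps and burst thresholds are constructed assumptions; the $1 cut-off is the figure claimed in the thread.

```python
from datetime import datetime, timedelta

# Constructed sample data (not a real Steam export format): login history
# rows (time, IP) and market listing rows (time, price in USD).
KNOWN_IPS = {"203.0.113.10"}  # addresses the account owner recognises (assumption)
LOGINS = [
    ("2024-01-01 06:52", "203.0.113.10"),
    ("2024-01-01 16:16", "198.51.100.77"),
]
LISTINGS = [("2024-01-01 16:31:%02d" % s, 0.95) for s in range(0, 40, 2)] + [
    ("2023-12-31 12:00:00", 14.50),  # an ordinary, higher-priced listing
]

def parse(ts):
    fmt = "%Y-%m-%d %H:%M:%S" if ts.count(":") == 2 else "%Y-%m-%d %H:%M"
    return datetime.strptime(ts, fmt)

def find_bursts(listings, max_price=1.00, min_count=10,
                window=timedelta(minutes=5)):
    """Return (start, end, count) for runs of low-priced listings packed
    into `window`, the pattern described in the victim's post."""
    cheap = sorted(parse(t) for t, price in listings if price < max_price)
    bursts, run = [], []
    for t in cheap:
        if run and t - run[0] > window:
            if len(run) >= min_count:
                bursts.append((run[0], run[-1], len(run)))
            run = []
        run.append(t)
    if len(run) >= min_count:
        bursts.append((run[0], run[-1], len(run)))
    return bursts

def attribute(burst_start, logins, known_ips, lookback=timedelta(hours=24)):
    """Classify the most recent login in the `lookback` period before a burst."""
    prior = [(parse(t), ip) for t, ip in logins
             if burst_start - lookback <= parse(t) <= burst_start]
    if not prior:
        return None, "no-login-in-window"
    _, ip = max(prior)
    # A known IP does not clear or implicate anyone: the owner's own
    # machine may be the compromised party, as a later reply points out.
    return ip, ("unknown-ip" if ip not in known_ips else "known-ip-inconclusive")
```

An `unknown-ip` result points toward an external session; a `known-ip-inconclusive` result means the owner's own device and browser extensions need examining next.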

The big issue here is that Valve needs to change their policy on 2FA for the SCM. Allow users to require 2FA for all SCM listings and/or purchases, regardless of price. Maybe some people wouldn't like this, but it could be made optional by adding a waiting period to disable the feature.

 

On 3/21/2024 at 12:14 AM, Dezma said:

Whether this is directly from the team at SIH or an attacker who has gained access to the organization's resources is still up for debate.

Or it could be an attacker who has managed to gain access to your resources (your PC.) If someone had access to your PC, they could have utilized SIH to mass-sell your items. At the end of the day, SIH is a tool. And while that tool may be useful for users, it is also useful for those who wish to steal. Why write your own custom code from scratch to mass-sell user's items, when you could simply utilize SIH's functionality in a malicious way? This could also be done entirely in a background tab or process, so you wouldn't have noticed it while it was occurring.

 

1 hour ago, FP jh34ghu43gu said:

Any chance you could followup to my first reply @Dezma? If there isn't an unknown IP in their logs then that would prove your point that they were the attackers, and if there is an unknown IP then it'd be more likely someone managed to get into your account another way and was simply using SIH as a tool on their end to offload your keys quickly.

Sure, if it's coming from their own IP, it could be that SIH is compromised to some extent. However, even if there are no unknown IPs, that wouldn't prove that it is indeed SIH that is responsible for the attack. If their PC is infected with some sort of RAT, that would also explain the traffic coming from their own IP/machine.

If the attacker utilizes SIH in some capacity, that would also explain why it appears SIH is the culprit. Though, if there is a 3rd party who has access to their PC, that 3rd party is the culprit, and SIH is not compromised, it's working as designed. The only thing that's compromised is the user.

To put it in different terms, think of it as using a banking app on your phone. If you use a banking app on a compromised device, that wouldn't mean that your banking app is the attacker. The 3rd party who infected your device is the attacker, the Banking app is not compromised, it's working as designed. The only thing that's compromised is the user. (Note: by saying this, I'm not trying to say that SIH should be as trusted as the developers of Banking apps. I hope my point comes across well enough.)

This sort of thing happens on other games that allow trading items between users.
