How to Protect Your Steam Account From Hackers: Cyber Experts Warn of 'Free Game' Account Hijacks

User accounts on the video game distribution platform Steam are being targeted by hackers as part of a long-running phishing scheme, cybersecurity experts warn.

The campaign, which is designed to hijack account login details, is currently being circulated to Steam inboxes by compromised accounts belonging to users who have been duped by the scam. Spam links—sent to friends' lists—are claiming to offer a free game to new users.

In reality, the process will often end with the victim's username and password falling into the hands of cybercriminals, according to Jovi Umawing of U.S. anti-virus firm Malwarebytes. A blog post detailing the covert phishing campaign suggested that it has been ongoing since March this year. "Yes, there are still Steam users falling for old tricks," Umawing wrote.

The researcher said she was recently warned by other users about potentially hacked accounts, and received one of the spam messages in her own Steam account inbox from a friend last weekend. Alongside a shortened URL, a message read: "1 free game for new users! Take the game you want."

Clicking through, users are redirected to a phishing website that claims to offer free games. In the middle of the page is a button reading "try your luck." After following the link, Umawing was presented with a page saying she had 30 minutes to complete the transaction by logging into her Steam account via the website. It claimed she had won a copy of PlayerUnknown's Battlegrounds.

"The page shows that the user would need to wait for 24 hours before they can roll the roulette again and get another free game," she wrote. "Supplying credentials to this phish page, as we know, will result in accounts getting hijacked to further proliferate the phishing links."


There are several key signs that the website offering the free game is not legitimate—including some buttons that don't work and text in a menu that appears to be in Russian. It is not known who is behind the scheme—but some phishing websites still remain active, Umawing said.

How to protect your Steam account

Steam, which boasts 90 million active users as of January, offers its users a variety of methods to help report scammers, highlight phishing attempts and recover hijacked or locked accounts. It advises members to use its two-factor authentication and verify their email addresses.

The website warns: "Often times sites pretending to be an official Steam site will ask for login information typically offering free keys [or] deals on games.

"Beware of phony sites, and make sure you are visiting an official, secure Steam site. Official Steam logins are directed to the or domains."

It adds: "If you suspect a site asking for your login information is not an official Steam site, do not enter any information on the site and disregard it." Steam says it never contacts users via inboxes and urges anyone who receives a link to use "extreme caution."

"Steam has always been the platform of choice of fraudsters for a long time because of its millions of active users," Umawing wrote. "Yet it's also good to see Steam users realizing the danger early on... giving their friends a heads-up about it [and] trying to contain their zombified accounts. So be calm, keep on the lookout, stay informed, and continue to look after each other," she added.
