New Steam Phishing Campaign Targets Russian Gamers With Fake Gift Cards and Twitch Drops

CyberSecureFox 🦊

Gamers are facing a new, large‑scale Steam phishing campaign designed to steal accounts and drain valuable in‑game items. Analysts from cybersecurity company F6 report identifying at least 20 phishing sites that impersonate official Steam and Twitch pages, promising fake Steam gift cards and “free skins” for popular titles in exchange for account credentials.

Phishing sites mimicking Steam with fake gift cards and free skins

The attackers promote their fake resources aggressively through YouTube, TikTok and other video platforms. Short clips demonstrate, step by step, how to supposedly obtain Steam gift cards worth 5–50 USD or free cosmetic items. Links to the phishing sites are placed in video descriptions, channel profiles, on‑screen overlays and are additionally pushed via Telegram channels mentioned in the videos.

According to F6, most of the detected phishing sites for Steam follow the same technical template but use different marketing narratives: “winter gift marathon”, Steam anniversary events, New Year sales and other fictitious promotions. Visually, these pages closely reproduce the layout, typography and color scheme of the official Steam website, which creates a deceptive sense of legitimacy for users who do not carefully check the browser’s address bar.

“Double address bar” trick and visual domain spoofing

A key element of the scam is visual domain spoofing. The phishing pages embed a graphic banner showing “steamcommunity.com” that looks like a browser address bar. As a result, the user sees what appears to be a second address field: the real one at the very top of the browser, and a fake one inside the page layout. Inattentive visitors may focus on the counterfeit element and ignore the actual domain, which typically has random characters or unusual top‑level domains.

Once a victim enters their Steam login and password on such a page, the credentials are immediately sent to the attackers’ server. With this data, cybercriminals can rapidly perform an account takeover: change the password and recovery email, approve trades, and transfer expensive in‑game items to their own accounts or off‑platform marketplaces with minimal chance of timely recovery by the victim.

Fake Twitch Drops for CS2 and Rust using single‑use phishing links

The second major scheme uncovered by F6 abuses the popularity of Twitch Drops for games such as Counter‑Strike 2 (CS2) and Rust. Victims are offered “exclusive skins” allegedly obtainable by watching a stream or entering a promo code on a page styled as Twitch. After entering the promo code, users are asked to authorize via Steam, but the login button redirects not to Valve’s servers, but to another phishing login page.

This scenario stands out for its use of single‑use URLs. A link works only on the first visit from a specific device. Any subsequent attempt to reopen it, forward it to another user, or present it as evidence during an investigation results in a blank or harmless page. As noted by F6 experts, this tactic significantly complicates the work of regulators, CERT teams and automated monitoring systems because the malicious content is often no longer available at the time of inspection.

These links are distributed directly in Twitch chat during CS2 and Rust streams, disguised as legitimate Drops notifications or reward links. While Twitch moderation eventually removes such messages, there is typically a short delay, and this window is sufficient for a fraction of viewers to click through and surrender their credentials. All identified pages in this Twitch‑themed scenario are oriented toward Russian users: the base interface is in English, but the login forms, hints and error messages are fully translated and laid out in Russian, which increases trust and conversion among the local audience.

Why Steam accounts and skins are a prime target for cybercriminals

A modern Steam account often represents a substantial digital asset. In addition to a library of purchased games, it contains an inventory of tradable cosmetic items: weapon skins, cases, stickers and other virtual goods. In the secondary market for in‑game items, some skins can be worth hundreds or even thousands of dollars, making inventories far more attractive to criminals than the games themselves.

After compromising an account, attackers quickly move high‑value items to controlled accounts or sell them through third‑party marketplaces. Stolen profiles are then reused as a social engineering tool: messages with phishing links are sent to friends and teammates directly from the hijacked account, which dramatically increases the credibility of the lure. Industry reports such as the Verizon Data Breach Investigations Report consistently show that social engineering and phishing remain among the leading initial access vectors, and the gaming ecosystem is no exception.

Domain zones, takedowns and the limits of blocking

Some of the identified phishing domains registered in the .RU zone have already been blocked by Russian regulators. However, a significant portion of the infrastructure resides in other top‑level domains such as .PW, .CC, .COM, .PRO and .WORLD. Hosting in foreign or less regulated zones allows criminals to keep their infrastructure online longer and quickly rotate domains when individual addresses are added to blocklists.

According to F6, takedown efforts are ongoing, but the pace at which new phishing domains appear frequently outstrips the speed of response. In this context, user awareness and basic cyber hygiene become the decisive defense layer. Technical blocking can reduce exposure, but it cannot fully compensate for risky user behavior.

To avoid becoming a victim of such Steam phishing attacks, users should never enter their Steam password on a site opened from a link in a video description, stream chat or messenger. It is safer to open the official client or manually type “steamcommunity.com” in the browser, carefully checking the real domain rather than any “drawn” address bar elements on the page. Enabling two‑factor authentication via Steam Guard, using unique complex passwords for both email and Steam (preferably managed by a password manager), and promptly notifying friends and Steam Support about any suspicious activity or loss of access significantly reduces the risk of irreversible damage. As the overall level of cybersecurity awareness among gamers grows, it becomes harder for attackers to scale such campaigns and convert virtual items into real‑world profits.
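As an added defender-side illustration (not code from F6 or this article), the Python below classifies a URL by its real hostname only, ignoring anything the page itself displays, using the brand names and the non-.RU zones the report lists; the legitimate-host list, brand words and sample URLs are my assumptions and constructed values, not indicators from the report.

```python
from urllib.parse import urlsplit

# Hosts the lures imitate (Steam community/store and Twitch). Anything not under
# these is "not the real site", whatever a drawn address bar on the page shows.
LEGIT_HOSTS = ("steamcommunity.com", "steampowered.com", "twitch.tv")
BRAND_WORDS = ("steam", "twitch", "drops")
# Non-.RU zones the article names as hosting the campaign's infrastructure.
CAMPAIGN_TLDS = {"pw", "cc", "pro", "world"}

def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Sufficient for the TLDs in this article;
    multi-label public suffixes (co.uk etc.) would need a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def under_legit_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)

def assess_url(url: str) -> dict:
    """Return legitimate / suspicious / unknown based solely on the real hostname,
    which is what the "double address bar" trick tries to distract from."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return {"host": host, "verdict": "suspicious", "reasons": ["no hostname"]}
    if under_legit_host(host):
        return {"host": host, "verdict": "legitimate", "reasons": []}
    reg = registered_domain(host)
    tld = reg.rsplit(".", 1)[-1]
    path_q = (parts.path + "?" + parts.query).lower()
    reasons = []
    if any(b in host for b in BRAND_WORDS):
        reasons.append(f"brand word in hostname, but registered domain is {reg}")
    elif any(b in path_q for b in BRAND_WORDS):
        reasons.append("brand word appears only in the path/query, not in the domain")
    if tld in CAMPAIGN_TLDS:
        reasons.append(f".{tld} is one of the zones F6 saw hosting this campaign")
    verdict = "suspicious" if reasons else "unknown"
    return {"host": host, "verdict": verdict, "reasons": reasons}

if __name__ == "__main__":
    # Constructed sample URLs, not real indicators from the report.
    for u in ("https://steamcommunity.com/id/example",
              "https://steamcommunity.com.winter-gift-marathon.pw/login",
              "http://a7k2q.cc/twitch/drops/claim?code=ABC123",
              "https://example.com/"):
        r = assess_url(u)
        print(f"{r['verdict']:10} {r['host']:45} {'; '.join(r['reasons'])}")
```

Because the report says the Twitch-themed links are single-use, run this on the URL text as captured from chat or a video description rather than by revisiting the link, since a revisit may return a harmless page.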
