What is an API Scam
An "API Scam" is a type of scam encountered on the Steam platform.
It exploits a weakness in Steam's security together with users' lack of awareness in order to cheat them out of items from a variety of games.
A Steam API key, which can be generated for any account on the Steam platform, allows Steam exchange offers to be managed, but it does not allow offers to be accepted: acceptance requires the Steam Guard Mobile Token, which is needed to finalise a Steam exchange transaction.
How an API Scam works
A Steam user (for example, enticed by an attractive, even impossible offer) decides to visit and use a site that pretends to offer a service or impersonates another site.
The user is redirected to a fake Steam login panel, where they enter their login details and an authorization code from the Steam Guard mobile app.
Once the user has entered this sensitive data on the fake login page, the scammers are able to generate an API key on the user's account and take it. The Steam API key can be accessed from the key registration page once the user has logged into Steam.
Since the scammers now hold the user's API key, an automated script written by the scammers "listens" to the user's incoming offers, and when it spots an opportunity it fetches the details of the exchange offer the user has received.
Using those details, the script changes the appearance of a Steam account controlled by the scammers so that it looks identical to the account the user intended to exchange with. The script then automatically declines the real exchange offer and sends its own exchange offer from the fake account.
When the user accepts the exchange offer with the Steam Guard Mobile Token, they do not notice the difference between the two offers, and so they lose their items.
Important! In this case, you may notice two exchange offers in the "History of incoming offers" tab. The real offer will have the status "Exchange rejected (date and time)" and the fake offer will have the status "Exchange accepted (date and time)".
How to recognise an API Scam
Before accepting an offer using the Steam Guard Mobile Token, you should:
Check the details of the profile from which the exchange offer was received (profile, avatar).
Verify the level of the Steam profile (the Steam account that belongs to the scammers may have a different level).
Review the name change history of the Steam profile (to do this, in the exchange offer you received, click on the avatar or name of the profile from which you received the offer, then click the arrow next to its name to expand its nickname history).
Check the creation date of the Steam account from which you received the exchange offer (the creation date of an account cannot be modified in any way).
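The two-entry pattern described under "Important!" and the profile checks listed above can be expressed as a small checker. This is an added example, not code from the article or from Steam; the record shapes, IDs and sample offers are constructed here and are not Steam's Web API format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Record shapes and sample values are constructed for this example; not Steam's Web API format.
@dataclass
class Profile:
    steam_id: str
    name: str
    avatar_hash: str
    level: int
    created: datetime
    past_names: tuple  # nickname history, oldest first, current name last

@dataclass
class Offer:
    offer_id: str
    partner: Profile
    status: str  # "accepted" or "declined"
    timestamp: datetime

def lookalike(a, b):
    # Same display name and avatar, but a different account id.
    return a.steam_id != b.steam_id and a.name == b.name and a.avatar_hash == b.avatar_hash

def find_swaps(history, window=timedelta(minutes=5)):
    # The history-tab pattern: a declined offer followed within `window` by an
    # accepted offer whose sender is a look-alike of the original partner.
    hits = []
    for d in (o for o in history if o.status == "declined"):
        for a in (o for o in history if o.status == "accepted"):
            if timedelta(0) <= a.timestamp - d.timestamp <= window and lookalike(d.partner, a.partner):
                hits.append((d, a))
    return hits

def partner_warnings(expected, actual):
    # The article's manual pre-acceptance checks, returned as a list of findings.
    checks = [
        (actual.steam_id != expected.steam_id, "different account"),
        (actual.level != expected.level, "profile level differs"),
        (actual.created != expected.created, "creation date differs"),
        (len(actual.past_names) > 1 and actual.past_names[-2] != actual.name, "nickname recently changed"),
    ]
    return [msg for hit, msg in checks if hit]

# Constructed sample: the real partner and a look-alike account impersonating it.
T0 = datetime(2024, 1, 16, 12, 0)
REAL = Profile("ID_REAL", "TradeBuddy", "avatar_ab12", 35, datetime(2015, 3, 1), ("TradeBuddy",))
FAKE = Profile("ID_FAKE", "TradeBuddy", "avatar_ab12", 2, datetime(2024, 1, 10), ("xX_bot_Xx", "TradeBuddy"))
HISTORY = [Offer("offer-1", REAL, "declined", T0),
           Offer("offer-2", FAKE, "accepted", T0 + timedelta(seconds=20))]
```

Running find_swaps over HISTORY pairs the declined real offer with the accepted look-alike offer, and partner_warnings(REAL, FAKE) lists every check from the article that the fake account fails.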
How to protect yourself against an API Scam in the future
1. Go to https://steamcommunity.com/dev/registerkey to delete the generated key. You can do this by clicking the "Revoke my Steam Web API key" button.
2. If the key is generated again, make sure that neither your browser nor the device you are using is infected with malware in any way.
3. Deauthorize all other logged-in devices by going to https://store.steampowered.com/twofactor/manage
4. Verify that no other changes have been made to your account, such as your account email address.
5. Change your Steam account password (and do so on other sites too if you use the same password on several sites).
6. Just to be sure, after completing the points above, check that your account does not have a re-generated Steam API key (point 1). If you are using Steam inventory plugins, check that the API key has not been generated by one of the plugins you use.
Attention! Before each exchange, it is recommended to check that your account does not have a Steam Web API key created. By doing this you will increase the security of your exchanges!
Updated on: 16/01/2024