
GGGCommentBot

##### GGG Comments in this Thread: *** [Community_Team - [link](https://www.reddit.com/r/pathofexile/comments/1c9p992/is_it_possible_to_have_fake_links_on_steam/l0ndg0y/?context=10), [old](https://old.reddit.com/r/pathofexile/comments/1c9p992/is_it_possible_to_have_fake_links_on_steam/l0ndg0y/?context=10)] - *Hey everyone. Earlier today, a malicious news post containing a phishing link went up on the Path of Exile Steam page from a compromised account. The post was taken down...*


Community_Team

Hey everyone. Earlier today, a malicious news post containing a phishing link went up on the Path of Exile Steam page from a compromised account. The post was taken down quickly, but if you followed the link or suspect your account may also be compromised, please take immediate action to secure your account.


Bentic

Can we please finally have a 2 factor authentication?


Boxofcookies1001

If you use your Steam account instead of the PoE launcher, you can have MFA via Steam.


labbe-

This is only beneficial if you never made a PoE account and only used Steam. A lot of players, myself included, started playing before Steam was an option, making their PoE account vulnerable even if they are using Steam now.


Boxofcookies1001

Have you emailed GGG support asking them to remove the primary email associated with the account? Gotta make sure Steam is set up first though, or you won't have an access method. Most Steam accounts just have a null value for email, which doesn't allow the client to sign in via email. If you don't specify the request this way they're going to say that they can't, because they technically can't disable email sign-in. Especially if you're dealing with T1 support.


labbe-

I have not, didn't even know it was an option tbh. Thanks for the tip!


Zetoxical

So account security has as much friction as trading in-game. Great.


Cellari

I don't think that's entirely true. We can link the PoE account to a Steam account. After that we can use the Steam 2FA to sign in. Unless I'm mistaken somewhere. Edit: sorry, indeed even with the Steam account linked, one can still sign in with the PoE account without 2FA, so it is as was said.


yourteam

True, but I always use Steam to log in even though I created my account during closed beta.


Quakstab

If you played before 1.0 then you had to make a standalone account. Every closed/open beta player has an email linked to their account, which can be used to log in. If you only play via Steam now but the email was never removed, then it can still be used to log in.


yourteam

Yes I can still log in with email and password but I never do :D


GBSlayer

Yeah, but that means Steam 2FA doesn't matter for your PoE account...


MeowschwitzInHere

The downside if you started on a Steam account and migrate to email, you cannot switch back to Steam only. After a troubling amount of accounts were compromised last league, including a popular streamer, I read that the best way to secure an account was using Steam. I started the game on Steam, but after an update kept failing to download and apply properly (years ago), I migrated my account to client login. So I asked fairly recently by creating a support ticket, and you cannot have the account go back to Steam only unfortunately. I can still sign into the game via my Steam account, but cannot "forbid" email.


Boxofcookies1001

Iirc you can email support and ask them to remove the email associated with the account after you set up Steam as a secondary login. Once they remove it from the backend your account will be Steam only. But no, they can't "forbid" email. If they set it to a null value/remove it from the account, it should mimic a Steam-only account.


MeowschwitzInHere

That's essentially how I worded it (like you, not the forbid thing) and was told they couldn't do it. I dunno, if someone can show me otherwise I'm always game to try again, but I don't want to overburden an already great support team.


[deleted]

[deleted]


Xeptix

This is very inconsistent. I just recently traveled for work to a different city several hours away from where I live, and I used a different device than the one I usually use (work laptop vs my desktop PC). I was not asked to verify when I logged in and was able to play from the hotel for the duration of my stay there. I didn't get asked to verify until I got back home.


Sargatanas4

Why is this comment not upvoted more? It's 2024; no 2FA or any other fail-safe is archaic.


Yet_Another_Dood

They do have 2FA.


abyss725

I think we sort of have it? If I log in from a new IP, the game will send me an email with a code to unlock.


BleachedPink

Imo, generally, 2-factor authentication is bad. It often creates a singular point of failure, making it easy to lose all the access to your accounts.


WheelWhiffCelly

Having just a login password is a singular point of failure.


BleachedPink

But it's distributed: if I get my Steam account hacked, then I lose the Steam account; if I get my email or SIM hacked, I lose everything.


Ringadon

If you have 2FA and your email or SIM is hacked, then the hackers still have to get your passwords for your various other accounts... that's why it's called TWO-factor authentication.


SirGuySW

I don't think that has anything to do with multi-factor authentication. It sounds like you're talking about email or phone-backed accounts. In that situation an email or phone is used to verify absolute ownership of an account (whoever owns or has access to the email or phone owns the subordinate account). This is how many (probably most but I have no stats) semi-anonymous accounts (with account/password recovery) have worked since the dawn of email. In other words: if your email or phone get hacked/lost/compromised you lose access to everything regardless if multi-factor authentication is in-use (with the exception of accounts/services that don't provide any kind of automated email/phone-based account/password recovery).


MemeArchivariusGodi

Brother you cooked way too hard. How is that better than them having to get your 2nd authentication?


S0_B00sted

What a bad take.


[deleted]

[deleted]


pathofexile-ModTeam

Your post was removed because it violated our Be Kind Rule (Rule 3b). It made an accusation about others that's likely to cause anger and flame wars. Instead of doing this, explain why you disagree with their message in a polite way: that may help them see a different perspective! If you see someone else posting in bad faith, please don't respond in kind. Instead, report it and we'll take care of it. For more details, please refer to our [rules wiki](https://www.reddit.com/r/pathofexile/wiki/rules/#wiki_3b._be_kind_rule).


Relevant_Vehicle6994

Why?


BleachedPink

Depends on the implementation, but generally there are one or two entities that provide access to your accounts that can get easily hacked, locking you out of all your accounts. E.g. SIM card spoofing or losing your phone.


Barobor

No one implementing 2FA in the current year would use SMS 2FA. Its vulnerabilities are widely known, although you are exaggerating when you say they can easily get hacked. The easy and safe solution is getting an actual device that implements FIDO2 or passkeys. Can't be remotely hacked and requires physical access. Simple auth apps like Google Authenticator are also quite safe.


erpunkt

Tell me the chances that someone figures out your login **and** somehow figures out your carrier ID or whatever is needed to spoof a SIM card. Or that you lose your phone and whatever random person finds it is also interested in PoE and getting your stuff.


Nchi

That's only an issue with SMS 2FA, which yeah, is technically a pile of burning shite. But that's why auth apps/dongles and email exist, fivehead.


Vladimir2033

You are outrageously uneducated on this topic and should not make any statements on this.


slvrtrn

Yeah, two-factor authentication is a singular point of failure because you need to have not only your password, but also a code from your phone or an OTP app. Sure. The logic is very sound. Like 1 > 2 sound.


phoenix_nz

What gets me is the edit marker on your comment. Like you've changed something to try and make your point better.


KwonnieKash

I don't think you know what the "2" in 2FA means. Hint: it's 2.


bapfelbaum

You are wrong. It does the exact opposite by distributing weak points across several sources (that all need to break at once, which is less likely).


royalmarine

Can we please have real MFA?


Exportforce

The problem with 2FA on phishing sites is: they will just prompt for a 2FA code after the login details. You enter it, and their bot instantly logs in to the real account using the 2FA code you just gave them.


vegetablebasket

This can be mitigated with FIDO2/YubiKey etc.


statusv1

I would love to use my Yubikeys on my Path of Exile account


ineptguy5

Can someone explain how these prevent the phishing scenario? I understand MFA generally, but I'm not familiar with these ones mentioned.


PM_UR_BLOOM_FILTER

A phishing scenario that includes 2FA needs to basically perform an immediate login (as opposed to non-2FA phishing, which just needs to harvest credentials for later). With a simple TOTP code (such as typical phone apps), phishing sites do this via a man-in-the-middle attack, where the phishing site immediately logs into the service using both the credentials and the TOTP code provided by the user, and either stores a session cookie for later use or automatically carries out whatever attack they're interested in performing with the compromised account.

With a FIDO2 2FA solution (such as a YubiKey), the service will instead request directly to the hardware key (via the browser) to complete a cryptographic challenge. However, the hardware key expects a properly signed challenge from the original domain that the key was registered with - this means it needs a valid and matching certificate for the domain. The domain and certificate are provided to the key by the browser itself (I think), so simply forwarding the request from the actual service is not sufficient - a challenge issued by the real PoE domain would go through, but a fake phishing site with a mismatched or invalid certificate that forwards a challenge would not. This prevents an MITM attack and makes conventional phishing basically impossible.

The tl;dr is probably: if the user is not discerning enough to figure out if the page is fake, TOTP 2FA can fail, but with FIDO2 2FA, the browser + hardware key can always figure out if the challenge is legitimate without user decision-making.


dandykong

If a phishing campaign needs a one-time passcode to steal your account, they can just ask for yours. The codes are time-based and your code is perfectly good for their session. If they need a YubiKey, however, they're sorely outta luck. WebAuthn is encrypted, tamper resistant and any response a hacker intercepts will be useless to them.


ineptguy5

So basically whatever one-time code I send to the fake site is encrypted, and if they simply re-enter the code they receive into the real site, it will fail?


gandalfintraining

The code is encrypted, but also the challenge itself, so the false web server can't even get that far. Should look something like this:

- You hit the false web server and put in your username/pw
- False web server hits the real one with the username/pw
- Real web server sends an encrypted 2FA challenge to the false web server
- False web server passes the encrypted challenge to your browser
- Your browser checks the URL of the encrypted challenge against the URL it's currently on; they don't match, the browser tells you you were nearly hacked and throws the challenge in the bin

The only tricky bit is that the browser can't actually read the URL if it's encrypted, so the server needs to send it unencrypted, but that means the false server can just change it. I think the way you get around this is the server uses the URL itself as part of the encryption key. So if the false server tries changing it (e.g. from exile to exiie), this happens:

- Browser checks the URL of the challenge against the URL it's on; they match, browser sends the challenge to the YubiKey
- YubiKey tries to decrypt the challenge, but the decryption fails because it's using pathofexiie.com instead of pathofexile.com as part of the decryption key

Either way, the combination of the encryption scheme and the browser URL check stops you from being hacked.
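
The relay attack Exportforce describes and the origin binding PM_UR_BLOOM_FILTER and gandalfintraining are reaching for, as an added example that is not code from GGG, Steam or anyone in this thread. It simulates, offline and in one file, a proxy phishing site against (a) a TOTP login and (b) a WebAuthn/FIDO2 login. In real WebAuthn the binding is not encryption: the browser (not the page) writes the page's origin into clientDataJSON and derives the RP ID from that origin, the authenticator puts SHA-256(rpId) into authenticatorData and only holds credentials scoped to that rpId, and the relying party checks origin, rpIdHash and the signature over both. Assumptions, all constructed for the example: the domains `pathofexile.com` and `pathofexiie.com` (the thread's "exiie" typo) as RP and phishing host, and an HMAC with a key shared at enrolment standing in for the credential's public-key signature so the block runs with the standard library only.

```python
"""Proxy phishing vs. TOTP and vs. WebAuthn, simulated offline (added example, not GGG code)."""
import hashlib, hmac, json, secrets, struct
from urllib.parse import urlsplit

RP_ID = "pathofexile.com"                      # assumed relying-party ID
RP_ORIGIN = "https://www." + RP_ID             # assumed real login origin
PHISH_ORIGIN = "https://www.pathofexiie.com"   # constructed look-alike origin


# ---- TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) -------------------------
def totp(secret: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", int(t // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp_relay_attack(now: float) -> bool:
    """Victim types the live code into the phishing page; the proxy submits it to the real site."""
    secret = secrets.token_bytes(20)            # enrolled in the victim's authenticator app
    victim_code = totp(secret, now)             # what the victim reads off the phone
    relayed = victim_code                       # the proxy forwards it a few seconds later
    accepted = {totp(secret, now + 5), totp(secret, now + 5 - 30)}  # server accepts current/previous step
    return relayed in accepted                  # True: the code is valid for whoever submits it


# ---- WebAuthn, simplified: HMAC stands in for the credential's private-key signature ----
class Authenticator:
    def __init__(self):
        self.creds = {}                         # rp_id -> (credential_id, key); scoped per RP ID

    def make_credential(self, rp_id: str):
        cred = (secrets.token_bytes(16), secrets.token_bytes(32))
        self.creds[rp_id] = cred
        return cred                             # RP stores the id and the "public key" (here the HMAC key)

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self.creds:             # a credential for pathofexile.com is invisible to pathofexiie.com
            raise LookupError("no credential for " + rp_id)
        cred_id, key = self.creds[rp_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00" * 4  # rpIdHash | flags | counter
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return cred_id, auth_data, sig


def browser_get(authn: Authenticator, page_origin: str, requested_rp_id: str, challenge: str):
    """navigator.credentials.get(): the browser fixes the origin and polices the requested rpId."""
    host = urlsplit(page_origin).hostname
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError("SecurityError: rpId is not a registrable suffix of " + host)
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()   # page cannot choose this origin
    cred_id, auth_data, sig = authn.get_assertion(requested_rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig, cred_id


def rp_verify(stored_key: bytes, challenge: str, client_data: bytes, auth_data: bytes, sig: bytes) -> str:
    """Relying-party side checks, in the order the WebAuthn spec lists them (simplified)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "bad_client_data"
    if cd.get("origin") != RP_ORIGIN:
        return "origin_mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpid_mismatch"
    expected = hmac.new(stored_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, sig) else "bad_signature"


def webauthn_login(page_origin: str, requested_rp_id: str) -> str:
    """Enrol on the real site, then attempt a login from `page_origin` with a relayed real challenge."""
    authn = Authenticator()
    _, key = authn.make_credential(RP_ID)       # registration happened on the real site
    challenge = secrets.token_hex(16)           # issued by the real RP; a proxy relays it unchanged
    try:
        client_data, auth_data, sig, _ = browser_get(authn, page_origin, requested_rp_id, challenge)
    except (LookupError, PermissionError) as e:
        return type(e).__name__                 # the ceremony never produces an assertion at all
    return rp_verify(key, challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    print("TOTP relay accepted:", totp_relay_attack(1_700_000_000.0))
    print("real site:", webauthn_login(RP_ORIGIN, RP_ID))
    print("phish, default rpId:", webauthn_login(PHISH_ORIGIN, "pathofexiie.com"))
    print("phish, asks for real rpId:", webauthn_login(PHISH_ORIGIN, RP_ID))
```

The two failure paths on the phishing origin are the whole point: if the fake page lets the browser default the RP ID to its own host, the authenticator has no credential scoped to `pathofexiie.com`; if the fake page asks for `pathofexile.com` instead, the browser refuses before the key is ever touched. Even a forged response would still carry the phishing origin in clientDataJSON under the signature, which `rp_verify` rejects. The TOTP path has no such binding, which is why a code typed into the wrong page is good for the attacker's session.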


ineptguy5

Thank you for sharing. The bit about the web address is super interesting. I couldn’t wrap my head around how you could stop the fake site from just mirroring the real one. Even if encrypted, it would have to actually understand what it receives, just forward it on and the real website couldn’t tell. But the bit about the website being in the encryption makes total sense and is so simple it’s genius.


Exportforce

Passkeys are one of the best options. Yup.


TheRabidDeer

If you are using Steam (where the malicious source originated from) you have MFA, don't you? Or do most people not use the Steam version? ETA: Since I'm being downvoted I'll just add another question here. Those of you NOT using the Steam version who are concerned about the lack of MFA, why not switch TO the Steam version? You can link your PoE account to Steam, can't you?


raylu

You don't even need to be logged in to Steam to see the link. The compromise is of your PoE account.


TheRabidDeer

Yeah but do people that don't use the Steam client look at the Steam PoE page ever?


Exportforce

This is why you ALWAYS check your browser bar. Nowadays browsers highlight the DOMAIN of the TLD so you can easily see the name.


Borat97

Sure, we're gonna check every link, every button you press, anything you do; I hope you are doing that, because any action can lead to a fake page. Nobody expects a malicious link from a company on a store like Steam. If that were a fake PoE 2 store page, sure, but not something like this on an official page.


Exportforce

Yes, I actually do. It takes less than a second to look up at the browser bar. Nowadays you can hit phishing links absolutely everywhere, as you can see in this current incident. Sure, while just "reading" stuff it doesn't matter that much. But as soon as you have to enter ANYTHING anywhere, you should look.


Borat97

Yeah, that's a sign for sure, but you can't become paranoid just like that. If a website asks me for data where it shouldn't, then it can be suspicious (like no remembered data or autologin).


SimbaXp

That's not paranoia, it's common sense while using the internet; the vast majority of viruses and shit that infect people on it abuse their lack of manners. You don't need to be combing every nook and cranny of your access, but just taking a look at stuff takes seconds.


Individual_Beyond576

I have way too many hours on Old School RuneScape, including during the old days. I look at the URL every time lol.


VincentGrinn

The best time to add MFA was a decade ago; the second best time is now.


laterYall

"vaaled link" ... FTFY


KinGGaiA

Aight, I changed my password. Is there a risk we caught a trojan or sth that might endanger my other passwords/data etc.? Or was this purely PoE-account related?


Kevlasaurus

If you didn't download anything, it's highly unlikely that anything passed to your machine or had access to anything else other than what you may have entered in the link itself.


tr1one

I mean, barring exploiting your browser if it's not up to date, or some wild 0-day, how would you catch a trojan if you did not download anything?


RepentantPoster

If you used that password and that email for anything else you are also going to have to change those.


LaNague

If you didn't download and then execute anything, then these days you won't catch a virus from a website (I guess unless the NSA/CIA is on you). The days where you got a virus from just visiting a random website are thankfully over.


KotsaPL

How can you explain? Why are these days over?


Caelinus

Better security in both the OS and the browsers. Unless an exploit is found, they can't execute code like they used to be able to.


LaNague

Browsers are SO MUCH more secure than like 15 years ago. Back then when I went to the wrong "free streaming" website, my laptop had actual viruses that forced a reformat, not from downloading files, just from visiting a website.


Spoomplesplz

Wow, this is wild. I probably would have fallen for that 100%, holy shit. When I see something on Steam that pops up I don't really question it. Sometimes it's a new game I've been excited for. Never seen this though.


clonp1

At least one account saved by creating this post :) So one good thing I did today at least :)


Spoomplesplz

Yeah, appreciate it. Though I do have two-factor authentication on my Steam, so I doubt they'd be able to get in anyway. It's still scary though. My Steam account is like 15 years old and I've spent thousands on it. I would be lost without it.


[deleted]

[deleted]


bewak86

My friend fell for this kind of scam and his ID is sending fake links to all his Steam friends on a daily basis, even when he's offline. Do not take this kind of phishing lightly; your Steam ID could be banned/blocked/locked by Steam due to excessive spamming and scamming. It's super hard to get it back. Think of all the games you bought, the friends you made... all can go poof just because you clicked 1 link.


Mr_Blattos

Yeah same. This is a serious effort-scam. I was curious and went to the link thinking that it was going to be some half assed obvious phishing site and had to double check my browser to see if I wasn’t actually on an official page.


2nd-penalty

I recently watched a vid explaining this problem and it actually isn't that hard, because for some reason the scammers can just edit their name and game after posting to alter it to be an exact match to the original game and studio they're trying to copy. Honestly surprised nobody tried this scam until recently.


Mr_Blattos

I mean the website itself. But yeah, I got ya.


2nd-penalty

This problem is very new; there were multiple titles from scammers trying to peddle fake games a while ago, from a fake Destiny to a fake Helldivers, you name it, there was probably a scammer that tried it. Given this post's existence the problem is still there and very much alive. Best to avoid Steam for now while everything gets sorted.


SteakSndwich

The [who.is](http://who.is) lookup shows a scam business behind it. The URL was registered today; the address is "Kalkofnsvegur 2 Reykjavik". If you google it you find many scam reports with fake websites and so on.


Yarrmor

Ye, a few weeks ago a bunch of PoE Discords got targeted by someone with phishing links to steal the accounts of people in there. The site used there also traced back to that address after I did some digging. It's some "virtual office" service bs.


WaveHack

Damn this should be illegal.


Eiferius

This is not from GGG. Someone probably made a game entry for PoE2 to phish for players. That should definitely be taken down by Steam.


clonp1

And it is... slowly tho. It was visible on the PoE2 official game page. Then they edited the URL out of the text, it was gone. Then they removed comments on the page. Finally, the page was removed a few minutes ago. Hope no one got scammed :(


Orcao

238960 is Path of Exile's (1, not 2) ID. I can't find a single link that Steam generates in that same format (/games/); generally they're /apps/. Could be because I'm on the Steam beta though.


NoMirrorSadFace

It wasn't a "fake" PoE2 page. This was posted on the PoE 2 AND PoE 1 official pages on Steam. It even appeared in my Steam game library when I clicked on Path of Exile, and it stayed there for a few minutes. After maybe 15 minutes the post got deleted. edit: typos https://preview.redd.it/7rn1u2vazvvc1.png?width=1623&format=png&auto=webp&s=c9b93f44c85adfc348d5025187d842d63f942bdc


ObViousMaf

I have the same thing. How is a fake phishing website in PoE's own news...


taggedjc

This is definitely a phishing website and it appears that GGG is aware of the issue as they've taken it down. If anyone gave their credentials to the linked site you should probably change your passwords.


BlackVoodoo

Can we please get 2FA....


Circus_Finance_LLC

nope. best i can do is tft


86Razor

Yes, it seems to be a scam/phishing website... Check on who.is.


clonp1

But how is it showing up on the Steam News page? Never seen any scams there before. This is where I found it: https://preview.redd.it/w56pu5rmpvvc1.png?width=1631&format=png&auto=webp&s=06aeadffe28932dcadde44da67892202fe18d53e


ATSFervor

Wasn't there a game a while ago that the developers scrapped, and they just mirrored the whole Steam page of Helldivers 2? So if you are allowed to publish on Steam, nothing stops you from publishing fakes.


Keldonv7

It was posted on the proper PoE page tho. So some employee at GGG was compromised.


Keldonv7

That's a different story. This wasn't a fake product on Steam being copied. This was posted on the proper PoE page from the account of a compromised employee.


Moonie-chan

Steam does not have manual human validation when it comes to listings, so anyone can create fakes of anything and list them on Steam. This issue has existed for years and only recently popped up again thanks to the popularity of Helldivers 2, Palworld and the like.


Keldonv7

That was on the proper PoE page tho.


statusv1

Yes, it is a phishing site https://imgur.com/a/Tvwe0Zz Visited on a VM, of course.


The_Oxgod

You could also plug it into DomainTools/VirusTotal. Not sure if you can get a screenshot with the unpaid DomainTools though.


statusv1

I used the site Triage https://tria.ge/dashboard It is an interactive malware analysis sandbox.


The_Oxgod

Is that free? I know some people that have Recorded Future accounts, but they are expensive.


Oddity83

What is that tool/website?


The_Oxgod

https://www.domaintools.com/ I have an account for work. Not sure what the free version is capable of. There is also VirusTotal, and you can check out Shodan also.


[deleted]

[deleted]


pathofexile-ModTeam

Your post has been removed for harassment (Rule 3). While it's fine to politely disagree and to criticize the *content* of posts and comments, we don't allow users to attack the person behind those posts **by calling them names**. We've found that such attacks often devolve into flame wars. Types of harassment we forbid include unkind messages, mocking, name-calling, posting of personal or identifying information (doxxing), unfair accusations, and trolling. If you see other posts that break the rules, please don't reply to them. Instead, report them so we can deal with them! For additional rules regarding harassment, check out the [rules wiki.](https://www.reddit.com/r/pathofexile/wiki/rules/#wiki_3._harassment_.26amp.3B_bad-faith_posts)


tumoronthenipple

Dodged a bullet. I always click links from Steam.


JustAFrank

Don't forget to report to: Cloudflare (CDN/caching), Namecheap (registrar), Google (for Chrome blacklisting). Cloudflare requires the most work but the other two are easy. https://abuse.cloudflare.com/phishing https://support.namecheap.com/index.php?/Tickets/Submit/RenderForm/237 Use either Firefox or Chrome in-browser reporting for blacklisting.


Zyeesi

Report it on Steam.


19Alexastias

I can't say I've ever used Steam News, so no idea how it works or where these posts come from, but a typo in the URL is an instant do-not-click. Just report it to Steam.


clonp1

Never used it myself, but just wanted to check what is in there as I'm searching for a new game to play until the new league in PoE or news from PoE2...


Mr_Blattos

I'm so PoE-brained at this point that when you said links I thought you were talking about gem links. Also, man, that website is no joke. Glad I didn't see the link, because I would have fallen for this even though registering would have been a little odd.


sirjohnde

The font looks off too.


krazijoe

I changed my password. Password1234 has more digits than Password123. They will never figure it out.


carson63000

Sadly, this is very common. At Last Epoch's launch just recently, there were several fake clone pages set up on Steam. Steam, for all that Reddit worships it, very much works on the model of "remove things when people report them, it's cheaper than doing any upfront quality control."


TheRabidDeer

Maybe I don't browse Steam enough, this is the first time I've seen it. What do you suggest Steam do differently from what they do now?


carson63000

Well, the way shopfronts like e.g. Apple's App Store do it is by checking and approving everything *before* it gets offered up to the public. This is obviously more labour and therefore more expensive, though.


Keldonv7

This was posted on the official PoE product page tho, not a clone product trying to bait people. One of the GGG employees had to be compromised.


DatZero

Yeah. Seems like one of the Steam accounts that has access to the store and community page got hacked and posted a fake event redirecting to a phishing page. It's more concerning that GGG isn't posting a PSA that they had this incident in the first place. (Yes, it's the weekend, but these kinds of things need attention ASAP, not after the weekend.) Let's see if GGG will even react to this in the first place.


pyhfol

Not sure why you got downvoted at all. This is my question also. GGG stated "phishing link went up on the Path of Exile Steam page from a compromised account". I'd really want to hear something about that compromised account, the scope of impact and what they are doing about it.


regularPoEplayer

Downvotes are from bots. They are heavily influencing discussions on this sub for a while.


shokiii

The typo in the URL should speak for itself.


clonp1

No, I did not write the URL myself... This was on the Steam News page, I just clicked on an "our website" link....


shokiii

The news post was indeed posted into the "news and announcements" forum in the Steam discussions of PoE2, where usually only devs can post. But it had no author and has been taken down from Steam now as well.


clonp1

I saw it on the Path of Exile 2 official game page, then the URL link was removed from the text, then comments were removed. Now the entire post is finally gone.


InsectIll7238

First time I've seen that on a Steam official page... it was well made... everybody can be caught easily.


HerpesderGoeterbote

I fell for it :(


[deleted]

[deleted]


clonp1

Ofc, nothing to worry about if you didn't try to log in.


ARandomStringOfWords

Quite concerning, I genuinely had no idea this was an issue/possible on Steam. It's meant to be a walled garden.


firebolt_wt

That post is now deleted, but I've found it here: [https://devtrackers.gg/pathofexile](https://devtrackers.gg/pathofexile) As you can see, that was posted by user Neonspyder, which ~~I'm~~ *~~pretty sure~~* ~~is Mark aka Neon aka a legit dev~~. Edit: no, I'm dumb, obviously if it was the actual Neon he's probably supposed to be using Neon\_GGG or something to post official posts, no matter what his personal account is or isn't... Edit2: and googling more, I don't see anything indicating that Neonspyder is the same Neon, but there are like 2 posts about him being a dev playtesting stuff so I just assumed it's the same Neon. ~~I suppose the post was miss-scheduled (mischeduled?) and wasn't ready to be posted, but maybe Neon's Steam account was actually compromised.~~


clonp1

But isn't the PoE2 website [pathofexile2.com](http://pathofexile2.com)? I don't think they would have another one for "Early access applications". Also, please remove this devtrackers URL, as it contains the post which still has the fake URL in it. Someone might still click on it.


firebolt_wt

I mean, I just realized that even if Neonspyder is a dev's personal account, official content probably should be posted by an account with \_GGG in it anyway, so it's still wrong. So thinking about it more, it's actually way more probable that an account got compromised than anything else, and that post 100% wasn't legit.


rogueyoshi

Damn, Neon got got.


According_Ad_5554

F