Steam phishing scam promises free Discord Nitro — don't fall for it

[Image: Steam website. Image credit: Photo Oz | Shutterstock]

A new phishing scam tries to steal your Steam credentials by promising a free month of Discord Nitro, which is worth a whopping $9.99.

But it's a trick, said Malwarebytes' Jovi Umawing in a blog post yesterday (Nov. 2). The phony Steam sign-in pop-up on the Discord page doesn't do anything except make off with your Steam username and password.

If you have no idea what we're talking about, Steam is a very popular online platform that sells PC (and Mac and Linux) games. Discord is a messaging platform that's very popular among people who play online games. Discord is basically free, but there's a subscription tier called Nitro that brings extra benefits and costs $9.99 per month or $99.99 per year.

Naughty Nitro offer leads nowhere

Umawing explained that Discord users will see a random direct-message pop up in their feed promising a free month of Nitro: "Just link your Steam account and enjoy," the message says.

Never mind that Steam and Discord are different companies and normally wouldn't be giving away each other's stuff. Click on the embedded link, Umawing said, and you'll be taken to what looks like a real Discord page with a big fat purple button in the middle labeled "Get Nitro."

That in turn generates what looks like a Steam sign-in window, but as Umawing noted, "it's actually not a separate window but a part of the website itself."

If you do log into the fake Steam login window, you'll be told that the login attempt failed and that "the account name or password that you have entered is incorrect," whether that's true or not. No matter — the scammers now have your Steam username and password and can do with them what they will.

The links to these phishing pages seem like something that might be legitimate: discord-nitro.com, appnitro-discord.com, discord-steam-promo.com and so on. Umawing said there are more than 100 of these bogus web addresses waiting to lure in online gamers.
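The look-alike addresses above all share one tell: they contain a brand name ("discord", "steam", "nitro") without being a domain the real services use. The following Python is an added example, not code from this article or from Malwarebytes, showing how a Discord server moderator or a mail/chat filter could flag such links. The allowlist of official domains and the sample direct message are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of registrable domains the real services use.
# This is an assumption for the example, not a list from the article.
OFFICIAL_DOMAINS = {
    "discord.com", "discordapp.com", "discord.gg",
    "steampowered.com", "steamcommunity.com",
}
# Brand words whose presence in a non-official host marks a look-alike.
BRAND_KEYWORDS = ("discord", "steam", "nitro")

# Matches bare hostnames and http(s) URLs in free text; the TLD must be
# alphabetic so prices such as "9.99" are not picked up.
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def hostname(url: str) -> str:
    """Lower-cased host of a URL; a bare hostname gets a scheme prepended first."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of a host, e.g. 'store.steampowered.com' -> 'steampowered.com'.
    Two-label public suffixes such as co.uk are not handled in this example."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(url: str) -> str:
    """'official' if the registrable domain is allowlisted, 'lookalike' if any
    brand keyword appears anywhere in the host (this also catches
    'discord.com.something-else.net'), otherwise 'unrelated'."""
    host = hostname(url)
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    if any(keyword in host for keyword in BRAND_KEYWORDS):
        return "lookalike"
    return "unrelated"


def find_suspicious_links(text: str) -> dict:
    """Map every non-official link found in a message to its verdict."""
    findings = {}
    for match in URL_RE.findall(text):
        url = match.rstrip(").,;")  # drop sentence punctuation glued to the link
        verdict = classify_link(url)
        if verdict != "official":
            findings[url] = verdict
    return findings


# Constructed sample direct message modelled on the lure the article describes.
SAMPLE_DM = (
    "Hey! You got a free month of Discord Nitro for $9.99 value. Just link your "
    "Steam account and enjoy: https://discord-nitro.com/claim "
    "(real Nitro page: https://discord.com/nitro)"
)

if __name__ == "__main__":
    for url, verdict in find_suspicious_links(SAMPLE_DM).items():
        print(f"{verdict}: {url}")
```

Checking the registrable domain against an allowlist, rather than looking for the brand name in the URL, is what keeps the real `discord.com/nitro` link out of the findings while still catching every host that merely borrows the name.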

We tried out one of these malicious URLs and were redirected to a site that wanted us to install a Chrome browser extension to continue. No thanks — dodgy extensions are one of the most dangerous things to install in a browser, as they can steal passwords, spy on your browsing history and so on.

How to protect your Steam account

To avoid being taken in by this scam or similar ones, the first thing you want to do is enable two-factor authentication on your Steam account. Steam does this through the Steam mobile app, which contains a one-time-passcode generator called Steam Guard that you must use when you log into Steam from a new device.

Make sure your Steam password, and your Discord one as well, are long, strong and unique. Here's how to make a strong password. You should also consider using one of the best password managers to keep track of all those passwords.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.