Steam phishing scam promises free Discord Nitro — don't fall for it


A new phishing scam tries to steal your Steam credentials by promising a free month of Discord Nitro, which is worth a whopping $9.99.

But it's a trick, said Malwarebytes' Jovi Umawing in a blog post yesterday (Nov. 2). The phony Steam sign-in pop-up on the Discord page doesn't do anything except make off with your Steam username and password.

If you have no idea what we're talking about, Steam is a very popular online platform that sells PC (and Mac and Linux) games. Discord is a messaging platform that's very popular among people who play online games. Discord is basically free, but there's a subscription tier called Nitro that brings extra benefits and costs $9.99 per month or $99.99 per year.

Naughty Nitro offer leads nowhere

Umawing explained that Discord users will see a random direct-message pop up in their feed promising a free month of Nitro: "Just link your Steam account and enjoy," the message says.

Never mind that Steam and Discord are different companies and normally wouldn't be giving away each other's stuff. Click on the embedded link, Umawing said, and you'll be taken to what looks like a real Discord page with a big fat purple button in the middle labeled "Get Nitro." 

That in turn generates what looks like a Steam sign-in window, but as Umawing noted, "it's actually not a separate window but a part of the website itself."

If you do log into the fake Steam login window, you'll be told that the login attempt failed and that "the account name or password that you have entered is incorrect," whether that's true or not. No matter — the scammers now have your Steam username and password and can do with them what they will.

The links to these phishing pages seem like something that might be legitimate: discord-nitro.com, appnitro-discord.com, discord-steam-promo.com and so on. Umawing said there are more than 100 of these bogus web addresses waiting to lure in online gamers. 
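
For anyone filtering links on a Discord server or a home network, here is one way to sort addresses like these from the real thing. This is an added example, not code from Malwarebytes or from this article; the list of official domains, the brand keywords and the sample links are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Assumption: official domains of the two services (not listed in the article).
OFFICIAL = {"discord.com", "discord.gg", "discordapp.com",
            "steampowered.com", "steamcommunity.com"}
# Assumption: brand words that make a non-official host worth a closer look.
BRANDS = ("discord", "steam")

# Constructed sample input: the three hosts named in the article plus
# made-up links for contrast.
SAMPLE_LINKS = [
    "https://discord-nitro.com/claim",
    "appnitro-discord.com",
    "http://discord-steam-promo.com/login",
    "https://store.steampowered.com/login",
    "https://discord.com.promo.example/nitro",
    "https://example.org/news",
]


def hostname(link: str) -> str:
    """Return the lowercase host of a URL or of a bare domain."""
    if "://" not in link:
        link = "//" + link  # lets urlsplit parse a bare domain as a host
    return (urlsplit(link).hostname or "").rstrip(".")


def is_official(host: str) -> bool:
    """True only for an official domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)


def classify(link: str) -> str:
    host = hostname(link)
    if not host:
        return "invalid"
    if is_official(host):
        return "official"
    # A brand word anywhere in a non-official host, including an official
    # name used as a prefix (discord.com.promo.example), marks a lookalike.
    return "lookalike" if any(b in host for b in BRANDS) else "unrelated"


def triage(links):
    """Group links by verdict so lookalikes can be reviewed or blocked."""
    groups = {}
    for link in links:
        groups.setdefault(classify(link), []).append(link)
    return groups
```

Only the official-domain match is decisive; the brand-word match flags a link for review and will also catch harmless names that happen to contain "steam" or "discord."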

We tried out one of these malicious URLs and were redirected to a site that wanted us to install a Chrome browser extension to continue. No thanks — dodgy extensions are one of the most dangerous things to install in a browser, as they can steal passwords, spy on your browsing history and so on.

How to protect your Steam account

To avoid being taken in by this scam or similar ones, the first thing you want to do is enable two-factor authentication on your Steam account. Steam does this through the Steam mobile app, which contains a one-time-passcode generator called Steam Guard that you must use when you log into Steam from a new device.

Make sure your Steam password, and your Discord one as well, are long, strong and unique. Here's how to make a strong password. You should also consider using one of the best password managers to keep track of all those passwords.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
