An unreasonably sophisticated phishing attempt

Max Baumann

The other day I used CSGO's "looking to play" feature and nearly lost my Steam account in the most unreasonably sophisticated phishing attempt I have ever seen.

SoloQ is a pain, so when I want to play a CSGO MM I make great use of the "looking to play" feature that was added somewhat recently. After declining the usual 5-10 silver and gold nova lobbies that invite you, another Global (alone) shot me an invite and I joined him.

He sent me an invite to a Discord server with the name "cs.money FACEIT CUP" or something like that, where I joined a voice channel with him (he was alone). His "friend" added me on faceit, and the dude on Discord told me to join a faceit hub with the name "NOVEMBER CSMONEY HUB [OFFICIAL]". It is organized by a player called "csmoneyoff" and not the CS.MONEY Organizer, which was a red flag to me.

This faceit hub was invite only (and only had one member, the organizer). On Discord I was told to go to the rules page and click the link to get an invite. The link looked like faceit.com/csmoney, but had an href to faceit-connects.com, another HUGE red flag. On that site, which looked like a 5 y/o used a website generator and added some faceit logos, there was a call-to-action button. When clicked, you are redirected to a page that looks like the Steam OpenID page (the one you use to authorize third parties), but you are still on the connects domain.
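The two tells described above (link text that reads as one domain while the href points to another, and a Steam sign-in page served from a non-Steam host) can be checked mechanically. The following is an added example, not code from the original post; the sample HTML is constructed, and the function names and the steamcommunity.com login host are assumptions not stated in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Invisible characters that can hide inside link text.
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\ufeff"))
# Link text that itself reads as a host or URL, e.g. "faceit.com/csmoney".
URLISH = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?$", re.I)

def norm(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def shown_host(text):
    """Host the reader believes they are clicking, or None for plain wording."""
    m = URLISH.match(text.translate(ZERO_WIDTH).strip())
    return norm(m.group(1)) if m else None

class LinkAuditor(HTMLParser):
    """Collects (shown_host, actual_host) pairs where the two disagree."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = shown_host("".join(self._text))
        actual = norm(urlsplit(self._href).hostname or "")
        # A subdomain of the shown host is fine; any other host is a mismatch.
        if shown and actual and actual != shown and not actual.endswith("." + shown):
            self.findings.append((shown, actual))
        self._href = None

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

def is_genuine_steam_login(url):
    """Assumption: Steam's OpenID sign-in is served over HTTPS from steamcommunity.com."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == "steamcommunity.com"

# Constructed sample modelled on the rules page described in the post.
SAMPLE = ('<p>Invite: <a href="https://faceit-connects.com/">faceit\u200b.com/csmoney</a>, '
          '<a href="https://www.faceit.com/en">faceit.com</a>, '
          '<a href="https://example.org/">Click here</a></p>')
```

Only anchors whose visible text looks like a domain are compared, so ordinary "Click here" links are not flagged.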

At this point I told him "nice try" and blocked him. I took the time and reported the user who organized the faceit hub, as FACEIT does not allow you to report a Hub (Why?), but the account and the Hub are still online. I also reported the domain to Cloudflare, which now gives you a "Warning: Suspected Phishing Site Ahead!" page when you visit the site. They also informed the hoster (rusonyx.ru), which has not yet gotten back to me.

The hub has 360 followers; let's hope they are all aware enough and did not give away their Steam accounts.

Update: The hub now links to a different phishing domain with the same page. And it's registered to Pablo Escobar?

Screenshot of Whois Entry

It has a phishing warning now, but they have switched to another domain already. I'll keep reporting.

Screenshot of Cloudflare's Phishing Warning