Originally posted by Champelliot:

TF2 is about vanity first and gameplay second

As a veteran, I respectfully disagree

Originally posted by AK87:

and u can code java drive by scripts which will disable the prompts it just requires u too find exploits in the browsers

I wouldn't call that a classic drive-by download (please let's not go into that discussion). It's more similar to using (0-day) exploits in Java and Flash. They would get patched very quickly anyway.

There might be ways to obfuscate your drive-by download, but that does not mean you get infected simply by visiting a website without you doing anything (stupid).

I doubt your advanced black hat hacker that might be able to do these kinds of sophisticated attacks, concerns himself with stealing Steam accounts.

The threat we face here is simple phishing and the occasional FreeHat.exe download.

Originally posted by Revobase:

Get an add blocker.

He knows that already and it's not solving the problem, only creating a new one for OP.

Originally posted by AK87:

B: java drive by attack on the other hand is different, java drive by works like this;
hijacker sets up an webpage, he then in the index.hmtl adds a piece of coding with a url to his .exe (which can be a stealer / rat / keylogger whatever he wants as long as it is executeable.

then what happens is that he just needs to post this link ;
http://www.Hijacker.JavaDriveByAttack.com/index.html <----- fake link dont know if it exist :P

normally u would be prompted to run this Java Script, if u accept and click "run" then the java drive by downloads the .exe from the html and executes it without the victim even knowing what hit him and the site would either redirect or just stay on that specific site "keep loading"

if the hijacker also codes and is pretty decent he can remove the the prompt for run and then u pretty much fucked if u press the link :)

Just a few remarks.

Java is not the same as JavaScript. You don't need a Java Applet (or JavaScript) to do drive-by downloads. However you download that .exe, you still actively have to execute it yourself. Not much difference to directly downloading a "FreeHatGenerator.exe".
There is no JavaScript that can "remove the prompt" to execute a download.

A Java or Flash 0-day exploit is a different story, but needs way more skill to set up, is only relatively short lived and very expensive to set up (because 0-day exploits are sold on the black market).
0-day exploits use vulnerabilities (in Java or Flash) to break out of the Sandbox and execute machine code directly without the user knowing. There is no .exe you have to execute manually involved.

But if you update your stuff regularly, like you always should and is done automatically in most cases anyway, the risk of "finding" a Steam hacker that can use a 0-day exploit to hijack your account is pretty slim. I have never heard of such an attack in conjunction with Steam account hijacking (but I also haven't tried hard to find it).

But 0-day exploits are the reason why I have disabled my Java Plugin and use Flashblock.

Originally posted by plutarhs12:

IF this is going to be rejected then i am pretty sure, i will make a ALT and this one wont be for normal trading.

http://www.tf2outpost.com/trade/7792558

How stupid can you be? GTFO!

Hmm, I would say the forum is the right place for that, not a trade. But idk, may be a bit of a grey zone here.

I personally wouldn't mind a whitelist, but then that needs to have some flexibility to add new sites. Also the list has to be published somewhere.
I guess that list would need to be modifiable by mods / admins (e.g. based on forum suggestions), not only Sneeza.
I can already see the complaints like "but I use tinypic, not puu.sh, why can't I link that..." or "I use stats.tf, not tf2stats.net". I guess you catch my drift...

Originally posted by norby89:

Originally posted by Uranium235:

But that is not the case. I visit these sites when I see them regularly (out of "professional" curiosity), and my account is still solely under my control.
The victim has to be active in order for a phishing attack to be successful, not just passive.

Not necesserily. If the attacker can exploit a vulnerability in a browser (I'm sure you've heard about the Java 0-day exploit) and he can gain access to your computer and read say a session cookie (I do hope it's not that easy but it's just an example) then he might use your account without you even noticing.

k, my last comment. That is not a phishing attack. A hole lot harder to use 0-day exploits than just simple phishing - like a completely different world. And that would not make a bit of difference in terms that the evil will always be a step ahead of you much more quickly than you can keep up.

Education is the best defense!

Originally posted by EMP{Shocktrooper}TF2 walmart:

not if its a automated script and he just gets a different vps or something or requests a different ip for his server when its banned cause hes making a crap ton of tf2 items with all of this phishing

I'm sorry, but that makes no sense (given the context). I'm done here, this time for real.

Originally posted by norby89:

but if it can hijack your account by simply visiting it and then spread it like a virus, you see the problem?.

But that is not the case. I visit these sites when I see them regularly (out of "professional" curiosity), and my account is still solely under my control.
The victim has to be active in order for a phishing attack to be successful, not just passive.

Originally posted by norby89:

one step ahead and not let those links posted at all

You are always behind in this game. Compare with SPAM filters.