#FACEIT/STEAM phishing scam, browser poisoning, cred/acc stealer, API stealer.


fickle hound

Today I was added on Steam by 76561199057335745
(hxxps://steamcommunity[.]com/profiles/76561199057335745/).
He proceeded to message me a wave emoji, asked if I wanted to play Dota as he had a 4-man group, and invited me to a Discord call.
They then proceeded to tell me I needed to sign up for FACEIT, for which they referred me here:
(hxxps://www.faceit[.]com/en/organizers/10a44fb9-84f6-4729-ab72-146cf0fe3cfc/BT)
From here they asked me to click the social button, which took me to hxxps://www.twitch[.]tv/faceitorganizer/about,
where the buttons took me to another page,
hxxps://faceit.v2mainconnect[.]com/,
where the page then attempted to steal my creds by doing a trusted bounce.

Escalation Path
Steam → Discord (invite)
Discord → FACEIT "organizers" page (BT)
Redirect to Twitch: twitch[.]tv/faceitorganizer
Twitch profile banner → external redirect → hxxps://faceit[.]v2mainconnect[.]com

Detection
• Suspicious domain: faceit[.]v2mainconnect[.]com
• Fake Steam OpenID redirect:
hxxps://steamcommunity[.]com/openid/loginform/...return_to=hxxps://oldlsssq[.]si/...realm=hxxps://gfkylxei[.]ka
• Malicious redirect domains: oldlsssq[.]si, gfkylxei[.]ka
• Cloudflare Radar scan: hxxps://radar.cloudflare[.]com/scan/ffff0b8f-e662-4899-bf2d-01a0e11f4a54/network
• Not the legitimate FACEIT domain (faceit[.]com)

Indicators of Compromise (IOCs)
• Primary domain: faceit[.]v2mainconnect[.]com
• Steam profile: 76561199057335745
• Twitch account: faceitorganizer
• Redirect domains: oldlsssq[.]si, gfkylxei[.]ka

Notes
Likely credential harvesting / malware delivery campaign.
Multi-platform chain: Steam → Discord → Twitch → Fake FACEIT site.
Trusted Bounce
Browser Poisoning

Flow: User sees real Steam login → trusts it → after success, Steam redirects to attacker site with OpenID response → attacker page asks for API key / trade confirmations / wallet codes.
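A defender-side check for the tell described in the Detection and Flow lines, added here as an example and not part of the original post: it refangs a Steam OpenID login link, pulls out the return_to and realm parameters, and flags any link that would bounce the signed OpenID response to a host other than the expected relying party. The allow-list, the callback paths and both sample URLs are constructed; only the attacker domains are taken from the post.

```python
from urllib.parse import parse_qs, urlparse

# Constructed allow-list of expected relying-party hosts (the post names faceit.com as legitimate).
TRUSTED_RELYING_PARTIES = {"faceit.com", "www.faceit.com"}


def refang(text):
    """Turn defanged notation (hxxps://, [.]) back into a parseable URL."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def _host(url):
    return (urlparse(url).hostname or "").lower()


def analyze_steam_openid_url(defanged_url):
    """Return findings for a Steam OpenID login link; [] means consistent.

    In a trusted bounce the steamcommunity.com login page is genuine; the
    attacker controls only openid.return_to (where Steam posts the signed
    response) and openid.realm (the site it is for), so inspect those.
    """
    url = refang(defanged_url)
    p = urlparse(url)
    if (p.scheme != "https" or _host(url) != "steamcommunity.com"
            or not p.path.startswith("/openid/")):
        return ["not a steamcommunity.com OpenID endpoint"]
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    # The post quotes bare names (return_to/realm); real links use the 'openid.' prefix.
    return_to = q.get("openid.return_to") or q.get("return_to") or ""
    realm = q.get("openid.realm") or q.get("realm") or ""
    rt_host, realm_host = _host(return_to), _host(realm)
    findings = []
    if rt_host not in TRUSTED_RELYING_PARTIES:
        findings.append(f"return_to sends the OpenID response to {rt_host!r}")
    if realm_host not in TRUSTED_RELYING_PARTIES:
        findings.append(f"realm {realm_host!r} is not a trusted relying party")
    # OpenID requires return_to to lie within realm; two unrelated throwaway
    # hosts, as in the URL quoted in the post, is a strong phishing tell.
    if rt_host != realm_host and not rt_host.endswith("." + realm_host):
        findings.append(f"return_to host {rt_host!r} is outside realm {realm_host!r}")
    return findings


# Constructed samples: the first mirrors the shape of the URL quoted in the post (attacker
# domains from the post, paths made up); the second is a FACEIT-bound login with a placeholder callback.
SUSPECT = ("hxxps://steamcommunity[.]com/openid/login?openid.mode=checkid_setup"
           "&openid.return_to=hxxps://oldlsssq[.]si/cb&openid.realm=hxxps://gfkylxei[.]ka")
BENIGN = ("https://steamcommunity.com/openid/login?openid.mode=checkid_setup"
          "&openid.return_to=https://www.faceit.com/callback&openid.realm=https://www.faceit.com")

if __name__ == "__main__":
    for label, link in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, analyze_steam_openid_url(link) or ["consistent with FACEIT"])
```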