"How does the fraudster actually access the account? I have mobile authenticator enabled?!
You may attempt to log into one of these fake sites, under the impression that you're visiting the real deal. There's no shame in admitting that, plenty of smart people have fallen for it.
There are a number of tricks scammers have used to make fake-looking Steam login pages, but one of the more recent is a rather convincing fake popup.
If you enter your username and password, they won't be passed directly to Steam. Instead, they'll be sent to a remote server or computer, where the scammer will automatically try and log themselves in with the information you entered.
If you provide incorrect information, the server will pass that back to you, showing you Steam's invalid details error message, just like you'd expect from the real Steam login page.
If you provide the correct information - which the phishing site can tell by trying your password - the server will then ask for your mobile authenticator code in a realistic-looking second dialog asking for your code. If you enter your code (please don't), the server uses it to fully log in to your Steam account.
NOTE: These scammers won't be able to directly confirm trades as they don't have access to your mobile authenticator, but as we'll see, they can effectively work around it.
What happens once the scammer has access to your account?
Once the fraudster has access to a Steam account, they generate a Steam API key for the Steam account. They no longer need to be logged into your Steam account at this point, but they may still remain logged in as a fallback option. Scammers count on victims not knowing what an API key is, much less that Steam has them or the level of control over your account such keys provide.
Using your API key, among other things, the scammer can accept (but not confirm), decline, and cancel trade offers automatically, and they can continue doing this forever."
This must be the key.
I don't know if he did any of that or will admit it, but after looking around a lot, this is still the only option I know.
I could also bet he uses Chrome. Those scams look a lot more real with Chrome.