Steam users warned of sophisticated browser-in-the-browser phishing attack

midian182

In brief: Steam users are being warned about a new attack tricking people into handing over their account credentials via a browser-in-the-browser phishing technique. Competitive and professional gamers are being targeted, as is anyone with a high-value account.

The attacks, highlighted by Group-IB (via Bleeping Computer), use the browser-in-the-browser technique to make a phishing lure appear genuine. The process starts when a target, usually a competitive or pro gamer, receives a direct message inviting them to join a tournament for the likes of League of Legends, Counter-Strike, Dota 2, or PUBG.

The message is a ruse, of course. It links to a professional-looking site for what appears to be an e-sports company that hosts and sponsors tournaments and other competitions. Requesting to join the platform brings up the familiar pop-up window for signing in to Steam. The window is pretty much indistinguishable from the real thing: it offers a selection of 27 languages and a 'create account' option, and its address bar shows what appears to be the genuine Steam login URL, padlock included, as if the connection carried a valid SSL/TLS certificate. It can even be dragged around, resized, and maximized or minimized.

But this isn't a real sign-in pop-up: no separate browser window is ever opened. The "window", title bar, address bar and padlock included, is drawn with HTML, CSS and JavaScript inside the phishing page itself, so the URL it displays has nothing to do with where the typed credentials are actually sent. After a victim enters their credentials, they're taken to a form mimicking the Steam Guard prompt, asking for a 2FA code (if the account has it enabled), which is captured along with the password and adds to the scam's authenticity.

Even if a user becomes suspicious at this point, it's too late: the scammers captured the credentials the moment they were submitted through the fake login window. With full access to the account, the criminals are free to pilfer any virtual goods and do whatever else they want with it.

One way to avoid falling for a browser-in-the-browser attack is to use a JavaScript-blocking extension, since the fake window is built with JS, though blocking scripts breaks many websites. There are also quick manual checks. A genuine login pop-up is a separate browser window, so it can be dragged beyond the edges of the page that opened it; a fake one is just an element on the page and stays confined to the tab's viewport. The URL in a real address bar can be selected and edited, whereas the text in a fake one typically cannot be navigated. And a password manager bound to the real Steam domain will not offer to autofill credentials into a form whose actual origin is the phishing site.

The other, less intrusive protections are the ones that apply everywhere online: be wary of direct messages from strangers and don't click any links they contain, and if something seems too good to be true, it almost certainly is.
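As an added illustration, not code from the article, from Group-IB or from Steam, the following Node.js script turns the key observation above, that a real address bar is browser chrome and can never be part of page content, into a heuristic scanner a defender might run over captured pages in a sandbox or URL-analysis pipeline. It flags a page whose visible text shows a full https:// URL for a domain other than its own origin alongside a password field or a login iframe. The two sample pages, their domain names and the `/collect` endpoint are constructed; the Steam OpenID login URL is assumed to be the one the fake window imitates.

```javascript
// Heuristic detector for browser-in-the-browser (BitB) login windows.
// Added example; not from the article, Group-IB or Steam.
// Idea: a genuine address bar is never page content, so a page whose visible
// text displays a full https:// URL for a host other than its own, next to a
// password field or a login iframe, is most likely rendering fake chrome.
// Deliberately regex-based so it runs with no dependencies.

const URL_RE = /https?:\/\/[a-z0-9.-]+\.[a-z]{2,}(?:\/[^\s"'<>]*)?/gi;
const ANCHOR_RE = /<a\b[^>]*?href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Reduce HTML to what the user sees as text. Anchors whose visible text is a
// URL on the same host as their href are ordinary links and are dropped;
// every other element keeps its text.
function visibleText(html) {
  return html
    .replace(/<script\b[\s\S]*?<\/script>/gi, ' ')
    .replace(/<style\b[\s\S]*?<\/style>/gi, ' ')
    .replace(ANCHOR_RE, (m, href, inner) => {
      const shown = inner.match(URL_RE);
      const honest = !shown || shown.every((u) => hostOf(u) === hostOf(href));
      return honest ? ' ' : inner;
    })
    .replace(/<[^>]+>/g, ' ');
}

// pageUrl is the real top-level URL of the captured page (the one the
// browser's own address bar shows); html is its body.
function detectBitB(pageUrl, html) {
  const pageHost = hostOf(pageUrl);
  const shownUrls = visibleText(html).match(URL_RE) || [];
  const foreignHosts = [...new Set(
    shownUrls.map(hostOf).filter((h) => h && h !== pageHost && !h.endsWith('.' + pageHost))
  )];
  const hasPasswordField = /<input\b[^>]*type\s*=\s*["']?password/i.test(html);
  const hasLoginFrame = /<iframe\b[^>]*src\s*=\s*["'][^"']*(?:login|signin|openid)[^"']*["']/i.test(html);
  const suspicious = foreignHosts.length > 0 && (hasPasswordField || hasLoginFrame);
  return { suspicious, foreignHosts, hasPasswordField, hasLoginFrame };
}

// Constructed phishing page: the "window" is a styled <div> whose fake address
// bar displays the Steam login URL while the form posts to the phishing origin.
// Domain names and the /collect endpoint are invented placeholders.
const PHISH_URL = 'https://tournament-invite.example/join';
const PHISH_HTML = `
<html><body>
<h1>Join the Dota 2 Spring Cup</h1>
<div class="fake-window" style="position:absolute;resize:both">
  <div class="fake-titlebar">Sign In - Steam</div>
  <div class="fake-addressbar">&#x1F512; https://steamcommunity.com/openid/login</div>
  <form action="/collect" method="post">
    <input name="username"><input type="password" name="password">
    <button>Sign in</button>
  </form>
</div>
</body></html>`;

// Constructed benign page: links to Steam honestly and has its own login form.
const BENIGN_URL = 'https://league-site.example/';
const BENIGN_HTML = `
<html><body>
<p>Register on Steam first: <a href="https://steamcommunity.com/">https://steamcommunity.com/</a></p>
<form action="/login"><input name="u"><input type="password" name="p"></form>
</body></html>`;

console.log('phish :', JSON.stringify(detectBitB(PHISH_URL, PHISH_HTML)));
console.log('benign:', JSON.stringify(detectBitB(BENIGN_URL, BENIGN_HTML)));
```

Run it with `node bitb-check.js`. The heuristic errs toward false positives (a help page that quotes a third-party URL in prose and also carries a login form would trip it), so treat a hit as a reason to look at the page, not as a verdict; the user-side test of dragging the "window" outside the browser remains the quickest way to tell a real pop-up from a drawn one.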


trgz

"usually a competitive or pro gamer, receives a direct message inviting them to join a tournament for the likes of League of Legends, Counter-Strike, Dota 2, or PUBG." - I'm safe then

DSirius

Good to know. If any users fall for this scam, they can contact Steam support and ask them to help regain access to and control of their own Steam account. They will have to offer some proof of identity to Steam support, and after Steam checks this it will reinstate their access and control.

Lionvibez

I've seen this attack done just via regular people once one person falls for it. It will just start messaging other people on your friends list with the same fake sign-in page.