
‘Browser-in-the-browser’ phishing stealing Steam accounts


A new type of scam on Steam was reported this week, in which attackers use a phishing method called browser-in-the-browser to steal users’ credentials. Attackers reportedly target competitive and successful gamers, luring them via direct messages to sign in to a fake tournament website. Users then enter their Steam credentials along with their two-factor authentication codes.

This method has grown more popular among attackers on the platform. It utilizes a fake browser window and fake registration pop-up, which is carefully made to look legitimate. Aside from Steam, this method has also been used to target other online services, including Google and Microsoft, to steal valuable information, such as credit cards.

While this method might be new on Steam, the phishing kit was first reported in March this year after a fake browser pop-up window had been made for Google and Microsoft accounts. The goal of stealing a well-known Steam account is to sell it to interested users. Reports noted that prices varied but might reach above $100,000 each for a popular account.

New phishing method on Steam

Phishing scams are nothing new in video games. Gamers are already well-versed in not clicking any suspicious links, especially when sent via direct messages. However, phishing methods have evolved throughout the years. The best example would be the complex browser-in-the-browser phishing technique.

According to Singapore-based security firm Group-IB, the new phishing technique came out of nowhere earlier this year; a security researcher using the moniker mr.d0x was the first to describe the method in detail, in March. Explaining the new malicious attack, mr.d0x wrote that it mimics the authentication pop-up often shown when users log in to a website via Google, Microsoft, or Apple.

The browser-in-the-browser technique replicates not only an entire website but also this pop-up browser window. To the naked eye, and to those unfamiliar with basic computer programming, telling a real pop-up window from a fake one is difficult, since the method makes the two barely distinguishable.

This method was then used by attackers to lure in professional gamers and invite them to sign into a tournament via direct messages on Steam. The fake pop-up window has its own pseudo-security certificate. Also, like the real ones, it can be moved around and minimized and even supports other languages.

“To lure victims to a bait webpage that contains a login button, threat actors send messages to users offering various appealing offers: to join a team for an LoL, CS, Dota 2, or PUBG tournament, to vote for the user’s favorite team, to buy discounted tickets to cybersport events, and more,” Group-IB wrote.

Bleeping Computer wrote that the browser-in-the-browser method uses JavaScript. Gamers can therefore take an early precaution by using a script-blocking extension that prevents the code from running.
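A defender-side triage heuristic for the fake pop-up described above, as an added example that is not code from Group-IB, Bleeping Computer or mr.d0x. It assumes a genuine sign-in pop-up is a separate browser window, so a provider URL rendered as page text beside a password field on an unrelated host is a warning sign; the provider list, the function names and the host tournament.example are illustrative.

```javascript
// Added example: flag saved page HTML that draws a login provider's URL as page
// text next to a password field while being served from an unrelated host.
// Assumption: in a real pop-up the URL is shown by the browser, not by the page.
const PROVIDER_HOSTS = [ // illustrative list, extend for your environment
  'steamcommunity.com', 'store.steampowered.com',
  'accounts.google.com', 'login.microsoftonline.com',
];

// True when host is the provider itself or one of its subdomains.
function isSameSite(host, provider) {
  return host === provider || host.endsWith('.' + provider);
}

// Text a user could see: drop script/style bodies, then all tags.
function visibleText(html) {
  return html
    .replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, ' ')
    .replace(/<[^>]*>/g, ' ')
    .toLowerCase();
}

function bitbIndicators(pageUrl, html) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const text = visibleText(html);
  const hasPasswordField =
    /<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(html);
  const spoofedHosts = PROVIDER_HOSTS.filter(
    (p) => text.includes(p) && !isSameSite(pageHost, p));
  return {
    pageHost,
    hasPasswordField,
    spoofedHosts,
    suspicious: hasPasswordField && spoofedHosts.length > 0,
  };
}

// Constructed sample: a page-drawn "window" with a fake address bar and form.
const SAMPLE_HTML =
  '<div class="titlebar">Sign in</div>' +
  '<div class="addr"><span>https://</span>steamcommunity.com/openid/login</div>' +
  '<form><input type="password" name="pw"></form>';

console.log(bitbIndicators('https://tournament.example/join', SAMPLE_HTML));
console.log(bitbIndicators('https://steamcommunity.com/login/home', SAMPLE_HTML));
```

A login form loaded in an iframe is not visible in the outer page's HTML, so the frame's own HTML has to be checked as well; a hit is a prompt for manual review, not a verdict.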

Group-IB added that there were over “150 fraudulent resources mimicking Steam” and that there had been cases of Steam users with more than 100 games in their account library losing their accounts to phishing.