Published on: September 14, 2022
Attackers have been stealing Steam login credentials with a campaign built on the increasingly popular Browser-in-the-Browser (BitB) phishing technique.
The technique draws a fake browser window inside the real one, styled to look like the sign-in pop-up of the targeted login service. Because the pop-up is page content rather than a genuine browser window, the address bar it shows, and the URL in it, are under the attacker's control.
On Monday, researchers at Group-IB published a report explaining how a recent campaign used the Browser-in-the-Browser method against Steam users, most notably professional gamers.
The threat actors looked to sell access to those Steam accounts, with some more prominent ones valued between $100,000 and $300,000.
Group-IB reported that the phishing kit used in the Steam campaign isn’t widely available currently in hacking forums or dark web markets. It’s instead used privately by hackers that gather on Discord or Telegram channels to coordinate their attacks.
Potential victims are targeted with direct message invites on Steam to join a team for League of Legends, Counter-Strike, Dota 2, or PUBG tournaments.
The shared links by the threat actors then bring the targets to a phishing site for what looks like an organization sponsoring and hosting esports competitions.
To join a team and play in a tournament, victims are asked to log in with their Steam account. The login window that appears, however, is not a real browser pop-up overlaid on the site; it is a fake window rendered inside the current page with HTML, CSS and JavaScript. Since the URL in its address bar is just text on the page, the usual advice of checking the address bar does not help, which makes the page very hard to recognize as phishing. One check that still works: a real pop-up can be dragged past the edge of the parent browser window, whereas the fake one is clipped at the page boundary because it cannot leave the page that draws it.
The landing pages are localized into 27 languages and select one based on the victim's browser language preferences.
After the victim enters their credentials, the fake window prompts for the Steam Guard 2FA code as well. If the code is rejected, an error message is displayed.
If the login succeeds, the victim is usually redirected to a legitimate address so that they are less likely to realize anything went wrong.
At this point the victim's credentials, and the one-time code typed into the fake window, have been captured and sent to the threat actors. A one-time code only protects an account when it is entered on the genuine site; typed into an attacker-controlled form, it simply completes the attacker's login.
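The defining artifact of the technique described above is that the reassuring URL in the fake pop-up's address bar is ordinary page text, while the browser actually loaded a different host. The following is an added example, not code from Group-IB, from the article, or from the phishing kit it describes: a static check over fetched page HTML that flags a credential form sitting on a page that renders a URL or hostname for another site. The sample HTML, the tournament host `esports-cup.example` and the collector path `/collect.php` are constructed for this example.

```python
"""
Static Browser-in-the-Browser (BitB) indicator check for a fetched page.

Added example for this article, not code from Group-IB or from the kit
the article describes. It targets the property the article explains:
the "window" is drawn inside the page, so the address bar the victim
sees (e.g. https://steamcommunity.com/...) is page text, while the
browser really loaded another host. A password field on a page that
renders a URL or hostname for a different site is the signature checked.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[^\s\"'<>]*)?")
# A text chunk that is nothing but a hostname (a scheme-less bar, as Chrome shows it).
BARE_HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


class PageScan(HTMLParser):
    """Collect visible text chunks, a few text-bearing attributes, and
    whether the page carries a password input."""

    def __init__(self):
        super().__init__()
        self.texts = []
        self.has_password_field = False
        self._skip = 0  # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True
        # A fake address bar is sometimes an <input value="..."> or a title/alt text.
        for key in ("value", "placeholder", "title", "alt"):
            if a.get(key):
                self.texts.append(a[key].strip())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.texts.append(data.strip())


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def bitb_indicators(html, real_host):
    """Scan one page. real_host is the host the browser actually loaded
    (from the request or the browser's own URL bar); page content cannot alter it."""
    scan = PageScan()
    scan.feed(html)
    real_host = real_host.lower()
    findings, displayed = [], set()

    for chunk in scan.texts:
        for url in URL_RE.findall(chunk):
            h = host_of(url)
            if h and h != real_host:
                findings.append(("rendered_url_foreign_host", url))
                displayed.add(h)
        if BARE_HOST_RE.match(chunk) and chunk.lower() != real_host:
            findings.append(("rendered_hostname_foreign_host", chunk))
            displayed.add(chunk.lower())

    return {
        "findings": findings,
        "displayed_hosts": sorted(displayed),
        "has_password_field": scan.has_password_field,
        # BitB signature: a credential prompt plus a spelled-out URL for another host.
        "verdict": scan.has_password_field and bool(displayed),
    }


# Constructed sample (hypothetical host esports-cup.example) in the shape the
# article describes: a tournament site drawing a "Steam" sign-in window in-page.
SAMPLE_PHISH_HTML = """
<html><head><title>Tournament lobby</title>
<style>.win{position:fixed;width:460px;border:1px solid #888}</style></head>
<body>
<h1>Join the Dota 2 team lobby</h1>
<div class="win" id="fake-window">
  <div class="titlebar">Sign In - Steam Community</div>
  <div class="addressbar">&#128274; https://steamcommunity.com/openid/login</div>
  <form action="/collect.php" method="post">
    <input name="username" placeholder="Steam account name">
    <input name="password" type="password">
    <input name="twofactorcode" placeholder="Steam Guard code">
    <button>Sign in</button>
  </form>
</div>
<script>document.getElementById('fake-window').style.left = '30%';</script>
</body></html>
"""

if __name__ == "__main__":
    report = bitb_indicators(SAMPLE_PHISH_HTML, "esports-cup.example")
    for kind, detail in report["findings"]:
        print(f"{kind}: {detail}")
    print("BitB suspect:", report["verdict"])
```

Run against the sample with the real host `esports-cup.example`, the scan reports the rendered `https://steamcommunity.com/openid/login` as a foreign-host URL next to a password field and returns a positive verdict; the same HTML served from `steamcommunity.com` itself produces no finding. The check is a screening heuristic for captured pages, not a defence: a legitimate login page that spells out a third-party URL in nearby text will also trigger it, so in practice it is combined with the drag-the-window test above or restricted to fixed-position containers that mimic window chrome.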