The theft of Steam accounts, like that of other massive game services, is the order of the day and since Group-IB have detailed the latest malicious campaign that uses a phishing technique known as Browser-in-the-Browser which is gaining popularity among hackers.
This technique is an attack method that involves creating fake browser windows within an active window, posing as a legitimate login pop-up page for a given Internet service. The objective is steal user credentials.
Although no one is safe because the same technique can be used against any user and service, the Steam campaign at hand is preferably looking for professional players whose accounts can be worth a whopping $100,000. Potential victims receive direct messages on Steam, inviting them to join a team for LoL, CS, Dota 2, or PUBG tournaments.
The links will lead targets to what appears to be an organization that sponsors and organizes esports competitions. It really is a site controlled by the assailants and very well done according to the investigation. The landing pages support 27 languages, detecting the same one from the victim’s browser preferences and loading the correct one.
Once the victim enters their credentials, a new form asks them to enter the 2FA code. If authentication is successful, the user is redirected to a specified URL controlled by the hackers’ command-and-control server, usually a legitimate address to minimize the chances of the victim noticing the scam.
In this point, the victim’s credentials have already been stolen and changed passwords and email addresses to make it harder for victims to regain control of their accounts.
Stealing Steam Accounts Beware!
The attacks Browser-in-the-Browser are difficult to detect because the additional URL created looks legitimate as the attackers are free to display whatever they want, not being a browser window but just a rendering. The same applies to the lock symbol on the SSL certificate that indicates an HTTPS connection, creating a false sense of security for victims. But like other malicious campaigns all part of the same, phishing.
Worse yet, users can drag the fake window, minimize it, maximize it, and close it, making it very difficult to detect as an attack. Since the technique requires JavaScript, aggressive blocking of JS scripts would prevent the fake login from being displayed. However, most users do not block these scripts as they would not load or prevent popular web pages from working properly.
The solution to be safe from account theft would be prior to everything described and implies beware of phishing because it is the great computer attack of our days together with Ransomware. You have to know the general advice by heart, but in particular for gaming services, be very careful with direct messages received on Steam, Discord and other platforms and never follow links sent by users you do not know.
