Hackers are launching new attacks to steal Steam credentials using a Browser-in-the-Browser phishing technique that is gaining popularity among threat actors.

The browser-in-browser technique is a trending attack method involving creating fake browser windows in the active window, making it appear as a login pop-up page for a targeted login service.

In March 2022, BleepingComputer was the first to report on the capabilities of this new phishing kit created by a security researcher sird0x. Using this phishing kit hackers create fake login forms for Steam, Microsoft, Google and any other service.

Today, Group-IB published a new report on the subject, illustrating how a new campaign using the “Browser-in-the-Browser” method is targeting Steam users, attacking the accounts of professional gamers.

These phishing attacks aim to sell access to these accounts, with some large Steam accounts being valued between $100,000 and $300,000.

Bait with Tournament Play

Group-IB reports that the phishing kit used in the observed Steam campaign is not widely available in hacking forums or dark web marketplaces. Instead, it’s used privately by hackers who come together on Discord or Telegram channels to coordinate their attacks.

Potential victims are targeted with direct messages on Steam, inviting them to join a team for LoL, CS, Dota 2 or PUBG tournaments.

Links shared by phishing actors will take targets to a phishing site for what appears to be an organization sponsoring and hosting esports competitions.

To join a team and participate in a competition, visitors are asked to log in via their Steam account. However, the new login page window is not an actual browser window overlaid on the existing website, but rather a fake window created in the current page, which makes it very difficult to spot as a scam attack. phishing.

The landing pages even support 27 languages, detecting the language from the victim’s browser preferences and loading the correct one.

After the victim enters their credentials, a new form prompts them to enter the 2FA code. If the second step fails, an error message is displayed.

If authentication succeeds, the user is redirected to a URL specified by the C2, usually a legitimate address, to minimize the chances of the victim making the compromise.

At this point, the victim’s credentials have already been stolen and sent to the threat actors. In similar attacks, threat actors quickly hijack Steam accounts, changing passwords and email addresses to make it harder for victims to regain control of their accounts.

How to Spot a Browser-in-the-Browser Attack

In all browser-to-browser phishing cases, the URL in the phishing window is the legitimate URL because the threat actors are free to display whatever they want since it doesn’t is not a browser window but simply a rendering of a window.

The same goes for the lock symbol of the SSL certificate, indicating an HTTPS connection, creating a false sense of security for the victims.

Worse still, the phishing kit allows users to drag the fake window, minimize, maximize and close it, which makes it very difficult to spot as a fake browser window in the browser.

As the technique requires JavaScript, blocking JS scripts aggressively would prevent the fake login from being displayed. However, most people don’t block scripts because it would break many popular websites.

In general, be wary of direct messages received on Steam, Discord, or other gaming-related platforms, and avoid following links sent by users you don’t know.