Steam accounts get stolen using the Browser-in-the-Browser phishing method

Hackers launch new attacks to steal Steam account credentials

Image caption: Hackers target Steam accounts of professional players with tournament messages and browser-in-the-browser windows

Malicious attackers are going after virtual goods with a new browser-in-the-browser attack that threatens Steam users. Researchers report[1] that the sophisticated Browser-in-the-Browser phishing[2] method is being used to steal Steam users' credentials.

These attacks especially target gamers who play professionally. Fake direct messages on Steam invite them to join competitive tournaments, and the victim is tricked into navigating to a slick-looking tournament platform that asks them to log in with their Steam account credentials and a two-factor authentication code.[3]

This particular phishing method is becoming more and more popular among threat actors. A Browser-in-the-Browser attack draws a fake browser window inside the active browser window. Because the sign-in pop-up that appears looks legitimate, the targeted credentials can be collected.

The method is designed to target Steam, Microsoft, Google, and other popular services

Access to account credentials allows threat actors to change the login information and make recovery of the account difficult for the user. Credit card information stored in those accounts can be compromised too, so hackers can spend cryptocurrency funds or go further by using the victim's friends list to target other people with the same phishing method.

By targeting tournament play, attackers aim at competitive and successful gamers.[4] Those accounts hold more expensive virtual goods and even funds; researchers state that such accounts may hold hundreds of thousands of dollars.

These methods are mainly used to mimic real browser pop-up windows for logins on Google accounts and Microsoft pages. In March 2022, many reports surfaced about new phishing kits that use fake login forms for Google, Microsoft, and Steam services.[5] The goal of such attacks is to sell initial access to the accounts of popular Steam users for $100 000 or more.

Spotting the browser-in-the-browser attack in time

The phishing kit discovered in the Steam campaign is not widely available on hacking forums or dark-web markets; hackers who gather on platforms like Telegram or Discord can coordinate these attacks more privately. The kit supports 27 languages and picks the right one from the victim's browser language preferences, so the phishing page loads in the victim's language when it is opened to harvest login credentials.

The compromise of the account is masked by showing an error message right after the victim enters the 2FA code. When the authentication succeeds, the page redirects to a URL specified by the C2 server, a legitimate address, which minimizes the chance of suspicion. The email address and password on the account are changed right away, so the user cannot regain control of the account.

The URL shown on those phishing windows looks legitimate because the pop-up is not a browser window at all, just an image. A padlock symbol for the SSL certificate can also be displayed in the window, so users think the connection is secure. The kit lets users drag the fake window around and maximize, minimize, or close it, so it behaves like a normal browser window.
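The point above is the whole weakness of the technique from a defender's side: the fake window, its address bar and its padlock are ordinary page content, so the "address" the victim sees is just text or an image inside the document, while the origin the document was really served from is something else. The scanner below, added here as an example and not code from the article or from the kit it describes, compares the two over constructed sample pages. The LOGIN_HOSTS set, the sample HTML and the tournament-example.test hostname are assumptions for the example.

```python
"""Heuristic detector for browser-in-the-browser (BitB) overlays in page HTML.

A BitB pop-up is not a browser window: it is ordinary page content (an image
or HTML/CSS) that paints a fake title bar, address bar and padlock. The
"address" it shows is therefore just text inside the document, while the
origin the document was really served from is something else. This scanner
compares the two, the way a proxy, sandbox or browser extension could.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Identity providers the article names as impersonated by BitB kits.
# The set is an assumption for this example; extend it with the providers you use.
LOGIN_HOSTS = {
    "steamcommunity.com",
    "accounts.google.com",
    "login.microsoftonline.com",
    "login.live.com",
}

URL_RE = re.compile(r"https?://([a-z0-9.-]+)[^\s\"'<>]*", re.IGNORECASE)


class _TextCollector(HTMLParser):
    """Gather every string a user could see: text nodes and alt/title/value attributes."""

    def __init__(self):
        super().__init__()
        self.texts = []
        self._skip_depth = 0  # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        for key, value in attrs:
            # Kits sometimes keep the fake address in alt/title/value/placeholder.
            if key in ("alt", "title", "value", "placeholder") and value:
                self.texts.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth and data.strip():
            self.texts.append(data.strip())


def _same_site(host_a, host_b):
    """Crude registrable-domain check: compare the last two DNS labels."""
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]


def find_spoofed_address_bars(html, page_url):
    """Return (displayed_host, reason) findings for login URLs drawn as page content.

    Only URLs pointing at a known login host count, and only when the document
    itself was served from a different site: a real steamcommunity.com page may
    legitimately print its own address, a tournament site may not.
    """
    page_host = urlparse(page_url).hostname or ""
    collector = _TextCollector()
    collector.feed(html)
    findings = []
    for text in collector.texts:
        for match in URL_RE.finditer(text):
            shown_host = match.group(1).lower()
            if shown_host in LOGIN_HOSTS and not _same_site(shown_host, page_host):
                findings.append(
                    (shown_host, f"login URL rendered as page text on {page_host}")
                )
    return findings


# Constructed sample of a BitB page on a look-alike tournament domain. It is
# illustrative only and is not taken from the kit described in the article.
SAMPLE_BITB_PAGE = """
<html><body>
<div class="fake-window" draggable="true">
  <div class="titlebar">Sign in - Steam</div>
  <div class="addressbar"><img src="lock.png" alt="Secure connection">
    https://steamcommunity.com/openid/login</div>
  <iframe src="/kit/steam_form.html"></iframe>
</div>
</body></html>
"""

# Constructed benign page: a URL in running text that is not a login host.
SAMPLE_BENIGN_PAGE = "<html><body><p>Docs: https://docs.example.net/start</p></body></html>"


if __name__ == "__main__":
    for label, html, url in [
        ("bitb", SAMPLE_BITB_PAGE, "https://tournament-example.test/lobby"),
        ("benign", SAMPLE_BENIGN_PAGE, "https://example.net/"),
        ("real steam", SAMPLE_BITB_PAGE, "https://steamcommunity.com/openid/login"),
    ]:
        print(label, find_spoofed_address_bars(html, url))
```

The scan flags the constructed tournament page, stays quiet on the benign page, and stays quiet when the same markup is served from steamcommunity.com itself, because there the displayed address and the real origin agree. Its blind spot is the case the article mentions: an address bar that is purely an image with no alt text carries no URL string to match, so text scanning is only one layer. The manual check that survives that case is to try dragging the pop-up past the edge of the browser window: a real pop-up is a separate window and can leave the parent, while a fake one is page content and stays clipped inside the page.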

The technique requires JavaScript, so aggressively blocking scripts could prevent those fake login forms from appearing, but many people do not block scripts because frequently visited websites could break. To avoid these attacks, be cautious about the direct messages you receive on Steam, Telegram, Discord, or other game-related platforms and pages, and never click a suspicious link sent out of the blue.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
