New In-Browser Attack Threatens Steam Users | Gamer on PC
These dodgy hijackers are back, and this is one that gamers in particular need to watch out for, as it targets Steam users.
Group-IB (via Bleeping Computer) reports that a sophisticated Browser-in-the-Browser phishing technique is trapping Steam users. In particular, competitive and professional gamers are targeted with fake direct messages on Steam, inviting them to join tournaments. The user will then navigate to a sleek gaming tournament platform where they will be asked to log in using their Steam credentials and a 2FA code.
Once done, hackers will gain access to the user's account and be able to change its login credentials, making recovery difficult. By the time you regain access, your virtual goods such as skins will likely be gone, your credit card information could be compromised, or the hacker could use your friends list for additional targeting.
By luring users with tournaments, this is an attack that apparently targets competitive and professional players. These accounts are the ones most likely to have expensive virtual goods, with Group-IB claiming that some accounts are worth hundreds of thousands of dollars.
This type of phishing attack is particularly sneaky because it is rendered to mimic a real browser popup. For all intents and purposes, an unsuspecting user would believe they are using a real site, with a security certificate, multiple languages, and a professional design. The fake window can be maximized, minimized, and moved around to make it look more legit.
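Because the fake popup is drawn by the page itself, its "address bar" is ordinary page content, which gives defenders something to look for. The following is an added example, not code from Group-IB or the original article: a heuristic that flags a floating in-page container showing a foreign URL next to a password field. The simplified node shape, the function names and the `tournament.example` host are assumptions made for illustration.

```javascript
// Added example: heuristic Browser-in-the-Browser check over a simplified DOM tree.
// Node shape { id, tag, style, text, attrs, children } is an assumption so this runs in Node.
const URL_RE = /\bhttps?:\/\/([a-z0-9.-]+\.[a-z]{2,})/i;

// Depth-first walk over a node and its descendants.
function* walk(node) {
  yield node;
  for (const child of node.children || []) yield* walk(child);
}

// What a container displays: hosts in URL-looking text, and whether it asks for a password.
function inspectContainer(container) {
  const shownHosts = [];
  let hasPassword = false;
  for (const n of walk(container)) {
    const m = URL_RE.exec(n.text || "");
    if (m) shownHosts.push(m[1].toLowerCase());
    if (n.tag === "input" && n.attrs && n.attrs.type === "password") hasPassword = true;
  }
  return { shownHosts, hasPassword };
}

// Flag floating in-page containers that show a foreign host beside a password field.
// A real popup's address bar is browser chrome, never page text, so this pairing is suspicious.
function findFakeLoginWindows(root, pageHost) {
  const findings = [];
  for (const n of walk(root)) {
    const pos = n.style && n.style.position;
    if (pos !== "fixed" && pos !== "absolute") continue;
    const { shownHosts, hasPassword } = inspectContainer(n);
    const foreign = shownHosts.filter((h) => h !== pageHost.toLowerCase());
    if (hasPassword && foreign.length > 0) findings.push({ id: n.id, foreign });
  }
  return findings;
}

// Constructed sample: a page on tournament.example drawing a draggable "Steam login" div.
const phishingPage = { id: "body", tag: "body", children: [
  { id: "fake-window", tag: "div", style: { position: "fixed" }, children: [
    { tag: "div", text: "https://steamcommunity.com/openid/login" },
    { tag: "input", attrs: { type: "password" } } ] } ] };

// Constructed sample: the site's own floating login modal, with no foreign URL drawn in it.
const benignPage = { id: "body", tag: "body", children: [
  { id: "login-modal", tag: "div", style: { position: "absolute" }, children: [
    { tag: "input", attrs: { type: "password" } } ] } ] };

console.log(findFakeLoginWindows(phishingPage, "tournament.example"));
console.log(findFakeLoginWindows(benignPage, "tournament.example"));
```

This is a triage signal rather than a verdict: a page that renders the URL as an image instead of text would not be caught by this check.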
The general rules of the Internet remain. If something sounds too good to be true, it probably is. Don’t click on links from sources you don’t trust, and carefully filter or ignore direct messages and unknown emails. Whether it’s cryptocurrency, NFTs or CS:GO skins, if something has a dollar value, dodgy scumbags will try to steal it from you. Stay safe out there!