Steam users are targeted by a sophisticated browser-in-browser attack
Steam users are being targeted by a clever new in-browser phishing scheme disguised as a legitimate Steam message. According to cybersecurity firm Group-IB, the campaign specifically targets professional and competitive gamers, sending them fake tournament invites through the platform’s messaging system.
Clicking on the attached link will redirect you to a professional-looking tournament website where you will be asked to log in to Steam and enter a two-factor authentication code. Upon login, hackers will have full access to your account and can even change your login credentials, which will make account recovery extremely difficult. From there, hackers can steal anything of value from your account, including unopened skins or games, and maybe even your credit card information. They can also use your friends list to send more phishing invites.
The fact that they use tournament invites to lure victims limits their targets to competitive and professional gamers. These are also the accounts that are likely to have expensive skins or other virtual goods. Group-IB claims that some professional player accounts could be worth hundreds of thousands of dollars.
Browser-in-browser (BitB) attacks are much more likely to succeed in stealing login credentials and personal information because they look like genuine, legitimate login pages. The fake login window can be moved, minimized, maximized and closed, and even shows a fake SSL padlock icon, a legitimate-looking URL, multiple language options and, in the case of Steam, a fake Steam Guard prompt. In many cases, they even show a warning about saving your data to a third-party resource.
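The giveaway in a browser-in-browser page is that the "address bar" is just painted text: the trusted URL it displays never matches the origin the page is actually served from. The following Python heuristic is an added illustration, not code from the article or from Group-IB. It parses a page with the standard library, compares every URL-like text fragment against the real page origin, and flags a trusted-looking URL shown on an untrusted origin, escalating when a password field sits alongside it. The allow-list of Steam domains, the `cup-invite.example` host and both sample pages are constructed assumptions; in practice the same check would run against the live DOM from a browser extension.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list of registrable domains on which a real Steam login page can live.
TRUSTED_STEAM_DOMAINS = ("steamcommunity.com", "steampowered.com")

# Matches URL-like text such as a fake address bar would display.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_matches(host, allowed):
    """True only for an exact match or a real subdomain of an allowed domain.

    A substring check would accept 'steamcommunity.com.evil.example'; this does not.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


class _PageCollector(HTMLParser):
    """Collects visible text fragments and counts password inputs."""

    def __init__(self):
        super().__init__()
        self.texts = []
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        if tag == "input" and dict(attrs).get("type", "").lower() == "password":
            self.password_inputs += 1

    def handle_data(self, data):
        text = data.strip()
        if text:
            self.texts.append(text)


def analyse_page(page_url, html):
    """Return a list of findings for one rendered page.

    A browser-in-browser page is hosted on the attacker's origin but paints a
    fake window whose address bar shows a trusted URL. The tell is therefore
    trusted-looking URL text on a page whose real origin is not trusted.
    """
    real_host = urlsplit(page_url).hostname or ""
    collector = _PageCollector()
    collector.feed(html)

    findings = []
    for text in collector.texts:
        for url in URL_RE.findall(text):
            shown_host = urlsplit(url).hostname
            if (shown_host and host_matches(shown_host, TRUSTED_STEAM_DOMAINS)
                    and not host_matches(real_host, TRUSTED_STEAM_DOMAINS)):
                findings.append(
                    f"page served from {real_host} displays trusted URL text for {shown_host}")
    if findings and collector.password_inputs:
        findings.append("password field inside the spoofed window: likely browser-in-browser login")
    return findings


# Constructed sample: a lookalike "tournament" page that paints a fake Steam login window.
SPOOFED_PAGE_URL = "https://cup-invite.example/tournament/login"
SPOOFED_PAGE_HTML = """
<html><body>
  <h1>Pro Cup Qualifier - sign in with Steam</h1>
  <div class="fake-window" draggable="true">
    <div class="fake-titlebar">Sign in - Steam</div>
    <div class="fake-addressbar">Secure | https://steamcommunity.com/openid/login</div>
    <form action="/collect" method="post">
      <input type="text" name="username">
      <input type="password" name="password">
      <input type="text" name="steamguard" placeholder="Steam Guard code">
    </form>
  </div>
</body></html>
"""

# Constructed sample: a login form on a trusted origin, which must not be flagged.
GENUINE_PAGE_URL = "https://steamcommunity.com/login/home/"
GENUINE_PAGE_HTML = """
<html><body>
  <form action="/login/dologin" method="post">
    <input type="text" name="username">
    <input type="password" name="password">
  </form>
  <p>Need help? https://help.steampowered.com/</p>
</body></html>
"""

if __name__ == "__main__":
    for url, html in ((SPOOFED_PAGE_URL, SPOOFED_PAGE_HTML), (GENUINE_PAGE_URL, GENUINE_PAGE_HTML)):
        print(url, "->", analyse_page(url, html) or ["no findings"])
```

The origin comparison is deliberately done with `host_matches` rather than a substring test, because the same lookalike tricks the article describes (a legitimate-looking URL) are exactly what a naive `"steamcommunity.com" in host` check falls for.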