Hackers Employ New Phishing Tactics to Heist Steam Credentials


Hackers are using a new phishing technique known as Browser-in-the-Browser (BitB) to pry away credentials from users on the popular gaming platform Steam. According to cybersecurity researchers at Group-IB, the technique allows attackers to create a fake pop-up Steam login within the browser, which looks identical to the legitimate window.

While most phishing resources open malicious sites in a new tab, this attack opens a pop-up window in the same tab. The legitimate Steam website also uses a pop-up window for user authentication, which makes the credential-snaring scheme all the more convincing.

The Computer Emergency Response Team at Group-IB detailed their findings in a blog post early Tuesday. The team found 150 “fraudulent resources” impersonating Steam in July 2022 alone. Users with Steam accounts (an estimated 120 million gamers use the platform) can buy, create, play and discuss online computer games from both major and indie developers.

According to the research team, some accounts are worth between $100,000 and $300,000.

Attackers Lure Potential Victims to Fake Webpages

The attack begins with the hackers luring their victims to a fake webpage that contains the phishing resource. The hackers use a variety of tricks to do so, including sending invites to join gaming tournaments for Counter-Strike, League of Legends, or DOTA 2 via direct messages.

Other ploys offer users the opportunity to buy discounted tickets to cybersports events. The attackers are also known to provide links to malicious sites in gameplay streams on YouTube.

Once on the website, clicking on almost any button triggers the fake Steam login pop-up window. The pop-up appears to be almost indistinguishable from a legitimate window, experts said.

“It has a fake green lock sign, a fake URL field that can be copied, and even an additional Steam Guard window for two-factor authentication,” Group-IB’s CERT team stated.

If a victim enters their credentials, the information goes directly to the attackers. Furthermore, after entering the details the victim is redirected to a legitimate website. As a consequence, the user does not suspect any malicious activity.

What We Know About Browser-in-the-Browser (BitB)

Security researcher mr.d0x first brought the BitB technique to the cybersecurity community’s attention in March of this year. BitB is especially worrying since it does not contain the usual phishing giveaways, such as questionable URLs or unsecured domain warnings.

The BitB pop-up window can be customized to appear exactly like a legitimate site, and a user can also drag and move it around. The Steam phishing window even allows users to switch between 27 interface languages. Another peculiar feature of the phishing kit is that it is not open for sale on dark web marketplaces. Usually, these kinds of kits or phishing-as-a-service schemes are available to anyone willing to carry out such an attack.

“The campaigns are carried out by hacker groups who come together on underground forums or Telegram channels and use Telegram or Discord to coordinate their actions,” Group-IB’s blog post states.

How to Protect Yourself from BitB Phishing Attacks

It is important to always treat unsolicited DMs and links with suspicion. Make sure you verify the identity of the sender before opening the link. Even if you know the sender, you should proceed with caution as their account may be compromised.

BitB techniques can render very realistic impersonations. However, according to Group-IB, here are a few things you can do to spot a fake window:

  • Check the pop-up window’s header design and address bar for inconsistent fonts or control button designs.
  • Check the taskbar and verify if, in fact, a new window opened up.
  • Try to minimize and maximize the window. If you are unable to do so, the pop-up is a fake.
  • Click on the lock symbol in the address bar. If it does not display SSL certificate information, it is inauthentic.
  • Try to enter a different URL into the address bar. A fake pop-up window will have a non-functional address bar.
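
The checks above are manual, but the same idea can be automated wherever the page's DOM can be inspected, such as in a browser extension or a crawler triaging reported links: a real pop-up is a separate browser window, so a page that draws a URL for another host next to a password field inside its own DOM is suspect. The JavaScript below is an added example, not code from Group-IB or Steam; the function names, the sample page and the `cs-tournament.example` host are constructed, and the heuristic assumes the fake address bar is rendered as text rather than as an image.

```javascript
// Added example (heuristic only, not Group-IB's or Steam's code).
// Text an element shows by itself: an input's value or a leaf's text.
function displayedText(el) {
  if (el.tagName === 'INPUT') return el.type === 'password' ? '' : (el.value || '');
  return el.children.length === 0 ? (el.textContent || '') : '';
}

// Hostname when the text is nothing but a URL or host/path, else null.
function claimedHost(text) {
  const m = /^(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?::\d+)?(?:[\/?#]\S*)?$/i.exec(text.trim());
  return m ? m[1].toLowerCase() : null;
}

// Report the smallest containers holding a password field together with
// a drawn URL whose host is not the host the page was loaded from.
function findFakeAddressBars(root, pageHost) {
  const findings = [];
  (function walk(el) {
    let hasPassword = el.tagName === 'INPUT' && el.type === 'password';
    let reported = false;
    const host = claimedHost(displayedText(el));
    const hosts = host && host !== pageHost.toLowerCase() ? [host] : [];
    for (const child of Array.from(el.children)) {
      const r = walk(child);
      hasPassword = hasPassword || r.hasPassword;
      reported = reported || r.reported;
      hosts.push(...r.hosts);
    }
    if (hasPassword && hosts.length > 0 && !reported) {
      findings.push({ container: el.id || el.tagName, claimedHosts: [...new Set(hosts)] });
      reported = true;
    }
    return { hasPassword, reported, hosts };
  })(root);
  return findings;
}

// Constructed sample: plain objects standing in for DOM elements.
const fakeEl = (tagName, props = {}, children = []) => ({ tagName, children, ...props });
const samplePage = fakeEl('BODY', {}, [
  fakeEl('BUTTON', { textContent: 'Join tournament' }),
  fakeEl('DIV', { id: 'login-overlay' }, [
    fakeEl('SPAN', { textContent: 'https://steamcommunity.com/openid/login' }),
    fakeEl('INPUT', { type: 'password' }),
  ]),
]);
// In a browser: findFakeAddressBars(document.body, location.hostname)
```

A finding is a reason to look closer, not proof: a page that legitimately prints another site's address near its own login form will also match.
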
Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.