The video game platform has become the latest target of this new and dangerous ‘phishing’ technique in a campaign that tries to steal the accounts of its users.

Browser-in-the-Browser or “BitB” (Browser-in-the-Browser) is a relatively new phishing technique that is starting to gain popularity among cybercriminals. This method was discovered last spring and consists of launching fake pop-up windows inside the active window, making it look like a seemingly legitimate login pop-up page for users to enter their access credentials to the service that is being spoofed and that appears the real one

At Escudo Digital we already warned about this new and dangerous phishing technique shortly after it was released, when it was being used against Google Chrome users. Now, Steam has become the latest target of the BitB method in a campaign that threatens its users by trying to steal their accounts from the popular video game platform, cybersecurity company Group-IB has revealed.

The fact that Steam uses a pop-up window for user authentication instead of a new tab has made it the perfect target for this type of cyber attack, as Group-IB points out in a report published this Tuesday detailing the peculiarities of this campaign that its researchers have discovered.

How this new campaign works on Steam

As the Group-IB report explains, the cybercriminals behind this campaign target their potential victims by sending them a message in which they attract their attention and interest by offering them various offers: to participate in alleged video game tournaments such as League of Legends, Counter- Strike, DOTA 2 and PUBG, vote for your favorite team, or buy discounted tickets to cyber sport events.

These messages include a link that redirects them to the supposed official page of the offer in question, practically indistinguishable from a legitimate website, asking them to log in to their Steam account.

“Unlike traditional phishing resources, which open phishing web pages in a new tab (or redirect users to them), this type of resource opens a fake browser window in the same tab to convince users to which is legitimate,” the report stresses.

Group-IB also highlights that these BitB phishing pages are rip-offs from the real thing. Supposedly they have Steam Guard, the additional level of security of the platform that operates with the user’s two-step authentication. They also appear to have an SSL certificate, allow users to change the interface language between 27 different ones, and in many cases even include a notice about data being saved to a third-party resource.

If users fall for the trick and enter their credentials, a new form appears asking them to enter the two-factor authentication code. This code is created using a separate app, which sends a push notification to the user’s device. If you provide an incorrect code, an error message is displayed, while if the authentication is successful, the user is redirected to a generally legitimate web page, to minimize the chances of realizing that they have just been the victim of an attack. cyber attack. Your credentials will already be in the hands of cybercriminals, who will be able to access the account and change the login details to make it difficult for the owner to regain control. In addition, the main objective of the cybercriminals with this campaign would be to sell access to the accounts they manage to compromise, since a professional gamer’s Steam account can be worth between $100,000 and $300,000.

“Unlike phishing-as-a-service schemes, which typically involve developing phishing kits for sale, Steam phishing kits are kept secret. Campaigns are carried out by groups of hackers who meet in underground forums or Telegram channels and use Telegram or Discord to coordinate their actions,” says IB-Group, which also claims to have reported its findings to Steam developer Valve.

Categorized in: