Of course, you may be thinking, “There’s no way I’d fall for that!” Although some phishing campaigns use half-baked, unconvincing, fraudulent pages to bait victims, Group-IB claims that the technique in its report, called “browser-in-the-browser,” uses legitimate-looking windows that are indistinguishable from their authentic counterparts.
What is a ‘browser-in-the-browser’ phishing attack?
Steam uses a pop-up window for user authentication — not a new tab. As such, hackers take advantage of this by luring unwitting victims into interacting with a pop-up that mimics Steam’s UI, but of course, it’s a trap.

How do they get victims to click on these inauthentic, faux Steam pop-ups to begin with? Well, many cybercriminals masquerade as League of Legends, DOTA 2, PUBG, or Counter-Strike gamers and ask users to join their team. They also offer discounted cybersport tickets, ask users to vote for their favorite teams, and more.

Once the user clicks a button on the “bait webpage,” as Group-IB calls it, it launches a data entry form that mimics a legitimate Steam window. It even has an additional Steam Guard window for two-factor authentication (and a fake SSL certificate lock icon). “Unlike traditional phishing resources, which open phishing webpages in a new tab (or redirect users to them), this type of resource opens a fake browser window in the same tab in order to convince users that it is legitimate,” Group-IB said. Some fraudulent Steam windows go as far as warning users that they’re linking their account with a third-party company, adding another layer of faux legitimacy to the deceptive phishing scheme. Oh yeah, these cybercriminals are that sneaky.

Group-IB said that this phishing scheme is only available to select groups. The hacking teams who have access to this phishing kit offer phishing-for-hire services. In other words, cybercriminals sell access to Steam accounts, and Group-IB reported that some pro-gamer accounts are valued at nearly $300,000.
How to protect yourself
Group-IB offered a checklist in its report to help Steam users spot a browser-in-the-browser phishing attack.
- Check whether a new window opened in the task bar. If not, the browser window is fake.
- Try to resize the window. If the window is fake, you won’t be able to resize it.
- Minimize the window. If the window is fake, the “minimize” button will close it.
- Click on the SSL certificate lock icon. If it’s fake, nothing will happen.
- The address bar in fake windows is not functional.

Avoiding this phishing attack is fairly easy. Always be skeptical of unknown users requesting you to join their team or making other requests. If the message involves you clicking a URL, your suspicions should be heightened. No matter how legitimate or authentic a webpage may look, refrain from inputting your Steam credentials, especially if the link was sourced from a total stranger.
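The checklist above rests on one fact: a genuine pop-up is browser chrome, while a browser-in-the-browser window is ordinary page content drawn to look like chrome. That distinction can also be checked in a captured page’s HTML. The scanner below is an added example (not code from Group-IB or from this article) that looks for the tell-tale signs the report describes: a full URL of an imitated site rendered as visible text rather than an address bar, a lock image beside it, text-only minimize/close “buttons,” and an iframe that loads a login form from a different host. The imitated host list, the indicator names, and the two HTML snippets are constructed assumptions for the demo; the `.invalid` host is a placeholder, not a real phishing site.

```python
"""Heuristic scanner for browser-in-the-browser (BitB) page templates (added example)."""
import re
from html.parser import HTMLParser

# Hosts whose sign-in window a BitB page would imitate (assumption for this example).
IMITATED_HOSTS = ("steamcommunity.com", "store.steampowered.com")

_HOST_ALT = "|".join(re.escape(h) for h in IMITATED_HOSTS)
# A full URL of an imitated host appearing as visible text (the fake "address bar").
URL_TEXT = re.compile(r"https?://(?:[a-z0-9-]+\.)*(?:%s)(?:/\S*)?" % _HOST_ALT, re.I)
# Characters typically used to draw fake minimize/maximize/close buttons as text.
CONTROL_GLYPHS = {"_", "–", "□", "❐", "✕", "×", "x", "X"}


class BitbScanner(HTMLParser):
    """Collects indicators of fake browser chrome while parsing one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = set()
        self._in_anchor = 0        # > 0 while inside <a>...</a>
        self._control_glyphs = 0   # text nodes that consist only of a window-control glyph

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._in_anchor += 1
        elif tag == "img":
            # A padlock drawn as an image is the page imitating the TLS indicator.
            blob = " ".join(v or "" for v in a.values()).lower()
            if "lock" in blob or "ssl" in blob:
                self.findings.add("lock_image")
        elif tag == "iframe":
            # A login form framed from a host other than the one the "address bar" shows.
            src = (a.get("src") or "").lower()
            if "login" in src and not any(h in src for h in IMITATED_HOSTS):
                self.findings.add("iframe_login")

    def handle_endtag(self, tag):
        if tag == "a" and self._in_anchor:
            self._in_anchor -= 1

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        if text in CONTROL_GLYPHS:
            self._control_glyphs += 1
            if self._control_glyphs >= 2:
                self.findings.add("fake_window_controls")
        elif URL_TEXT.search(text) and not self._in_anchor:
            # A real address bar is never page text; a link whose visible text is a
            # URL is normal, so anchors are exempt.
            self.findings.add("url_as_text")


def scan(html):
    """Return the sorted list of indicator names found in the document."""
    p = BitbScanner()
    p.feed(html)
    p.close()
    return sorted(p.findings)


def looks_like_bitb(html):
    """Verdict: the fake address bar plus at least one more indicator."""
    found = scan(html)
    return "url_as_text" in found and len(found) >= 2


# Constructed sample: the skeleton of a fake window rendered inside the page.
SUSPECT = """
<div id="win" style="position:fixed">
  <div class="titlebar"><span>Sign in</span><span>_</span><span>×</span></div>
  <div class="bar"><img src="lock.svg" alt="lock"><span>https://steamcommunity.com/openid/login</span></div>
  <iframe src="https://EXAMPLE-PHISH.invalid/login.html"></iframe>
</div>
"""

# Constructed sample: a normal page that links to Steam and shows a padlock in an FAQ.
BENIGN = """
<p>Read the docs at <a href="https://steamcommunity.com/dev">https://steamcommunity.com/dev</a>.</p>
<img src="/img/padlock.png" alt="lock icon shown in the FAQ">
"""

if __name__ == "__main__":
    for name, doc in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, scan(doc), looks_like_bitb(doc))
```

The `BENIGN` document still trips the lock-image indicator on its own, which is why the verdict requires the text-rendered URL as well: a padlock picture is common on ordinary pages, but a full URL of the imitated site sitting in page text next to one is exactly the fake address bar the checklist tells users to click on.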