Steam users are being targeted by a clever new browser-in-the-browser phishing scheme disguised as a legitimate Steam message. According to cybersecurity company Group-IB, the scheme specifically targets professional and competitive gamers, sending them fake tournament invites through the platform’s messaging system.
Clicking the accompanying link redirects you to a professional-looking tournament website, where you are asked to log in to Steam and enter a two-factor authentication code. Once you log in, the hackers gain full access to your account and can even change your login credentials, making account recovery extremely difficult. From there, they can steal anything valuable on the account, including skins or unopened games, and possibly even your credit card information. They can also use your friends list to send out more phishing invites.
The fact that they’re using tournament invites to entice victims narrows their targets down to competitive and professional gamers. These are also the accounts that are likely to have expensive skins or other virtual goods. Group-IB claims that some pro gamer accounts could possibly be worth hundreds of thousands of dollars.
Browser-in-the-browser (BitB) attacks are far more likely to succeed in stealing login credentials and personal information because the fake login window closely mimics a real browser pop-up from the legitimate site. The fake window can be moved around, minimized, maximized, and closed, and it displays a fake padlock icon, a URL that appears legitimate, multiple language options, and, in Steam’s case, a fake Steam Guard prompt. In many cases, it even shows a warning about your data being saved on a third-party resource.