A new browser-in-browser attack technique is being used by hackers to steal login credentials for Steam gaming accounts, putting millions of users at risk.

The New Browser-in-Browser Exploit Uses Phishing to Steal Data

Steam users are now at risk of being targeted by a new kind of browser-in-browser attack that uses phishing to steal data. This exploit, which was only discovered in 2022, involves the use of fake login windows to trick users into thinking they are signing in to their official Steam account. As is often the case with phishing, the fake login page is malicious: credentials typed into it are captured and can be used to access the victim's account.

Phishing is a very popular data theft tactic used by cybercriminals around the world, with this newer exploit also being used to mimic other services, like Google, to steal private information from victims. But professional gamers are the key target of this particular scam.

Cybersecurity solutions provider Group-IB stated in a blog post that, in order to lure in victims, attackers ask them to log into Steam to "join a team for a LoL, CS, Dota 2, or PUBG tournament, to vote for [their] favorite team, to buy discounted tickets to cybersport events, and more". Such persuasive elements are not uncommon in phishing scams.

Fake Login Pages Are Worryingly Convincing

graphic of login window

In this attack, scammers are creating fake login pages that are almost identical to the original, making it difficult for the average user to sniff out the swindle. Group-IB stated in the aforementioned blog post that these fake Steam pages have "a fake green lock sign, a fake URL field that can be copied, and even an additional Steam Guard window for two-factor authentication". These phony pages can even be displayed in multiple languages.

The attacker will often include the link to a fake gaming tournament website in their message to the target, which will then lead to the dummy Steam login page. The sophistication of this scam makes it particularly dangerous to those who don't know what to look out for when checking if a website is malicious.
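The detail above, that the "popup" is just page content with a painted URL bar, suggests a defender-side check. The following is an added example, not code from the article or from Group-IB: a heuristic a browser-extension content script could run, comparing the host shown in a fake address bar against the page's real `window.location.hostname`. DOM access is replaced with plain objects so it runs in Node; the protected-host list and the sample panels are assumptions constructed for the demo.

```javascript
// Added example (not from the article or Group-IB): a defender-side heuristic.
// A browser-in-browser window is ordinary page content, so the "address bar"
// it shows is just text. If a credential form sits inside a container whose
// painted URL names a host other than the page's real origin, the popup is fake.

// Hosts a fake Steam window would be expected to impersonate (assumed list).
const PROTECTED_HOSTS = new Set(["steamcommunity.com", "store.steampowered.com"]);

// Extract the hostname from a string painted to look like a URL bar.
// Requires a dotted host so plain labels such as "Chat" are not treated as URLs.
function hostFromDisplayedUrl(text) {
  const m = text.trim().match(/^(?:https?:\/\/)?([^\s/]+\.[^\s/]+)/i);
  if (!m) return null;
  try {
    return new URL("https://" + m[1]).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// `panels`: candidate popup containers, each with the text of its fake address
// bar and whether it holds a password field (what a content script would collect).
// `realHost`: window.location.hostname of the page actually being viewed.
function findFakeLoginWindows(panels, realHost) {
  const findings = [];
  for (const p of panels) {
    if (!p.hasPasswordField) continue; // only credential prompts matter
    const shown = hostFromDisplayedUrl(p.addressBarText);
    if (shown === null) continue;
    // A real popup's URL bar is browser chrome, never page content. A painted
    // URL claiming a different host than the page is the BitB pattern.
    if (shown !== realHost.toLowerCase()) {
      findings.push({
        id: p.id,
        claimedHost: shown,
        actualHost: realHost,
        impersonatesProtectedHost: PROTECTED_HOSTS.has(shown),
      });
    }
  }
  return findings;
}

// Constructed sample: a "tournament" page hosting a fake Steam login window.
const SAMPLE_PANELS = [
  { id: "login-popup", addressBarText: "https://steamcommunity.com/openid/login", hasPasswordField: true },
  { id: "chat-widget", addressBarText: "Chat", hasPasswordField: false },
];
const REAL_HOST = "tournament-example.invalid"; // constructed, not a real site
```

In a real extension the panel list would be built from elements with `position: fixed`, a high `z-index` and a descendant `input[type=password]`; a match is a reason to warn the user before they type anything.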

Virtual Assets and Payment Details Are at Risk

Once the attacker gains access to the victim's account, they typically change its login details so the victim cannot immediately get back in. By the time the victim recovers the account, it's likely that most, if not all, of their valuable virtual assets will be gone.

On top of this, the victim is at risk of having their payment card details exploited if they have stored them on their account. This kind of information can be very valuable on dark web marketplaces, and is often sold for profit to other malicious individuals.

Phishing Continues to Become More Prevalent

As the cybercrime industry grows, more and more kinds of phishing attacks are being launched against unsuspecting victims, be it individuals or entire organizations. This is why high levels of device and account privacy are so important in our modern day.