Coordinated groups of hackers are targeting Steam users with a “browser-in-the-browser” scam that steals their login credentials.
A report published by Group IB today (September 13) details how the hack works. Scammers begin the process by messaging potential victims with a link to a phishing site, under the guise of inviting them to join their team in a game’s tournament or vote in a competition.
The phishing site is disguised as a legitimate esports site, and when victims proceed through the site, they are hit with a pop-up that is designed to look like a legitimate authenticator from Steam. In reality, the pop-up is a fake window that is a part of the site’s page – hence the scam being called a “browser-in-the-browser” hack.
Anyone who falls for the fake pop-up and enters their credentials will have sent their login details to hackers, allowing them to hijack their Steam account.
The scam is being used to steal Steam accounts, which can often include hundreds of pounds-worth of games and downloadable content (DLC). Cosmetic items for games including Dota 2 and Counter-Strike: Global Offensive can be worth thousands and can be sold privately or through Steam’s marketplace.
As it stands, the hack is fairly sophisticated and only certain groups have access to the phishing kit used to carry it out. Group IB reports that these hacking groups tend to offer the scam as a phishing-for-hire service, and for the moment this particular hack tends to be used in coordinated attacks.
To avoid falling victim to the hack, Steam users should avoid clicking links sent by anyone they don’t know and trust. It’s also a safe practice to never enter login details on or through a site that’s been linked via message.
In other gaming news, Fall Guys is going to space in Season 2, with a host of planned crossovers revealed.
