2022-09-15

A new form of attack is being used to steal Steam accounts from unsuspecting users. Through phishing with a technique called Browser-in-the-Browser (BitB), attackers trick their victims into handing over their credentials and take over their accounts on Valve's platform. The goal is to resell access for large sums of money, either to the previous owners or to third parties.

Hackers want your Steam account (illustrative image: Kevin Horvat/Unsplash)

The technique used by the digital thieves works like this: they create a fake login page for a service such as Steam or Google.

A pop-up window then appears that tricks the user into entering their access data. The attackers capture this information and quickly take over the target's account.

The phishing kit was first described by mr.d0x, a digital security researcher. It was disclosed in March 2022 by Bleeping Computer, where he explained that the windows opened for the attack show only a login form and its URL, which makes them perfect for deceiving the unsuspecting.

The Browser-in-the-Browser technique has already taken data from several Steam players, who confirmed that they lost everything they had collected on the platform. The strategy works because it masks the URL, making it appear legitimate.

BitB phishing attempt on Steam (Image: Reproduction / Bleeping Computer)

150+ sources mimicking Steam

According to web security experts at Group-IB, many people have already fallen victim to this type of Browser-in-the-Browser phishing, and the reported losses vary widely in size.

A small Steam account, for example, costs a few tens of dollars to recover or trade, while a more professional one, or one with a huge amount of content, can be worth between $100,000 and $300,000.

Professionals from Group-IB's CERT-GIB (Computer Emergency Response Team) reported that in July 2022 alone, more than 150 fraudulent sources mimicking Steam were discovered.

In some cases, criminals sent messages to Counter-Strike: Global Offensive spectators offering free skins for the game. Many people naively clicked and handed over their login information.

Almost every button on this page leads to a Steam imitation (Image: Reproduction / Group-IB)

How to avoid a BitB attack

The URL shown to the user typically looks legitimate. This is because the "window" is not a real browser window but a rendering of one drawn inside the page, so the criminals can put whatever they want in its address bar.
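Because the fake window and its address bar are just page content, a defender can look for the tell-tale combination in the DOM: a high-z-index overlay that contains URL-looking plain text (a fake address bar, which real browser chrome never exposes to the page) together with a credential field or an embedded iframe. The heuristic below is an added example, not code from the article or from any of the vendors it cites; it works on a constructed, simplified DOM snapshot (plain objects with `tag`, `attrs`, `style`, `text`, `children`), which in a real deployment you would build from the live document, for instance from a browser-extension content script.

```javascript
// Added example (not from the article): heuristic detection of a Browser-in-the-Browser
// style overlay in a simplified DOM snapshot. Tree nodes are constructed objects of the
// form { tag, attrs, style, text, children }; the field names are assumptions of this example.

// Text that looks like a URL or a bare host name, e.g. "https://example.test/login".
const URL_LIKE = /^(https?:\/\/)?[a-z0-9-]+(\.[a-z0-9-]+)+(\/\S*)?$/i;

// Depth-first walk that hands each node to `visit` together with its ancestor chain.
function walk(node, visit, ancestors = []) {
  visit(node, ancestors);
  for (const child of node.children || []) walk(child, visit, [...ancestors, node]);
}

// Collects the BitB indicators present under `root`, in the order they are found.
function bitbIndicators(root) {
  const style = root.style || {};
  const found = new Set();
  // A floating layer stacked above everything else is how the fake window is positioned.
  const overlay = (style.position === 'fixed' || style.position === 'absolute')
    && Number(style.zIndex || 0) >= 1000;
  if (overlay) found.add('high-z-overlay');
  walk(root, (node, ancestors) => {
    const attrs = node.attrs || {};
    if (node.tag === 'input' && (attrs.type || '').toLowerCase() === 'password') found.add('password-field');
    if (node.tag === 'iframe') found.add('embedded-iframe');
    // A URL drawn as plain text (not a link) is the hallmark of a fake address bar: the
    // real address bar is browser chrome and is never part of the page DOM.
    const text = (node.text || '').trim();
    const insideLink = node.tag === 'a' || ancestors.some(a => a.tag === 'a');
    if (text && URL_LIKE.test(text) && !insideLink) found.add('url-as-text');
  });
  return [...found];
}

// Reports every overlay that combines a fake address bar with a credential field or an
// iframe (kits often load the convincing login form into an iframe inside the fake window).
function findBitbCandidates(tree) {
  const results = [];
  walk(tree, (node) => {
    const ind = bitbIndicators(node);
    if (ind.includes('high-z-overlay') && ind.includes('url-as-text')
        && (ind.includes('password-field') || ind.includes('embedded-iframe'))) {
      results.push({ id: (node.attrs || {}).id, indicators: ind });
    }
  });
  return results;
}

// Constructed sample page: a legitimate cookie banner (overlay, but no URL text or
// credentials), the site's own login form (credentials, but no overlay), and a BitB-style
// fake window whose "address bar" is just a span of text above an iframe.
const SAMPLE_PAGE = {
  tag: 'body',
  children: [
    { tag: 'div', attrs: { id: 'cookie-banner' }, style: { position: 'fixed', zIndex: '2000' },
      children: [{ tag: 'p', text: 'We use cookies.' }, { tag: 'button', text: 'OK' }] },
    { tag: 'form', attrs: { id: 'site-login' },
      children: [{ tag: 'input', attrs: { type: 'text' } }, { tag: 'input', attrs: { type: 'password' } }] },
    { tag: 'div', attrs: { id: 'fake-window' }, style: { position: 'fixed', zIndex: '9999' },
      children: [
        { tag: 'div', attrs: { class: 'titlebar' },
          children: [{ tag: 'span', text: '\u{1F512}' }, { tag: 'span', text: 'https://steamcommunity.com/login' }] },
        { tag: 'iframe', attrs: { src: 'about:blank' } },
      ] },
  ],
};

// Usage: findBitbCandidates(SAMPLE_PAGE) returns only the 'fake-window' overlay.
```

The two legitimate elements in the sample each trigger a single indicator and are not reported, which is the point of requiring the combination: plenty of real sites use fixed overlays and modal login dialogs, so a flagged element is a candidate for review (or for refusing to autofill into it), not proof of phishing on its own. The manual test the article recommends, entering deliberately wrong credentials first, remains the complementary human check.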

The surest way to avoid this type of phishing would be to block JavaScript, but that gets in the way of browsing ordinary, legitimate sites.

A practical suggestion, therefore, is to enter deliberately wrong versions of your login and password before typing the real ones. If the site accepts the incorrect data, it is after your credentials.

In any case, always be careful with links and direct messages received on Steam or any other platform.

Source: Bleeping Computer.