Hackers are targeting Steam credentials using a new phishing technique called Browser-in-the-Browser (BitB), according to new research from security researchers at Group-IB.
Unlike traditional phishing pages, which open in a new tab or are reached through a redirect, a BitB page draws a fake browser window inside the current tab, complete with imitation window chrome, to convince the user that a genuine pop-up has opened.
Data entered into the malicious form is sent to the threat actors and automatically entered on the legitimate site, so invalid credentials produce an error message just as they would on the real login page.
Where two-factor authentication (2FA) is enabled, the page goes on to request the one-time code. That code is generated by a separate app, which also sends a push notification to the user's device, and the code the victim types in is passed on to the legitimate site like the rest of the form data.
Group-IB's technical write-up describes a Browser-in-the-Browser campaign aimed at stealing Steam credentials and then selling access to the compromised accounts.
“A researcher with the moniker mr.d0x was the first to describe this phishing technique, in spring 2022,” reads the advisory. “Threat actors decided to take advantage of the fact that Steam uses a pop-up window for user authentication instead of a new tab.”
According to the advisory, the threat actors sent victims messages containing various enticing offers to lure them to a bait webpage that contains a login button.
Group-IB further noted that almost any button on the bait pages opened an account-data entry form mimicking a legitimate Steam login window.
“It has a fake green lock sign, a fake URL field that can be copied, and even an additional Steam Guard window for two-factor authentication.”
More generally, Group-IB explained that the content of BitB phishing pages is copied wholesale from the legitimate ones; in many cases they even reproduce the notice that data is being saved on a third-party resource.
“Phishing pages can have all buttons disabled except for login confirmation and language switching,” reads the advisory. “All 27 interface languages are fully functional, and the selection is identical to the one used on the legitimate page.”
Some of the Steam accounts stolen in these campaigns were reportedly valued between $100,000 and $300,000.
In the advisory, Group-IB also gave companies recommendations on how to spot a fake browser window: compare the header design and the address bar of the pop-up with those of a real window, try to resize it (a fake window cannot be resized), and check whether the address bar actually works. Two further checks are worth knowing: a genuine pop-up can be dragged beyond the edge of the parent browser window, whereas a BitB overlay is confined to the tab that draws it, and a password manager will not offer to autofill saved Steam credentials on the fake form, because it is served from the attacker's domain rather than from Steam's.
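One programmatic version of the address-bar check, added here as an example and not taken from Group-IB's advisory: because a BitB window is only HTML inside the attacker's page, the URL it displays is page text and can be compared with the origin that actually served the document. The host bait.example and the sample strings are constructed for the example. In a browser the block can be pasted into the developer console of a suspect page; under Node it runs against the embedded sample.

```javascript
// Added example (not code from Group-IB's advisory): heuristic checks for a
// Browser-in-the-Browser overlay. The fake "window" is ordinary HTML drawn by
// the attacker's page, so the URL shown in its fake address bar is plain text
// that can be compared with the origin really serving the document.

// Extract the host from a string that contains a URL; null if it contains none.
function hostOf(text) {
  const m = /https?:\/\/([^\/\s:?#]+)/i.exec(text);
  return m ? m[1].toLowerCase() : null;
}

// True when `shown` is the real host or one of its subdomains.
function sameSite(shown, realHost) {
  return shown === realHost || shown.endsWith('.' + realHost);
}

// Given the document's real origin and the visible text fragments that look
// like an address bar, return every displayed host that does not belong to
// the origin actually serving the page. Any hit is a spoofed address bar:
// a real browser never renders another origin's URL inside page content.
function findSpoofedAddressBars(realOrigin, candidateTexts) {
  const realHost = new URL(realOrigin).hostname.toLowerCase();
  const findings = [];
  for (const text of candidateTexts) {
    const shown = hostOf(text);
    if (shown !== null && !sameSite(shown, realHost)) {
      findings.push({ shownHost: shown, realHost, text: text.trim() });
    }
  }
  return findings;
}

// Browser-only helper: walk the live DOM and collect short text nodes that
// contain a URL (a fake title bar or address bar is usually one of these).
function collectUrlLikeTexts(doc) {
  const out = [];
  const walker = doc.createTreeWalker(doc.body, 4 /* NodeFilter.SHOW_TEXT */);
  let node;
  while ((node = walker.nextNode())) {
    const t = node.nodeValue.trim();
    if (t.length < 200 && hostOf(t) !== null) out.push(t);
  }
  return out;
}

// Constructed sample, standing in for text scraped from a bait page served
// from the hypothetical host bait.example whose fake pop-up shows Steam's URL.
const SAMPLE_ORIGIN = 'https://bait.example';
const SAMPLE_TEXTS = [
  '\u{1F512} https://steamcommunity.com/openid/login', // fake lock + fake URL field
  'Sign in through Steam',
  'https://bait.example/tournament',                    // the bait page's own link
  'https://cdn.bait.example/steam.css',                 // subdomain of the real origin
];

// Run against the live page in a browser, otherwise against the sample.
function runCheck() {
  const inBrowser = typeof document !== 'undefined' && typeof location !== 'undefined';
  const origin = inBrowser ? location.origin : SAMPLE_ORIGIN;
  const texts = inBrowser ? collectUrlLikeTexts(document) : SAMPLE_TEXTS;
  return findSpoofedAddressBars(origin, texts);
}

for (const f of runCheck()) {
  console.log(`address bar shows ${f.shownHost} but the page is served by ${f.realHost}: "${f.text}"`);
}
```

The check only catches an overlay whose fake address bar names a different origin than the one serving the page; a fake bar that shows the attacker's own domain, or a genuine pop-up, produces no finding, so it complements rather than replaces the resize and drag tests above.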
The BitB-focused research comes amid a substantial increase in cyber-attacks on the gaming industry. Case in point, a report published in August by cybersecurity firm Akamai suggested that cyber-attacks on the gaming sector rose by 167% over the past year.