Of course, you may be thinking, “There’s no way I’d fall for that!” Although some phishing campaigns use half-baked, unconvincing, fraudulent pages to bait victims, Group-IB claims that the technique in its report, called “browser-in-the-browser,” uses legitimate-looking windows that are indistinguishable from their authentic counterparts.

What is a ‘browser-in-the-browser’ phishing attack?

Steam uses a pop-up window for user authentication — not a new tab. As such, hackers take advantage of this by luring unwitting victims into interacting with a pop-up that mimics Steam’s UI, but of course, it’s a trap. How do they get victims to click on these inauthentic, faux Steam pop-ups to begin with? Well, many cybercriminals masquerade as League of Legends, DOTA 2, PUBG, or Counter-Strike gamers and ask users to join their team. They also offer discounted cybersport tickets, ask users to vote for their favorite teams, and more.

Once the user clicks a button on the “bait webpage,” as Group-IB calls it, it launches a data entry form that mimics a legitimate Steam window. It even has an additional Steam Guard window for two-factor authentication (and a fake SSL certificate lock icon). “Unlike traditional phishing resources, which open phishing webpages in a new tab (or redirect users to them), this type of resource opens a fake browser window in the same tab in order to convince users that it is legitimate,” Group-IB said. Some fraudulent Steam windows go as far as warning users that they’re linking their account with a third-party company, adding another layer of faux legitimacy to the deceptive phishing scheme. Oh yeah, these cybercriminals are that sneaky.

Group-IB said that this phishing scheme is only available to select groups. The hacking teams who have access to this phishing kit offer phishing-for-hire services. In other words, cybercriminals sell access to Steam accounts, and Group-IB reported that some pro-gamer accounts are valued at nearly $300,000.
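The detail that matters for defenders is the one in Group-IB’s quote: the “window” is drawn inside the same tab, so its address bar and padlock are ordinary page content rather than browser chrome. A real browser never exposes its own address bar to the page, which gives a simple detection heuristic. The snippet below is an added example, not code from the article or from Group-IB’s report; the element snapshot is constructed so it runs offline in Node, and in a live tab the same check would be fed from `document.querySelectorAll('*')`.

```javascript
// Added example (not from the article or Group-IB): flag page content that
// imitates browser chrome. A genuine address bar and padlock are never part of
// the document, so any element whose visible text is a bare URL, optionally
// preceded by a padlock glyph, was rendered by the page itself. That is exactly
// what a browser-in-the-browser window must do to fake a second window.

// Padlock glyph (optional) followed by a URL and nothing else.
const ADDRESS_BAR_PATTERN = /^(?:🔒\s*)?https?:\/\/\S+$/u;

function looksLikeAddressBar(el) {
  const text = (el.text || '').trim();
  if (!ADDRESS_BAR_PATTERN.test(text)) return false;
  // A real hyperlink whose label happens to be a URL is ordinary page content,
  // not an imitation of browser chrome.
  if (el.tag === 'a' && el.href) return false;
  return true;
}

// Returns the elements that should be treated as fake address bars.
function findFakeAddressBars(elements) {
  return elements
    .filter(looksLikeAddressBar)
    .map((el) => ({ tag: el.tag, text: el.text.trim() }));
}

// Constructed snapshot of a "bait webpage" of the kind the article describes.
// In a browser this array would be built from document.querySelectorAll('*').
const sampleElements = [
  { tag: 'h1', text: 'Vote for your favourite Counter-Strike team' },
  { tag: 'div', text: '🔒 https://steamcommunity.com/openid/login' }, // fake address bar
  { tag: 'h2', text: 'Sign in with your Steam account' },
  { tag: 'input', text: '' },
  { tag: 'a', text: 'https://store.steampowered.com', href: 'https://store.steampowered.com' },
  { tag: 'p', text: 'You are linking your account with a third-party service.' },
];

console.log(findFakeAddressBars(sampleElements));
// → [ { tag: 'div', text: '🔒 https://steamcommunity.com/openid/login' } ]
```

The heuristic is deliberately narrow: it only fires on text that reads as a complete URL with nothing else in it, which is what a painted address bar looks like, and it exempts anchors whose label is their own `href`. It will not catch a fake window that omits the address bar, so it complements rather than replaces the user-facing checks Group-IB describes.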

How to protect yourself

Group-IB offered a checklist in its report to help Steam users spot a browser-in-the-browser phishing attack.