Top Gamers’ Credentials Stolen in Massive Hack
Since its launch in September 2003, Steam has grown into one of the most popular digital retail and distribution platforms. The digital service, provided by its parent company Valve, has evolved tremendously since updating its game catalog to include selling games and distributing other publishers’ inventory.
With Steam’s success comes a downside as well: criminal hackers have created a myriad of scams to steal from the popular platform. The latest scam involving Steam is a phishing attack that uses the Browser-in-the-Browser technique. Hackers have launched this attack, one of the most utilized hacking attacks from the dark web, to steal the private credentials of Steam accounts.
The Browser-in-the-Browser scam has been frequently used by criminal hackers; it is a popular strategy in which threat actors create fake browser windows that mimic high-profile websites. However, while the page may be identical, a maliciously coded pop-up page will direct unsuspecting individuals to sign up for specific promotional services.
According to BleepingComputer, analytical reports since March 2022 have revealed that hackers have been utilizing a newly created phishing kit. With capabilities to rapidly create and launch numerous Browser-in-the-Browser scams, the kit has been getting a lot of notice on dark web forums.
Fake Browser Hacking Assaults
Consumers of some popular websites have already fallen victim to the malicious threat actors, with numerous scams launched with phony login pages for Google, Microsoft, and Steam, as well as banks and financial institutions.
Meanwhile, Group-IB, which is one of the analytical research teams tracking this phishing scam, revealed the Browser-in-the-Browser hacking techniques. Its researchers have observed hacking campaigns specifically created to target top-tier professional players on the Steam gaming platform.
According to Group-IB’s new study, hackers utilizing the “Browser-in-the-Browser” technique create competitions with enticingly high rewards. The intent is to trick professional gamers into signing in with their Steam credentials, which supposedly allows them to participate in the hope of ultimately winning the extravagant prize money.
But unbeknownst to unsuspecting visitors, the well-crafted login window is a false window that is identical to the real website page. Cyber analysts have warned that it is exceedingly difficult for targeted victims to identify that they’ve been lured into a phishing scam.
The huge problem with this hacking campaign is that victims are unable to identify a Browser-in-the-Browser attack. According to analysts, victims appear to be viewing a genuine browser window, but it is just a fake layer over the theme page of the original website.
Another unique feature is that the fake landing pages support 27 languages, which load automatically according to the geolocation of the victim’s browser. From there, the unsuspecting victims are prompted to enter their 2FA codes, which gives the criminal hackers free access to the breached accounts.
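Because the fake window described above is only a layer inside the page, any address bar it shows is ordinary page content, since a web page cannot write to the browser's real address bar. The following triage heuristic for saved or crawled HTML is an added example, not code from Group-IB or from the phishing kit: it flags pages that ask for a password while displaying a bare URL for a host other than the one that served them. The names `BitBScanner` and `bitb_suspects` and the `.example` hostnames are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A text node that is nothing but a URL or hostname looks like an address bar.
BAR_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#]\S*)?", re.I)

class BitBScanner(HTMLParser):
    """Collects address-bar-like strings and notes any password field."""
    def __init__(self):
        super().__init__()
        self.shown_hosts, self.has_password, self._hidden = set(), False, 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._hidden += 1          # text in here is never rendered
        elif tag == "input":
            if (a.get("type") or "").lower() == "password":
                self.has_password = True
            self._collect(a.get("value") or "")   # read-only input used as a bar

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self._collect(data)

    def _collect(self, text):
        m = BAR_RE.fullmatch(text.strip())
        if m:
            self.shown_hosts.add(m.group(1).lower())

def bitb_suspects(html, page_url):
    """Hosts the page displays as if in an address bar, differing from the host
    that actually served it; reported only when a password is requested."""
    s = BitBScanner()
    s.feed(html)
    s.close()
    real = (urlparse(page_url).hostname or "").lower()
    if not s.has_password:
        return []
    return sorted(h for h in s.shown_hosts if h != real)

# Constructed sample: a "tournament" page that draws its own login window.
SAMPLE = """<div class="window"><div class="titlebar"><span>Sign in</span></div>
<div class="addressbar"><span>https://login.steam.example/openid/login</span></div>
<form><input type="text" name="user"><input type="password" name="pass"></form></div>"""
```

A hit is a lead for manual review rather than a verdict, because legitimate pages can also print another site's URL as standalone text next to a login form.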