A new form of attack is underway to steal Steam accounts from unsuspecting users. Phishing by means of the so-called Browser-in-browser (BitB), hackers trick their victims and thus gain their access to Valve’s platform. The goal is to resell the access for a large sum, either to the previous owners or to third parties.
The technique used by digital thieves works like this: they create a fake login page for a service like Steam or Google, for example.
Thus, a pop-up window will appear, tricking the user into entering his access data. This information is then stolen by hackers who quickly hijack the target’s account.
The first person to describe the phishing kit was mr.d0x, a digital security researcher. It was revealed in March 2022 A bleeping computer, in which he explained that the windows opened for the attack only show the login form and its URL. Be perfect to deceive the unsuspecting.
The Browser-in-the-Browser technique has already received data from several Steam players who have confirmed that they’ve lost everything they’ve collected on the platform. This strategy works because it manages to mask the URL, implying that it is legitimate.
150+ fonts emulating Steam
according to Group-IB, web security experts said that many have already fallen victim to this type of browser-in-browser phishing. There are reports of different proportions.
For example, returning or trading a small Steam account costs several tens of dollars. Whereas a more professional one or one with huge content can cost between $100,000 and $300,000.
From there, CERT-GIB (Computer Emergency Response Team) professionals reported that in July 2022 alone, they discovered more than 150 fraudulent sources imitating Steam.
There are cases when criminals sent messages to a Counter Strike: Global Offense We offer free skins for the game. Out of naivety, many people clicked and gave away their login information.
How to prevent BitB attack
Typically, the URL displayed to the user may be legitimate. This is because criminals can add whatever they want because the window is not actually the browser’s, but a rendering of it.
Therefore, it is a good suggestion before you set the correct login and password in your account, add the incorrect versions of them. If the site receives incorrect data, then it is aimed at theft.
However, always be careful with links and direct messages received on Steam or any platform.
Info: Bleeping Computer.