Hackers simulate browser popup to intercept Steam account credentials

A new type of phishing is used by criminals to steal and resell Steam accounts. This is what experts call a browser-in-browser attack, which suggests that a login screen appears as a pop-up.

The new technique was already discovered earlier this year by a researcher with the pseudonym mr.d0x. Now an investigation by the security company Group IB shows that this technique is being used to intercept steam account credentials. Similar to known phishing techniques, the victim is redirected to a fake website set up by the hacker. That is also the case with these attacks on Steam users. Victims are lured to a Counterstrike tournament website and must log in with their Steam account.

Normally, the ssl certificate and often also the url show that it is not a legitimate site. With the browser-in-browser technique, this is much more difficult to see, because this phishing site uses JavaScript to display a pop-up login window, which is almost indistinguishable from a real Steam login window.

The window can simply be moved within the open tab. In addition, the URL in the fake window also appears legitimate and the green lock for a correct SSL certificate is displayed. Only when the victim closes the first window will it become clear that the pop-up screen is part of the current page.

The moment a victim successfully logs in through the fake window, the criminals have access to the Steam account. In order not to alarm the victim, upon successful login, they will be forwarded to a tournament entry confirmation page.