This phishing technique to steal your data from Steam is really sophisticated: this is how they have made the fraud look legitimate


A new phishing technique is gaining popularity among cybercriminals. Known as ‘Browser-in-the-Browser’ (BiTB), this method lets attackers display convincing fake pop-up windows from a web page in order to steal personal account information. The same technique has been used against Steam users, and its effectiveness is really worrying.

The cybersecurity company Group-IB has published a report warning about the danger of this technique. Everything indicates that the attackers usually go after the accounts of professional users or of those who compete in video game tournaments.

A very sophisticated method to steal Steam accounts

It all starts when a user receives an invitation to a supposed tournament in the form of a direct message, with a link that redirects to the supposed official page of the tournament. These tournaments are usually for games like League of Legends, Counter-Strike, DOTA 2, PUBG, etc. This message serves as bait for the user to access the attached link.

The website to which the message redirects is usually visually similar to that of any eSports company that organizes events and tournaments. In fact, in the example shown by Group-IB, it is a website developed in a very sophisticated way, practically indistinguishable from an official and legitimate website.


Once on the site, the user can join the supposed tournament with their Steam account, through the service's well-known pop-up window for entering login credentials. In fact, the pop-up itself has an SSL security certificate and a legitimate URL. Furthermore, the window can be moved, resized, and even maximized and minimized. In short, a pop-up that should not set off alarms. But of course, this is no ordinary pop-up.


This is not a real pop-up window, but a window generated by the web page being visited. That is, it is just one more visual element of the page. Once the user has entered their login credentials, there is no going back, and the window even asks the user for the Steam Guard code as part of the two-factor authentication system, further increasing the credibility of the site.
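Because the fake window is only page content, a defender can look for it as such. The following is an added example, not code from this article or from Group-IB: a heuristic that walks a simplified, constructed element tree and flags overlay elements whose entire text is a URL for a site other than the page's own. The node shape, the function names and the host `tournament-signup.example` are assumptions made for illustration.

```javascript
// Added example: defender-side heuristic, not code from the Group-IB report.
// Nodes are a constructed, simplified stand-in for DOM elements:
// { tag, position, text, children }.

// Matches a node whose entire text is a URL or bare hostname, as an address bar would show.
const WHOLE_URL = /^\s*(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[\/?#]\S*)?\s*$/i;

function hostOf(text) {
  const m = WHOLE_URL.exec(text || "");
  return m ? m[1].toLowerCase() : null;
}

// Assumption: "same site" means the same host or a subdomain of the page's host.
function sameSite(host, pageHost) {
  return host === pageHost || host.endsWith("." + pageHost);
}

// Returns overlay elements that display a URL for a site other than the page's own.
function findFakeAddressBars(root, pageHost) {
  const findings = [];
  const walk = (node, inOverlay) => {
    const overlay = inOverlay || node.position === "fixed" || node.position === "absolute";
    const host = hostOf(node.text);
    if (overlay && host && !sameSite(host, pageHost)) {
      findings.push({ tag: node.tag, shownHost: host });
    }
    (node.children || []).forEach((child) => walk(child, overlay));
  };
  walk(root, false);
  return findings;
}

// Constructed sample: a page on a lookalike host drawing a "window" with a Steam URL in it.
const SAMPLE_PHISH = { tag: "body", children: [
  { tag: "div", position: "fixed", children: [
    { tag: "span", text: "https://steamcommunity.com/" },
    { tag: "input", text: "" },
  ] },
] };

// Constructed sample: the genuine site showing its own URL, plus an ordinary external link.
const SAMPLE_BENIGN = { tag: "body", children: [
  { tag: "div", position: "fixed", children: [{ tag: "span", text: "https://steamcommunity.com/" }] },
  { tag: "a", text: "https://example.org/" },
] };

console.log(findFakeAddressBars(SAMPLE_PHISH, "tournament-signup.example"));
```

A genuine browser pop-up never appears in the page's own element tree, which is why a URL string rendered inside an overlay is a useful signal here.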


After the data is entered, attackers can access the account and perform all kinds of actions at will. Group-IB says that cybercriminals usually target accounts valued between 100,000 and 300,000 dollars.

The ‘Browser-in-the-Browser’ technique has also been used to steal account credentials from Microsoft, Google, and the like. One way to avoid falling for this type of phishing is to use blockers for elements that use JavaScript, though this would break the experience on other popular web pages, making it a somewhat intrusive remedy.

The recommendation to avoid this type of situation is the same as always: be careful with messages from strangers, and even more so with the links they contain. If you have doubts and think a message is not trustworthy, the best thing you can do is ignore it.

