Those dodgy hackers are at it again, and this is one that gamers in particular need to keep an eye out for as it targets Steam users.
Group-IB (opens in new tab) (via Bleeping Computer (opens in new tab)) is reporting that a sophisticated Browser-in-the-Browser phishing technique is snaring Steam users. In particular, competitive and professional gamers are being targeted with fake direct messages on Steam, inviting them to join tournaments. The user will then navigate to a slick looking game tournament platform where they are asked to log in using their Steam credentials and a 2FA code.
Once that’s done, the hackers will have access to the users account, being able to change the login credentials, making recovery difficult. By the time you regain access, your virtual goods such as skins will probably be gone, your credit card info could be compromised or the hacker may use your friends list for further targeting.
By baiting users with tournament play, this is an attack that is apparently aimed at competitive and professional gamers. These accounts are the ones that are more likely to have expensive virtual goods, with Group-IB claiming that some accounts are worth hundreds of thousands of dollars.
This kind of phishing attack is especially devious since it is a mimicking render of a real browser pop up window. For all intents and purposes, an unsuspecting user would believe they are using a real site, complete with a security certificate, multiple languages and a professional design. The fake window can be maximized, minimized, and moved around to give it a more legitimate look.
As the attack uses JavaScript, a script blocking extension will offer some protection by preventing the malicious code from running. As someone that has fallen victim to a browser phishing attack in years past, I use a script blocking extension (opens in new tab). It can be a pain when navigating to new sites but in the years since installing, I cannot imagine not using it.
The general rules of the internet remain. If something appears too good to be true, it probably is. Don’t click on links from sources you don’t trust and carefully filter or ignore unknown direct messages and emails. Whether its cryptocurrency, NFT’s or CS:GO skins, if something has a dollar value attached to it, dodgy scumbags will try to steal them from you. Stay safe out there!