2 min read

Hackers use Browser-in-the-Browser Technique to Steal Steam Accounts

Vlad CONSTANTINESCU

September 13, 2022

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Hackers use Browser-in-the-Browser Technique to Steal Steam Accounts

Threat actors are turning to the increasingly popular Browser-in-the-Browser (BitB) phishing technique in a new malicious campaign focused on stealing Steam user accounts.

The BitB method involves forging realistic phishing popup windows, often from pre-made templates, and deploying them in active windows to replicate legitimate popup login forms. Unlike other techniques, it lets attackers display custom URLs to increase the apparent legitimacy of the phishing page, making it less obvious to unsuspecting users.

Perpetrators quickly picked up on the new technique and started to use it against various services. Most recently, threat actors have taken an interest in high-profile Steam user accounts.

In a new campaign seemingly aimed at professional gamers, or generally owners of Steam accounts worth a fortune, attackers lure their victims under the pretenses of rewarding gaming tournaments. Unsuspecting users are led to a phishing site where they’re asked to log in to their Steam accounts for various reasons, including voting for teams in competitions or signing up for tournaments.

Attackers cunningly rely on the BitB technique to create a convincing Steam popup login window and display it inside the phishing website, as Bleeping Computer reports. However, the form isn’t actually displayed in a new window; instead, it uses JavaScript to emulate a popup login form almost imperceptibly.

The faux login form has full functionality and could easily pass as genuine to the untrained eye. Should the victim enter their credentials, the window would generate a new form, prompting them to provide their 2FA code and triggering an error if the code is not the right one.

Successfully authenticating would send the credentials to the threat actors and usually redirect the victim to a legitimate URL to avoid raising suspicion. At this point, proficient attackers often proceed with changing account email addresses and passwords to muddle the victims’ attempts to recover their stolen accounts.

Browser-in-the-Browser attacks can be hard to detect, especially if a sense of urgency is involved (e.g., the attacker makes a seemingly great, limited–time offer). In this case, traditional caution tips such as checking the URL or the SSL certificate padlock symbol are ineffective as perpetrators can easily display fake legitimacy elements.

Users could interact with the emulated window in various ways: minimizing, maximizing, closing or simply dragging it around. A dead giveaway would be that the fake window doesn’t create a new tab in the taskbar as a regular popup would.

The most effective way to mitigate BitB attacks is to block JavaScript, as the technique heavily relies on it. Unfortunately, so do many popular websites, which makes users reluctant to embrace such a drastic measure.


Turning to specialized tools such as Bitdefender Ultimate Security can give you the upper hand against cyber threats, thanks to its advanced array of features:

  • Anti-phishing module that detects and blocks websites that mimic legitimate ones to steal your data or credentials
  • Network threat prevention against suspicious network-level activities
  • Web-filtering technology that helps you avoid harmful websites
  • Advanced filtering module that warns you of websites that may try to scam you

tags


Author



Right now

Top posts

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August 31, 2022

4 min read
Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

August 30, 2022

2 min read
What is medical identity theft and how to protect against it

What is medical identity theft and how to protect against it

July 27, 2022

2 min read
Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

July 07, 2022

5 min read
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

June 28, 2022

2 min read
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

June 28, 2022

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Matrix Releases Updates to Patch Critical End-to-end Encryption Vulnerabilities Matrix Releases Updates to Patch Critical End-to-end Encryption Vulnerabilities
Vlad CONSTANTINESCU

September 30, 2022

2 min read
US Taxpayers Urged to Stay Vigilant as Major IRS-Themed Smishing Campaign Unfolds US Taxpayers Urged to Stay Vigilant as Major IRS-Themed Smishing Campaign Unfolds
Filip TRUȚĂ

September 29, 2022

1 min read
Auth0 Discloses Security Incident, Says Source Code Repos Were Likely Stolen Auth0 Discloses Security Incident, Says Source Code Repos Were Likely Stolen
Vlad CONSTANTINESCU

September 29, 2022

1 min read