Beware Of Hackers Using Fake Browser Windows To Steal Your Steam Credentials
Some recent Steam account phishing attacks try to lure in unsuspecting users with private messages offering discounted esports event tickets, opportunities to join esports tournaments, or the chance to vote for a user’s favorite esports team. Some threat actors set up gaming livestreams similar to the recent cryptocurrency scam livestreams. Rather than offering free cryptocurrency, these gaming livestreams advertise free in-game character customization items. All of these different offers include links to websites controlled by threat actors. These websites are made to appear legitimate and direct users to claim an offer by logging into Steam. However, the Steam login windows that appear when users follow these prompts are not real windows.
Browser-in-the-browser (BITB) attacks have now graduated from proof of concept to reality, as threat actors are using this technique in their phishing attacks on Steam accounts. The image above shows an example of an interactive fake Steam login window on a phishing webpage. Users can drag the window around, but only inside the confines of the web browser's own viewport, and can change the language of the login page. The fake page can also detect whether a user's account has two-factor authentication (2FA) enabled; if so, the window updates with a prompt asking for a 2FA code.
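As an added defensive example (not code from the original article or from Steam), the check below is what a bookmarklet or browser extension could run on a page: a genuine login pop-up is a separate browser window, whereas a BITB window is ordinary page content, so any "address bar" rendered inside the document whose host disagrees with the page's real hostname is suspect. The phishing hostname in the comments and tests is a constructed sample; `steamcommunity.com` is the real Steam community host.

```javascript
// Heuristic detector for browser-in-the-browser (BITB) fake login windows.
// Assumption: the fake window paints its URL bar as plain page text, so a
// URL shown *inside* the DOM can be compared with the true top-level origin.

const URL_RE = /https?:\/\/[a-z0-9.-]+(?:\/[^\s"'<>]*)?/i;

// Extract the hostname from the first URL-looking substring, or null if none.
function hostOf(text) {
  const m = URL_RE.exec(text);
  if (!m) return null;
  try { return new URL(m[0]).hostname.toLowerCase(); } catch { return null; }
}

// Core check: text that displays an address must belong to the origin the
// browser is actually on. "https://steamcommunity.com/..." painted on a page
// served from a constructed host such as "evil-example.test" is a BITB signal.
function looksLikeBitb(displayedAddress, actualHostname) {
  const shown = hostOf(displayedAddress);
  if (!shown) return false; // nothing URL-like to compare
  const real = actualHostname.toLowerCase();
  return shown !== real && !shown.endsWith('.' + real);
}

// Walk every short text node in the document and report the ones that look
// like a fake address bar. Returns [] outside a browser (e.g. under Node),
// so the pure logic above can be tested without a DOM.
function scanForFakeWindows(doc, actualHostname) {
  if (!doc || !doc.body) return [];
  const hits = [];
  const walker = doc.createTreeWalker(doc.body, 4 /* NodeFilter.SHOW_TEXT */);
  for (let n = walker.nextNode(); n; n = walker.nextNode()) {
    const t = n.nodeValue.trim();
    if (t.length < 200 && looksLikeBitb(t, actualHostname)) {
      hits.push({ text: t, element: n.parentElement });
    }
  }
  return hits;
}

// Browser usage: the hits can be highlighted or logged by an extension.
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  const hits = scanForFakeWindows(document, location.hostname);
  if (hits.length) console.warn('Possible BITB fake login window(s):', hits);
}
```

A second simple tell that needs no code: a real pop-up can be dragged outside the browser's viewport, while a BITB window stops at its edge.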