Those dodgy hackers are at it again, and this is one that gamers in particular need to keep an eye out for as it targets Steam users.
Group-IB (via Bleeping Computer) is reporting that a sophisticated Browser-in-the-Browser phishing technique is snaring Steam users. In particular, competitive and professional gamers are being targeted with fake direct messages on Steam, inviting them to join tournaments. The user will then navigate to a slick-looking game tournament platform where they are asked to log in using their Steam credentials and a 2FA code.
Once that's done, the hackers will have access to the user's account and can change the login credentials, making recovery difficult. By the time you regain access, your virtual goods such as skins will probably be gone, your credit card info could be compromised, or the hacker may use your friends list for further targeting.
By baiting users with tournament play, this is an attack that is apparently aimed at competitive and professional gamers. These accounts are the ones that are more likely to have expensive virtual goods, with Group-IB claiming that some accounts are worth hundreds of thousands of dollars.
This kind of phishing attack is especially devious because it renders an imitation of a real browser pop-up window. For all intents and purposes, an unsuspecting user would believe they are using a real site, complete with a security certificate, multiple languages and a professional design. The fake window can be maximized, minimized, and moved around to give it a more legitimate look.
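A defensive heuristic for the fake window described above, as an added example that is not from the article or from Group-IB: text drawn inside a page that displays a Steam login address while the real top-level page is hosted elsewhere is a strong sign of an imitation pop-up. The trusted host list, function names and sample strings are assumptions constructed for illustration.

```javascript
// Added example: flag in-page text that imitates an address bar.
// Assumption: these are the login hosts the user trusts; adjust as needed.
const TRUSTED_LOGIN_HOSTS = ["steamcommunity.com", "store.steampowered.com"];

// True when `host` equals `trusted` or is a subdomain of it.
function hostMatches(host, trusted) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === trusted || h.endsWith("." + trusted);
}

// Pull a hostname out of text that looks like an address-bar string.
function hostFromText(text) {
  const m = text.trim().match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/:?#]|$)/i);
  return m ? m[1].toLowerCase() : null;
}

// pageHost: hostname of the real top-level document (location.hostname).
// visibleTexts: text of elements drawn inside the page, not browser UI.
// Returns the texts that display a trusted login host while the real page
// is hosted elsewhere, i.e. an address bar that is only a drawing.
function findSpoofedAddressBars(pageHost, visibleTexts) {
  if (TRUSTED_LOGIN_HOSTS.some((t) => hostMatches(pageHost, t))) return [];
  return visibleTexts.filter((text) => {
    const shown = hostFromText(text);
    return shown !== null && TRUSTED_LOGIN_HOSTS.some((t) => hostMatches(shown, t));
  });
}

// Constructed sample input: text nodes collected from a fake tournament page.
const sampleTexts = [
  "Join the tournament",
  "https://steamcommunity.com/openid/login?openid.mode=checkid_setup",
  "Sign in through Steam",
  "steamcommunity.com.example.net/login", // look-alike host, not a trusted one
];
console.log(findSpoofedAddressBars("tournament.example", sampleTexts));
```

A genuine pop-up shows its address in browser UI that page script cannot draw, so on a legitimate third-party page the collected text should not contain a trusted login URL laid out as an address bar.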
As the attack uses JavaScript, a script-blocking extension will offer some protection by preventing the malicious code from running. As someone
Read more on pcgamer.com