Steam accounts are being stolen by this devious phishing attack

techradar.com:

Steam users are being targeted by cybercriminals looking to steal accounts, a new report from Group-IB has claimed.

The experts uncovered a group of hackers using an elusive phishing kit to try and lure gamers into giving away their Steam login credentials, and once they do, the crooks will try to sell their accounts on the black market.

The thefts can allegedly be rather lucrative, with some of the more high-profile accounts reportedly selling for as much as $100,000 to $300,000 apiece.

The group gathers either on Discord or Telegram and uses a phishing kit capable of “browser-in-browser” attacks, something not as widely distributed among the cybercrime community as some other tools. 

What they’ll do is try and reach out to pro gamers on Steam and invite them to a tournament for one of the more popular titles, such as League of Legends, Counter-Strike, Dota 2, or PUBG. The invitation will carry a link, which will bring the victim to a website that looks like it belongs to an organization sponsoring and hosting esports tournaments. 

To sign up for the tournament, the victims will be asked to log into their Steam accounts, which will look like a regular login pop-up page. However, that login page isn’t a browser popup, but rather an entire fake window, created within the current page. That makes it extremely difficult for the victim to spot they’re being attacked, especially because the link in the search bar will look legitimate.

>Watch out — that WeTransfer link could be a phishing scam>This Facebook Messenger phishing scam may have trapped millions of users>Here's our pick for the best ID management software around(opens in new tab)

After typing in their credentials, the targets will also be asked for their 2FA code, and if