Hackers are using a growing phishing method known as “Browser-in-the-Browser” in new cyberattacks to obtain Steam user credentials. The technique involves constructing a fake browser window inside the page that is already open, styled to look like the sign-in pop-up of a legitimate login service.
The capabilities of this brand-new phishing kit developed by security researcher mr.d0x were revealed in March 2022. Threat actors may create fake login pages for Google, Microsoft, Steam, and other services by using this phishing kit. In a recent study, Group-IB showed how a new campaign employing the “Browser-in-the-Browser” strategy targeted Steam users, namely professional gamer accounts. Some well-known Steam accounts are valued between $100,000 and $300,000, and these phishing campaigns seek to sell access to those accounts.
According to Group-IB, the phishing kit employed in the Steam campaign was not readily accessible on hacker forums or dark web marketplaces. Instead, it is used by hackers who secretly collaborate in Telegram or Discord channels to plan their attacks. Potential victims receive direct messages on Steam inviting them to join a team for LoL, CS, Dota 2, or PUBG competitions. The links in those messages lead targets to a phishing site that poses as an organization sponsoring and hosting esports tournaments.
Visitors must sign in with their Steam accounts to join a team and take part in a competition. However, the login window that appears is not a genuine browser window layered over the original website; it is a fake window rendered inside the current page, which makes it exceedingly difficult to recognize as a phishing operation. The landing pages even support 27 languages, automatically detecting the victim’s preferred language from browser settings and loading it.
After entering their credentials, the victim is prompted to submit a 2FA code on a new form. An error notice appears if this second step fails. If authentication succeeds, the user is typically redirected to a URL supplied by the C2, which reduces the chance that the victim becomes aware of the intrusion. By then the victim’s login information has already been captured and delivered to the threat actors. In similar attacks, threat actors briefly take over the account and then change the victim’s email address and password, making it more challenging for the victim to regain control.
Since the phishing window is only a rendering of a browser window rather than an actual one, threat actors can display whatever they want in it; this holds for all Browser-in-the-Browser phishing. The same applies to the padlock icon for the SSL certificate, which denotes an HTTPS connection and gives victims a false sense of security. Even worse, because the phishing kit lets the fake window be dragged around, enlarged, and minimized, it is exceedingly challenging to identify it as a phony browser-in-the-browser window.
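The tells described above (a sign-in "window" that is really a page element, a painted address bar naming a host the page is not on, a drawn padlock, and drag handlers on a DOM node) can be turned into a defender-side heuristic. The following is an added example and not code from the article, Group-IB, or mr.d0x. It assumes a browser-extension content script would build each candidate from an element's visible text, `getComputedStyle(el).position`, and whether it carries a drag handler; here the candidates, the lure hostname `esports-cup.example`, and the sample overlay text are constructed so the logic runs offline in Node.

```javascript
// Added example (not from the article, Group-IB, or mr.d0x): a heuristic that
// flags in-page elements impersonating a browser sign-in popup (BitB).
// In a content script, realHost would be window.location.hostname and each
// candidate would be read from the live DOM; here everything is constructed.

const URL_RE = /https?:\/\/([a-z0-9.-]+)/i;

// Hostname an element *claims* to be, e.g. from a painted address bar.
function claimedHost(text) {
  const m = URL_RE.exec(text);
  return m ? m[1].toLowerCase() : null;
}

// Returns the reasons an element looks like a BitB window, or [] if none.
// candidate: { id, text, position, draggable, hasLockGlyph, hasPasswordField }
function bitbIndicators(candidate, realHost) {
  const reasons = [];
  const host = claimedHost(candidate.text);
  const overlaid =
    candidate.position === "fixed" || candidate.position === "absolute";

  // Every indicator requires the element to be an overlay: ordinary links in
  // the page body also mention other hosts, so they must not fire.
  if (!overlaid) return reasons;

  if (host && host !== realHost) {
    reasons.push(`painted address bar claims ${host} while page is ${realHost}`);
  }
  if (candidate.hasLockGlyph) {
    reasons.push("draws its own padlock icon instead of the browser's");
  }
  if (candidate.draggable) {
    reasons.push("draggable DOM element styled as a window");
  }
  if (candidate.hasPasswordField && host && host !== realHost) {
    reasons.push("password field inside an overlay claiming another host");
  }
  return reasons;
}

// Flag only elements with at least two independent indicators to keep
// ordinary modals (same host, no fake chrome) out of the results.
function findBitbWindows(candidates, realHost) {
  return candidates
    .map((c) => ({ id: c.id, reasons: bitbIndicators(c, realHost) }))
    .filter((r) => r.reasons.length >= 2);
}

// Constructed sample: the page really sits on the tournament lure host, and one
// fixed overlay paints a Steam URL, a padlock and a password field.
const SAMPLE_HOST = "esports-cup.example"; // constructed lure hostname
const SAMPLE_CANDIDATES = [
  { id: "hero-banner", text: "Join our team for the CS tournament",
    position: "static", draggable: false, hasLockGlyph: false, hasPasswordField: false },
  { id: "footer-link", text: "Powered by https://steamcommunity.com",
    position: "static", draggable: false, hasLockGlyph: false, hasPasswordField: false },
  { id: "fake-signin", text: "https://steamcommunity.com/login  Sign in through Steam", // constructed text
    position: "fixed", draggable: true, hasLockGlyph: true, hasPasswordField: true },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of findBitbWindows(SAMPLE_CANDIDATES, SAMPLE_HOST)) {
    console.log(`#${hit.id}: ${hit.reasons.join("; ")}`);
  }
}
```

The heuristic only scores what a content script can observe; the decisive manual check remains the one the technique cannot fake: a real sign-in popup is a separate OS window and can be dragged past the edge of the page's viewport, while a BitB overlay is clipped by it.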