Steam account credentials phished in browser-in-a-browser attack

Steam users are once again under threat from a particularly sneaky tactic used to steal account details. As with so many current Steam attacks, it accommodates the possibility that users rely on Steam Guard Mobile Authentication for additional protection. It also makes use of a recent “browser within a browser” technique to harvest Steam credentials.

The attack leans into a common threat tactic where Steam is concerned: E-sports and other tournament-related events. This tactic has been around for years, and it usually takes one of two forms.

  1. Steam users are asked via Steam Chat or forum posts to “vote” for someone’s favourite team on a competition website. These requests often come from accounts that have themselves been compromised. The bogus site phishes the victim at what claims to be the voting stage. These sites may also ask users to turn off their Steam Guard protection before submitting their username and password.

  2. Scammers ask Steam users to join a team or league, and direct them to malware or phishing pages.

It’s the second of these possibilities that is used as this particular scam’s launch pad.

A browser in a browser

In this case, people are asked if they can play. If not, they’re asked if they can at least vote for the scammer’s non-existent team. Here, it’s a Roblox team in the “Metanola Cup”.

The fake site emulates what appears to be a site dedicated to organising and promoting various E-sport competitions and teams. This is where the sneaky part comes into play. This particular scam makes use of a “browser in a browser” attack first mentioned on Bleeping Computer in March of this year. The fake browser window sitting inside the real thing can make it very difficult to realise you’re looking at a phishing attempt.

In this case, most potential victims would assume the popup inside the main browser window, which appears to display the genuine Steam URL and “Valve Corp. [US]” next to the green padlock, is the real thing. It even detects your language from the browser preferences and then selects one of 27 language options for the fake login form.
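The tell-tale sign of a browser-in-a-browser window is that its “address bar” is just page content: a real login popup gets its URL bar drawn by the browser, outside anything a page can paint. The following is an added example (not code from the article or from Bleeping Computer) of a heuristic check a defender can run from the browser console or a bookmarklet: it flags any in-page text that shows a URL for a Steam login host while the page is actually served from somewhere else. The host list and the sample page hostname are assumptions/constructed for illustration.

```javascript
// Hosts a fake Steam login bar is likely to imitate (assumption for this example).
const LOGIN_HOSTS = ["steamcommunity.com", "store.steampowered.com"];

// Pure core: given the page's real hostname and the visible text fragments
// found in the page, return fragments that display a URL for a login host
// the page is not actually served from (a fake address bar drawn by the page).
function findFakeAddressBars(realHostname, textFragments) {
  const urlLike = /https?:\/\/([a-z0-9.-]+)/gi;
  const real = realHostname.toLowerCase();
  const hits = [];
  for (const text of textFragments) {
    for (const m of text.matchAll(urlLike)) {
      const shownHost = m[1].toLowerCase();
      const imitatesLogin = LOGIN_HOSTS.some(
        (h) => shownHost === h || shownHost.endsWith("." + h)
      );
      // A genuine page on that host (or a subdomain of it) may of course show its own URL.
      const pageIsThatHost = real === shownHost || real.endsWith("." + shownHost);
      if (imitatesLogin && !pageIsThatHost) {
        hits.push({ shown: m[0], realHostname: real, text: text.trim() });
      }
    }
  }
  return hits;
}

// Browser wrapper: collect short text from leaf elements (a painted address
// bar is a small piece of rendered text, not a link target) and run the check.
function scanDocument(doc, realHostname) {
  const fragments = [];
  for (const el of doc.querySelectorAll("div, span, p, input")) {
    if (el.children.length > 0) continue; // leaf elements only, avoids duplicate parent text
    const value = el.tagName === "INPUT" ? el.value : el.textContent;
    if (value && value.length < 200) fragments.push(value);
  }
  return findFakeAddressBars(realHostname, fragments);
}

// Constructed sample: text as it might appear on a fake "vote for our team" page.
const SAMPLE_PAGE_HOST = "metanola-cup.example"; // placeholder, not a real indicator
const SAMPLE_FRAGMENTS = [
  "Vote for our team!",
  "https://steamcommunity.com/openid/login", // the painted "address bar"
  "Valve Corp. [US]",
  "Sign in through Steam",
];

if (typeof document !== "undefined") {
  console.log(scanDocument(document, location.hostname)); // run in a real browser tab
} else {
  console.log(findFakeAddressBars(SAMPLE_PAGE_HOST, SAMPLE_FRAGMENTS));
}
```

An empty result does not prove a page is safe; it only rules out the specific trick of painting a Steam URL inside page content.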

Finally, the site asks for the user’s Steam Guard authentication code. This is the 2FA code displayed on the Steam mobile app when logging into your account. Without the code, you can’t log in. The scammers will harvest these codes and either have the details entered automatically, or do it manually. If they choose to do this manually and they’re not around when victims are handing over details, their window for success is going to be quite short.

Avoiding Steam-focused attacks

As mentioned in the Bleeping Computer article, this is not an easy tactic to spot in the wild. Blocking JavaScript is one way to stop it, but you risk compromising the functionality of many websites if you go down this path. The best defence is to studiously ignore any and all messages sent your way by strangers in relation to the below, and this includes topics unrelated to E-sports:

  • Joining an E-sports league

  • Joining or helping out an E-sports team

  • Voting for a team or individual

  • The promise of cheap items or trades/discounts

  • Free games, bonus promotional offers and items

  • The “I accidentally reported you” scam

Stay safe out there!