
'Browser-in-the-Browser' Phishing Attack

Defrauders are using a new phishing technique known as Browser-in-the-Browser to obtain confidential account credentials from their victims. So far, the attackers appear to be mainly targeting Steam users and professional gamers. It is likely that any compromised accounts will be offered for sale, as some prominent Steam accounts have been estimated to be worth between $100,000 and $300,000.

Steam is the largest digital distribution platform for PC gaming, and its developer Valve Corporation also owns some of the biggest esports titles in the world, such as CS:GO and DOTA 2. The Browser-in-the-Browser phishing attacks begin with bait messages sent directly to users via Steam. The fraudsters invite their victims to join a team for a popular competitive game (LoL, CS, DOTA 2, PUBG) and participate in a supposed tournament. The link found in the lure message will take the unsuspecting victims to a fake site, designed to appear as if it belongs to an organization hosting esports competitions. When users try to join a team, they will be prompted to log in via their Steam account.

Here is where the Browser-in-the-Browser technique comes into play. Instead of the legitimate login window that is typically overlaid on the existing website, victims will be presented with a fake window created within the current page. Spotting that something is wrong is extremely difficult, as the fake window is visually identical to the real one and the URL it displays matches the legitimate address. The landing pages can even choose between 27 different languages to match the default one used by their victims.
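Because the fake window is part of the page, the address it displays is ordinary page content rather than browser chrome, which a URL scanner can check for. The following is an added example, not code from the report or from any phishing kit: a heuristic that flags a page with a password field that also draws, as a standalone text node, a URL on a watched login host while being served from a different host. The host list, the function names and the sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: login hosts this scanner watches for; extend for other providers.
PROTECTED_HOSTS = ("steamcommunity.com", "steampowered.com")
# A text node that is nothing but a URL, as a drawn address bar would be.
BARE_URL = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?::\d+)?(?:/\S*)?", re.I)
# Constructed sample: markup served from tournament.example that draws a Steam URL.
SAMPLE = ('<div class="win"><span>https://steamcommunity.com/openid/login</span>'
          '<form><input name="u"><input type="password" name="p"></form></div>')

def _is_protected(host):
    host = host.lower().rstrip(".")
    return any(host == p or host.endswith("." + p) for p in PROTECTED_HOSTS)

class _PageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden = 0            # depth inside <script>/<style>
        self.has_password = False
        self.url_texts = []        # visible text nodes that are a bare URL

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.hidden += 1
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password = True

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.hidden:
            self.hidden -= 1

    def handle_data(self, data):
        text = data.strip()
        if not self.hidden and BARE_URL.fullmatch(text):
            self.url_texts.append(text)

def drawn_address_bars(html, page_url):
    """Return URL strings drawn in the page that name a protected login host
    while the page itself is served from a different host."""
    if _is_protected(urlsplit(page_url).hostname or ""):
        return []                  # the real login page may show its own URL
    scan = _PageScan()
    scan.feed(html)
    if not scan.has_password:
        return []
    return [t for t in scan.url_texts if _is_protected(BARE_URL.fullmatch(t).group(1))]
```

The check reads static HTML only, so an address bar rendered as an image or assembled by script at runtime will not be seen; treat a hit as a signal for review rather than a verdict.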

Once the account credentials are entered, a new prompt asking for a 2FA (Two-Factor Authentication) code will be displayed. Failure to provide the right code will result in an error message. If users pass the authentication, they will be redirected to a new address that is determined by the operation's Command-and-Control (C2) server. Typically, this address belongs to a legitimate website as a way to mask the actions of the con artists. However, at this point, the victim's credentials have already been compromised and transmitted to the threat actors.

Details about the Browser-in-the-Browser phishing technique and the attack operation as a whole were disclosed to the public in a report by security researchers. According to their findings, the phishing kit utilized in the Steam campaign is not available for sale on hacking forums. It is instead being kept within a narrow circle of cybercriminals who coordinate their activities on Discord or Telegram channels.
