Steam, the PC gaming platform, has been compromised in a browser-in-the-browser phishing attack that allowed threat actors to access users’ accounts and credentials. This form of attack simulates a login window with a spoofed domain within a parent browser window to steal credentials.
The phishing technique seeks to exploit the Single Sign-On authentication model to trick the user into coughing up sensitive information, chiefly their login credentials.
With Steam, analysts at Group-IB found that the attackers lured victims by asking them to log into Steam to “join a team for a LoL, CS, Dota 2, or PUBG tournament, to vote for [their] favorite team, to buy discounted tickets to cybersport events, and more”.
Once Steam credentials are entered, the site proceeds to request a Steam Guard authentication code. After this is entered, the details are gathered and attackers log into their victim’s Steam account and take control of it.
Looking into the matter for Digital Journal is Alon Levin, VP of Product Management at Seraphic Security.
Levin begins by considering the nature of the attack, noting: “Unfortunately, this approach is rising in popularity among threat actors looking to create fake login forms and sell access to accounts.”
The attack method creates fake browser windows within the active window, making it appear as a sign-in pop-up page for a targeted login service.
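The defining trait of the technique described above is that the “pop-up” is not a browser window at all: it is ordinary page content (HTML and CSS) that draws a title bar, a padlock and a legitimate-looking address inside the attacker's own page. A real pop-up, by contrast, lives outside the parent page's DOM. The following is an added example, not code from Group-IB, Seraphic Security, Steam or the article's author. It implements a defender-side heuristic that scans a page's HTML for a drawn address bar: URL-like text that names a host other than the page's own, that is rendered as plain text rather than a link, and that sits inside an absolutely or fixed-positioned container (the usual way a fake window is floated over the page). The sample page, the host name `tournament-site.example` and the function names are constructed for this demonstration.

```python
"""Heuristic detector for browser-in-the-browser (BitB) fake login windows.

Added example (not part of the original article). A BitB lure paints a
fake browser chrome, including an address bar showing a trusted domain,
inside the attacker's page. This scanner flags URL-looking text that
claims a foreign host, is not a real hyperlink, and is rendered inside a
positioned (floating) element. Sample HTML below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches http(s) URLs appearing as text; the page's real host is compared
# against the host named in that text.
URL_RE = re.compile(r"https?://[\w.-]+(?:/[^\s<>'\"]*)?")

# Elements that never get a closing tag; they must not stay on the stack.
VOID_TAGS = {"img", "input", "br", "hr", "meta", "link", "source"}


class FakeChromeScanner(HTMLParser):
    """Walks the HTML and records text that looks like a drawn address bar."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        # Stack of (tag, is_positioned, is_link) for the open elements.
        self.stack = []
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        positioned = "position:fixed" in style or "position:absolute" in style
        is_link = tag == "a" and "href" in a
        self.stack.append((tag, positioned, is_link))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy nesting.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        for m in URL_RE.finditer(data):
            host = urlparse(m.group(0)).hostname
            if host is None or host == self.page_host:
                continue  # same-origin text is not a spoofed address bar
            inside_positioned = any(p for _, p, _ in self.stack)
            inside_link = any(l for _, _, l in self.stack)
            if inside_positioned and not inside_link:
                self.findings.append(
                    {"url_text": m.group(0), "claimed_host": host}
                )


def scan_for_fake_login_window(html, page_host):
    """Return a list of suspected drawn address bars in `html`.

    `page_host` is the host the browser actually loaded the page from.
    """
    scanner = FakeChromeScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed lure page: a tournament vote site (tournament-site.example)
# floating a fake "Steam" window with a painted address bar over itself.
SAMPLE_PAGE_HTML = """
<html><body>
  <nav><a href="https://steamcommunity.com">https://steamcommunity.com</a></nav>
  <h1>Vote for your favourite Dota 2 team</h1>
  <button>Sign in through Steam</button>
  <div style="position:fixed; top:20%; left:30%; border:1px solid #999">
    <div class="titlebar"><img src="lock.png"> https://steamcommunity.com/openid/login</div>
    <form method="post">
      <input name="user"><input name="pass" type="password">
    </form>
  </div>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_for_fake_login_window(SAMPLE_PAGE_HTML, "tournament-site.example"):
        print("possible fake login window claiming", f["claimed_host"], "->", f["url_text"])
```

The nav link to steamcommunity.com is not reported because it is a genuine hyperlink in normal page flow; only the floating box whose text claims to be a Steam address is flagged. The heuristic is deliberately narrow: chrome drawn as an image or on a canvas is invisible to it, and a site that legitimately quotes a URL inside a modal will produce a false positive. The manual check a user can still apply is the one the technique cannot fake: a real pop-up window can be dragged outside the edge of the parent browser window, while a fake one drawn inside the page cannot leave it.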
With the specific incident, Levin continues: “In this case, displaying fake browser windows and login forms has allowed this attack method to access the accounts and credentials of Microsoft and Google users.”
When the computer user proceeds to access Steam, Levin explains: “Visitors are requested to log in and are then redirected to a fake window, where credentials are stolen after being entered by the user.”
Moving on to consider the attack method more fully, Levin finds: “Although Browser-in-the-Browser attacks are becoming a more common tactic with cybercriminals, Internet users can mitigate these threats by leveraging comprehensive browser security.”
So how might such attacks be thwarted? Levin explains: “Though users can easily mistake such sites as the one targeted in this phishing attempt for being legitimate, a system that is based on execution flow analysis can thwart these attacks easily.”
Levin adds: “Systems based on execution flow analysis can thwart these attacks, maintain session integrity and prevent other types of phishing and social engineering attacks.”