October 2, 2023

Researchers from Group-IB have published a report on a sophisticated Browser-in-the-Browser phishing technique that is snaring Steam users.

Accounts belonging to competitive and professional gamers, worth hundreds and thousands of dollars, are being targeted with fake direct messages on Steam inviting them to join tournaments. The user then navigates to a slick-looking game tournament platform, where they are asked to log in using their Steam credentials and a 2FA code.

Once the 2FA is bypassed, the hackers have access to the user's account and can change the login credentials, making recovery difficult. By the time access is regained, virtual goods such as skins will probably be gone, credit card information could be compromised, or the hacker may use the friends list for further targeting.


This kind of phishing attack is deadly because it renders a mimic of a real browser pop-up window. An unsuspecting user would believe they are using a real site, complete with a security certificate, multiple languages and a professional design. The attack relies mainly on JavaScript.
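Because the fake pop-up is drawn by the page itself, the address it displays is ordinary page text, while the real origin is still the tournament site. The heuristic below is an added example, not code from the Group-IB report: it flags a page that shows a trusted login host as text and asks for a password while being served from a different host. The host list, function names and sample pages are assumptions constructed for illustration.

```javascript
// Added example: heuristic check for a page that draws its own "login window".
// Assumption: hosts a user expects to see when signing in to Steam.
const TRUSTED_HOSTS = ["steamcommunity.com", "store.steampowered.com"];

function hostMatches(host, trusted) {
  return host === trusted || host.endsWith("." + trusted);
}

// Approximate the text a user sees: drop scripts/styles, then all tags.
function visibleText(html) {
  return html
    .replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, " ")
    .replace(/<[^>]*>/g, " ")
    .replace(/\s+/g, " ")
    .toLowerCase();
}

function hasPasswordInput(html) {
  return /<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(html);
}

// Flags a page that shows a trusted host as text, asks for a password,
// and is itself served from some other host.
function checkPage(pageUrl, html, trusted = TRUSTED_HOSTS) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const text = visibleText(html);
  const displayedForeignHosts = trusted.filter(
    (t) => text.includes(t) && !hostMatches(pageHost, t)
  );
  const passwordField = hasPasswordInput(html);
  return {
    pageHost,
    displayedForeignHosts,
    passwordField,
    suspicious: passwordField && displayedForeignHosts.length > 0,
  };
}

// Constructed samples (not captured from any real site).
const FAKE_POPUP_PAGE = `<div class="win"><div class="bar">
  https://steamcommunity.com/openid/login</div>
  <form><input name="user"><input type="password" name="pw"></form></div>`;
const NEWS_PAGE = `<p>Log in only at steamcommunity.com.</p>`;

console.log(checkPage("https://tournament.example/join", FAKE_POPUP_PAGE));
console.log(checkPage("https://steamcommunity.com/login", FAKE_POPUP_PAGE));
console.log(checkPage("https://blog.example/post", NEWS_PAGE));
```

A hit is a reason to inspect the page before typing anything, not proof of phishing.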

Dodgy links need to be watched carefully. Exercise caution before clicking any link, and validate each action. Strong passwords and 2FA on accounts are a mandatory requirement to stay safe.
