Users of Valve Corp.’s popular gaming service Steam are being targeted by hackers using novel browser-in-the-browser attacks.

BitB attacks, which first emerged in March, involve the use of a simulated login window with a spoofed domain within a parent browser window to steal credentials. As detailed today by researchers at Group-IB Global Pvt. Ltd., Steam users are being duped by the BiTB attacks that start with a phishing campaign.

To trick users into handing over their credentials, those behind the attack lure victims to a fake website that contains a login button with messages offering various offers such as joining a game team or tournament and purchasing discounted tickets to cybersport events. In another case, viewers of a gameplay video were given the option to visit another resource to receive a free in-game item.

Where users are easily tricked is that those behind the campaign take advantage of Steam using a pop-up to log in to their accounts by presenting victims with a fake version of this pop-up. The researchers note that the fake pop-up “has a fake green lock sign, a fake URL field that can be copied and even an additional Steam Guard window for two–factor authentication.”

The fake pages themselves are typically entirely copied from legitimate pages. In many cases, they also include an alert about data being saved on third-party resources.

In July, more than 150 fraudulent resources mimicking Steam were found. How many victims have fallen for the fake pages and BitB is not clear, though the researchers cite multiple examples of users claiming to have had their accounts stolen, including accounts valued as highly as $300,000.

The researchers conclude that aside from blocking JavaScript, which the technique relies on but would also block legitimate websites, users should be careful with links received from people they both do and don’t know. When receiving links from friends on services such as Steam and Discord, users should verify that they are actually talking with their friends before following any links sent to them.

Alon Levin, vice president of product management at browser security provider Seraphic Security Ltd., told SiliconANGLE that the BitB approach is rising in popularity among threat actors looking to create fake login forms and sell access to accounts.

“In this case, displaying fake browser windows and login forms has allowed this attack method to access the accounts and credentials of Microsoft and Google users,” Levin explained. “Visitors are requested to login and are then redirected to a fake window, where credentials are stolen after being entered by the user.”

Although these attacks are becoming a more common tactic with cybercriminals, internet users can mitigate these threats by leveraging comprehensive browser security, Levin added. “Though users can easily mistake such sites as the one targeted in this phishing attempt for being legitimate, a system that is based on execution flow analysis can thwart these attacks easily,” he said.

Image: Steam