A new ‘browser-in-the-browser’ attack threatens Steam users

Receiving a Steam message from someone trying to scam you out of a Team Fortress 2 hat was a rite of passage for PC gamers in the 2010s, but today’s phishing techniques are much more sophisticated. The latest attack looks like a real opportunity for up-and-coming competitive gamers, secure login form and all.

Security firm Group-IB (via Bleeping Computer) says that this sophisticated “browser-in-the-browser” phishing technique appeared “out of nowhere” earlier this year—it was first spotted by researcher mr.d0x—and has been snaring Steam users since. According to the company, the key to the method is that the attackers don’t just mimic a webpage, but an entire pop-up browser window. That allows them to make a fake Steam login form look trustworthy by displaying a fake SSL certificate lock symbol and other illusions.
