Steam accounts are at risk of browser-in-browser phishing attacks

Beware of hackers


Steam users fall victim to a wave of browser-in-browser phishing attacks

Malwarebytes has issued a warning to Steam users about a new wave of phishing attacks that have seen the login credentials of users stolen, allowing attackers to take control of a gamer's Steam account. Some of these attacks even account for the protections provided by the Steam Guard mobile authentication system.

Attackers are using so-called browser-in-browser phishing techniques to harvest the Steam credentials of gamers, often using eSports teams and "votes" as a way to bring Steam users onto fake competition websites. These attacks often start when a compromised account sends a message to potential victims, asking them to join a team or league, or to enter a website and vote for their favourite eSports team/organisation.

Once on a fake eSports website, users are asked to log into their Steam account using a "browser-in-browser" technique that makes it appear like they are logging into their Steam account through an official Steam URL. Once Steam credentials are entered, the site will then ask for a Steam Guard authentication code. Once these details are gathered, attackers will log into their victim's Steam account and take control of it. 


How to avoid these attacks

Malwarebytes has released the following tips that Steam users can utilise to protect themselves from these kinds of phishing attacks. 

1. Block JavaScript in your browser (though this may break some websites)

2. Ignore all messages from strangers on Steam that are related to the following topics:

- Joining an E-sports league

- Joining or helping out an E-sports team

- Voting for a team or individual

- The promise of cheap items or trades/discounts

- Free games, bonus promotional offers and items

- The “I accidentally reported you” scam

You can join the discussion on Steam users getting hit by browser-in-browser phishing scams on the OC3D Forums.


Most Recent Comments

14-09-2022, 13:17:34

Peace
I've fallen victim to this, but that was months ago. Malwarebytes is pretty slow on this topic.


But yes, it can happen to anybody and I knew the person who sent me the message, I just didn't read too carefully. Luckily, a friend asked me a day later if my account got hacked. Funnily enough, the attacker didn't change the password, so I could take control back and change credentials.

14-09-2022, 16:34:43

Dicehunter
The only place you should be entering your Steam details is through the official launcher and never click on links in messages, I thought both of these things were basic common sense account security knowledge.

14-09-2022, 16:36:03

Dawelio
Quote:
Originally Posted by Dicehunter View Post
The only place you should be entering your Steam details is through the official launcher and never click on links in messages, I thought both of these things were basic common sense account security knowledge.
Just read the article and the length you'd have to go through to actually get your account compromised is a bit ridiculous. Like entering your details and also authorising it? I mean, come on, at that point you'd have a gut feeling that something isn't right...