Steam hackers are hijacking accounts with this sneaky trick — would you fall for it?

(Image credit: Valve/Snappa)

Watch out, PC gamers! Hackers are on the prowl for your Steam account and they're using slippery methods to snatch it from you. According to a report from Group-IB, a cybersecurity firm, malicious actors are using a sneaky phishing strategy that lures unwitting users into inputting their credentials into sign-in pages.

Of course, you may be thinking, "There's no way I'd fall for that!" Although some phishing campaigns use half-baked, unconvincing, fraudulent pages to bait victims, Group-IB claims that the technique in its report, called "browser-in-the-browser," uses legitimate-looking windows that look indistinguishable from its authentic counterpart.

What is a 'browser-in-the-browser' phishing attack?

Steam uses a pop-up window for user authentication — not a new tab. As such, hackers take advantage of this by luring unwitting victims into interacting with a pop-up that mimics Steam's UI, but of course, it's a trap.

How do they get victims to click on these inauthentic, faux Steam pop-ups to begin with? Well, many cybercriminals masquerade as League of Legends, DOTA 2, PUBG, or Counter-Strike gamers and ask users to join their team. They also offer discounted cybersport tickets, ask users to vote for their favorite teams, and more.


"Bait webpage" for browser-in-the-browser attack (Image credit: Group-IB)

Once the user clicks a button on the "bait webpage," as Group-IB calls it, it launches a data entry form that mimics a legitimate Steam window. It even has an additional Steam Guard window for two-factor authentication (and a fake SSL certificate lock icon).


Example of "browser-in-the-browser" phishing attack (Image credit: Group-IB)

"Unlike traditional phishing resources, which open phishing webpages in a new tab (or redirect users to them), this type of resource opens a fake browser window in the same tab in order to convince users that it is legitimate," Group-IB said.

Some fraudulent Steam windows go as far as warning users that they're linking their account with a third-party company, adding an added layer of faux legitimacy to the deceptive phishing scheme.

Steam pop-up

(Image credit: Group-IB)

Oh yeah, these cybercriminals are that sneaky. Group-IB said that this phishing scheme is only available to select groups. The hacking teams who have access to this phishing kit offer phishing-for-hire services. In other words, cybercriminals sell access to Steam accounts, and Group IB reported that some pro-gamer accounts are valued at nearly $300,000.

How to protect yourself

Group-IB offered a checklist in its report to help Steam users spot a browser-in-the-browser phishing attack.

1. Check whether a new window opened in the task bar. If not, the browser window is fake.

2. Try to resize the window. If the window is fake, you won't be able to resize it.

3. Minimize the window. If the window is fake, the "minimize" button will close it.

4. Click on the SSL certificate lock icon. If it's fake, nothing will happen.

5. The address bar in fake windows are not functional.

Avoiding this phishing attack is fairly easy. Always be skeptical of unknown users requesting you to join their team or making other requests. If the message involves you clicking a URL, your suspicions should be heightened. No matter how legitimate or authentic a webpage may look, refrain from inputting your Steam credentials, especially if the link was sourced from a total stranger.

Kimberly Gedeon

Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!