Browser-in-the-Browser: How Scammers Steal Steam Gamer Accounts

Group-IB has discovered 150 fraudulent websites disguised as the popular gaming platform Steam. Scammers are stealing gamer accounts using a subtle phishing technique called “Browser-in-the-Browser.”

Steam currently has 120 million registered gamers, and the number of games sold on the platform exceeds 50,000, including bestsellers like Half-Life, Counter-Strike, and Dota 2. A beginner’s account can be worth dozens of dollars, while top user accounts are valued at $100,000 to $300,000.

Since Steam’s launch in 2003, cybercriminals have tried, with varying success, to take over high-value gamer accounts. Now, victims are lured to fake pages through chat invitations to join esports tournaments for games like League of Legends, Counter-Strike, Dota 2, and PUBG. On these sites, users can vote for teams, buy tickets, or claim in-game items and skins. Another method is advertising in popular gaming videos (stream recordings, gameplay) or their descriptions.

How the Browser-in-the-Browser Technique Works

According to Group-IB experts, this technique exploits the fact that Steam authentication happens in a pop-up window, not a new tab. Unlike most phishing sites that open a fake page in a new tab or redirect you, this new method opens a fake browser window within the same tab.

Almost every button on these fraudulent sites brings up a login form that mimics the real Steam window. The pop-up includes a fake “green padlock” — the SSL certificate icon. The URL in the address bar of the fake window looks identical to the real one — you can highlight, copy, or open it in another tab. The buttons work correctly, and the window can be moved around the screen. Additionally, the phishing sites found in July let users choose from 27 languages.

When a gamer enters their credentials into the phishing form, the information is immediately sent to the scammer and automatically entered on the official site. If incorrect data is entered (a common way to check for phishing in gaming communities), the fake form will display an error message just like the real Steam. If the victim has two-factor authentication enabled, the phishing site will prompt for the code in an additional window.

“It seems that the old advice that helped gamers spot phishing sites a few years ago is now useless against this new scam method,” says Alexander Kalinin, head of Group-IB’s Incident Response Center. “Phishing sites using Browser-in-the-Browser technology are dangerous even for experienced Steam users who follow basic cybersecurity rules.”

Unlike most phishing campaigns, where the toolkit is developed for sale to other criminals, the Browser-in-the-Browser kits for Steam are kept private by the scammers who use them.

How to Spot a Browser-in-the-Browser Phishing Form

  • Check the design of the window’s title and address bar. A fake may look different from your browser’s standard style. Pay attention to fonts and the appearance of control buttons.
  • See if a new window appears in your taskbar. If not, the window is fake.
  • Try to resize the window — a fake one won’t let you. You also won’t be able to maximize it to full screen.
  • The window is limited to the browser screen — you can’t move it over the original tab’s controls.
  • The minimize button on a fake window just closes it.
  • The “padlock” icon in the phishing form is just an image. Clicking it does nothing, while the real one shows SSL certificate info.
  • The fake address bar isn’t functional. Sometimes you can’t enter a different URL, and even if you can, you won’t be able to navigate to it in the same window.
  • The window will stop appearing if you disable JavaScript in your browser settings.
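The checks above rest on one fact also described in the section on how the technique works: a genuine Steam pop-up is a separate browser window, so its address bar and padlock are browser chrome and never appear in the page’s DOM, whereas a fake pop-up has to draw them as ordinary page elements. The following detector is an added example written for this article; it is not code from Group-IB or from the phishing kits described. It flags a login host (the `PROTECTED_HOSTS` list is an assumption for the example) rendered as visible page text on a page whose real `location.host` is something else. The sample page snapshot and the host `tournament-example.invalid` are constructed placeholders; in a browser console, `collectLeaves()` builds the same snapshot from the live page.

```javascript
// Added example (not code from the article or from Group-IB): a heuristic
// detector for Browser-in-the-Browser overlays. A real pop-up's address bar
// and padlock are browser chrome, not DOM content. A fake pop-up must draw
// them as elements, so a login host appearing as page text on a page that
// is actually served from another host is the tell this code looks for.

// Hosts whose login window the scam imitates. steamcommunity.com is Steam's
// real community domain; the exact list is an assumption made for this example.
const PROTECTED_HOSTS = ["steamcommunity.com", "store.steampowered.com"];

// Host-like tokens, with or without a scheme or path,
// e.g. "https://steamcommunity.com/openid/login" or "store.steampowered.com".
const HOST_RE = /(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:\/\S*)?/gi;

// Distinct hosts mentioned in a piece of text, lower-cased, in order of appearance.
function hostsInText(text) {
  const hosts = new Set();
  for (const m of text.matchAll(HOST_RE)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

function isProtected(host, protectedHosts) {
  return protectedHosts.some((p) => host === p || host.endsWith("." + p));
}

// leaves: snapshot of visible leaf elements, each { tag, text, position }
// (see collectLeaves for how a browser builds it). realHost: the page's true
// location.host. Returns one finding per protected host drawn as page text.
// Fixed/absolute positioning is how an overlay "window" is drawn, so such hits
// are rated "high"; a mention in normal static flow is rated "low", since a
// legitimate page may simply talk about Steam.
function findSpoofedChrome(leaves, realHost, protectedHosts = PROTECTED_HOSTS) {
  const real = realHost.toLowerCase();
  const findings = [];
  for (const leaf of leaves) {
    for (const host of hostsInText(leaf.text)) {
      if (!isProtected(host, protectedHosts) || host === real) continue;
      const overlay = leaf.position === "fixed" || leaf.position === "absolute";
      findings.push({ host, tag: leaf.tag, text: leaf.text, severity: overlay ? "high" : "low" });
    }
  }
  return findings;
}

// Browser-only: snapshot the leaf elements of the live page. Not used in Node.
function collectLeaves(doc = document, win = window) {
  const out = [];
  for (const el of doc.querySelectorAll("body *")) {
    if (el.children.length > 0) continue;
    const text = (el.textContent || "").trim();
    if (!text) continue;
    out.push({ tag: el.tagName.toLowerCase(), text, position: win.getComputedStyle(el).position });
  }
  return out;
}

// Constructed sample: a "tournament" page served from a placeholder host that
// draws a fake Steam login window whose address bar is just a text span.
const REAL_HOST = "tournament-example.invalid"; // placeholder, not a real site
const SAMPLE_LEAVES = [
  { tag: "button", text: "Vote for your team", position: "static" },
  { tag: "span", text: "https://steamcommunity.com/openid/login", position: "fixed" },
  { tag: "input", text: "", position: "absolute" },
  { tag: "a", text: "Forgot your password?", position: "static" },
  { tag: "p", text: "Questions? Visit help.example.com", position: "static" },
];

// In a browser console: findSpoofedChrome(collectLeaves(), location.host)
if (typeof document === "undefined") {
  console.log(JSON.stringify(findSpoofedChrome(SAMPLE_LEAVES, REAL_HOST), null, 2));
}
```

A "high" finding means the page is drawing a Steam address bar itself, which is exactly the fake pop-up the article describes; a "low" finding is only a page that mentions Steam and needs the manual checks above to decide. The heuristic catches the text-based address bar, not one rendered as an image, so it complements rather than replaces the taskbar, resize, and padlock checks.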
