Attackers have been targeting users of the popular Steam online gaming platform by using an emerging phishing tactic that deploys authentic-looking fake browser windows to steal credentials and take over accounts. The widespread campaign is a signal to businesses that the novel technique should be on security radars going forward.
Dubbed "browser-in-the-browser," the savvy phishing approach was first spotted about seven months ago by a researcher who goes by the name "mr.d0x."
The technique involves opening a pop-up window or a new tab that looks like any other browser window. However, this window is actually a phishing page that steals credentials, in this case allowing attackers to defraud gamers on Steam (which has more than 120 million users) of potentially thousands of dollars, according to researchers at Group-IB.
Browser-in-the-Browser: A New Threat
While targeting Steam users is not a new tactic, using a browser-in-the-browser method is — and it's why this recent campaign is having success where others did not, Group-IB's Ivan Lebedev, head of CERT-GIB anti-phishing and global cooperation group, and Dmitry Eroshev, CERT-GIB analyst, wrote in a recent blog post.
"Fraudsters have been creating hundreds of phishing resources masquerading as Steam for more than 20 years, but most of these websites looked half-baked and users easily spotted a fake," they wrote.
Indeed, phishing has been around so long most people browsing the Web are aware of it, which has forced attackers to get more creative and savvy in how they fool users into falling for their bait — hence the emergence of novel techniques that make phishing pages harder to spot.
One thing allowing attackers to succeed with browser-in-the-browser phishing against Steam users is that Steam itself authenticates users in a pop-up window rather than in a new tab, so a fake pop-up matches what users expect to see, the researchers said.
"User authentication in a pop-up window instead of a new tab is becoming increasingly popular with legitimate websites and platforms, including Steam," the researchers wrote. "This method meets users’ expectations and therefore is less likely to arouse suspicion."
While new user accounts are of minimal value, in the tens of dollars, Steam can prove a lucrative target for attackers if they manage to take over a leading player's account, which can be worth between $100,000 and $300,000, they said.
How It Works
Browser-in-the-browser phishing starts similarly to a typical phishing campaign, with a malicious message that contains some kind of offer.
In the case of the Steam campaign, attackers send a message to a Steam user asking them to join a team for a tournament inside the platform, to vote for the user’s favorite team, or to buy discounted tickets to cyber-sport events, among other lures, the researchers said.
The researchers also have seen attacks that baited viewers of a popular gameplay video (a recorded stream) with an offer to visit another resource and receive a free in-game skin. In this lure, an ad redirecting users to the phishing website appears both on screen and in the video's description.
Clicking on almost any button on one of the bait webpages opens an account data-entry form that mimics a legitimate Steam window, the researchers said. To make it appear authentic, the page includes a fake green lock sign, a fake URL field that can be copied, and even an additional Steam Guard window for two-factor authentication, they said.
Key Differences From Traditional Phishing
There are a number of differences between typical phishing campaigns and browser-in-the-browser methods that make the novel technique more effective. A key one is how the phishing page is opened once a user takes the bait and clicks on a link or button, the researchers said.
In a typical phishing campaign, the user is redirected to a new tab or website that displays the phishing data-entry form. In a browser-in-the-browser campaign, however, the page that lifts user credentials is rendered inside the same tab as the bait page rather than in a new one, which adds to its apparent legitimacy.
Other aspects that give the phishing page more credibility are that the URL shown in the fake address bar is identical to the legitimate one, rather than a different URL that a user could easily spot as fake, and that the fake window displays a padlock symbol suggesting a valid SSL/TLS certificate, which gives the user confidence, the researchers said. Note that the browser's own address bar, above the fake one, still shows the bait site's address; only the painted address bar inside the page is spoofed.
Moreover, despite the window being fake, it functions very much like a typical webpage. The “minimize” and “close” buttons work correctly, and the window can be moved across the screen like real ones can, they said.
All of that said, there are some giveaways that the page is fake. For instance, the fake window is confined to the browser's own window: it cannot be dragged beyond the browser's edge, as a real pop-up can. However, most users don't notice this limitation, the researchers noted.
If a user is fooled by the fake webpage and goes on to enter data, the data immediately is sent to threat actors and entered on a legitimate login page so they can take over the account. Victims even see an error message if they enter their info incorrectly, as they would with a legitimate login to their accounts, the researchers noted.
The fake webpage even triggers two-factor authentication if the victim has it enabled, returning a code request, the researchers said. Attackers manage this with a separate application that generates the code request, which causes a push notification to be sent to the user's device; because the stolen credentials are being entered on the legitimate login page, the prompt the victim sees corresponds to a real login attempt.
Spotting Fake Webpages
There are a number of ways Web users can spot if they are being baited by attackers using a browser-in-the-browser technique.
Trying to resize the window is a dead giveaway of a browser-in-the-browser phishing campaign, as a fake window won't resize, the researchers said. "In such cases, you will also not be able to maximize it using the corresponding button in the header," they wrote.
Users also can try to drag the window outside the browser's own window to spot a fake, as a phishing window cannot leave the browser window in which it is drawn. Also, if they try to minimize the window and it closes instead, this can indicate a fake webpage, the researchers said.
Another way to spot a fake is by comparing the header design and the address bar of the pop-up window, as in some browsers, a fake page can look different from a real one, they said. Users should pay particular attention to the fonts and to the design of the control buttons.
People also can check whether a new entry appeared in the taskbar when an apparently authentic login window opens. If no new window appears there, the browser window is likely fake, the researchers said.
Finally, a user can check whether the address bar of the window that pops up is actually functional and allows typing in a different URL. If not, they said, the window is fake.
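The checks in the "Key Differences" and "Spotting Fake Webpages" sections come down to one fact: a real login pop-up is a separate operating-system window, while a browser-in-the-browser "window" is an HTML element inside the bait page, so its address bar is painted text rather than something the user can type into, and the host it shows cannot match what the browser's own address bar reports. The following JavaScript is an added example written for this page, not code from Group-IB, mr.d0x or Steam: a heuristic detector, of the kind a browser extension or console bookmarklet could run, that walks a page tree and flags positioned containers that paint a URL as non-editable text (usually next to a padlock glyph and window-control buttons) for a host other than the page's real host. The node shape, the two sample page trees, the hosts `tournament.example` and the `fromElement` adapter are all assumptions made for the example; the hint lists are deliberately small and would need tuning in practice.

```javascript
// Heuristic browser-in-the-browser (BitB) detector. Added example for this
// article; not code from Group-IB, mr.d0x or Steam. A real login window is a
// separate OS window, so any "window" that is actually a DOM element is fake.
// The tell-tale is a positioned box that paints a URL as plain text (the real
// address bar is never part of the page), usually with a padlock glyph and
// window-control buttons drawn beside it.
//
// Nodes are plain objects using a small subset of DOM element properties so the
// example runs under Node without a browser (assumed shape, see fromElement):
//   { tag, style: { position }, text, editable, className, children }
// `text` is the node's own text only; descendants carry their own.

const URL_RE = /https?:\/\/([a-z0-9.-]+)/i;
const LOCK_HINTS = ["\u{1F512}", "lock", "padlock"];              // padlock glyph or class/label text
const CONTROL_RE = /[\u2212\u2013\u2014\u00D7\u2715\u2716\u25A1\u2610]/; // minimize/maximize/close glyphs

function isPositioned(node) {
  const p = (node.style && node.style.position) || "";
  return p === "fixed" || p === "absolute";
}

// Inspect one positioned container for the features of a painted browser chrome.
function inspectContainer(container, realHost) {
  let paintedHost = null;
  let hasLock = false;
  let hasControls = false;

  (function walk(node) {
    const text = node.text || "";
    const label = (text + " " + (node.className || "")).toLowerCase();
    const m = URL_RE.exec(text);
    // A URL the user can type into is an input; a URL that is merely painted
    // text inside the page is what a BitB address bar is.
    if (m && !node.editable) paintedHost = m[1].toLowerCase();
    if (LOCK_HINTS.some((h) => label.includes(h))) hasLock = true;
    if (CONTROL_RE.test(text)) hasControls = true;
    for (const child of node.children || []) walk(child);
  })(container);

  if (paintedHost === null) return null;
  const hostMismatch = paintedHost !== realHost.toLowerCase();
  // A page may legitimately quote its own URL in text; require either a host
  // that is not the page's real host, or fake chrome (a padlock) around it.
  if (!hostMismatch && !hasLock) return null;
  return { paintedHost, realHost, hostMismatch, hasLock, hasControls };
}

// Walk the whole tree and report every positioned container that looks like a
// fake browser window. `realHost` is what the browser's own address bar shows
// (location.hostname in a page); a BitB window cannot change it.
function findBitbWindows(root, realHost) {
  const hits = [];
  (function walk(node) {
    if (isPositioned(node)) {
      const finding = inspectContainer(node, realHost);
      if (finding) hits.push(finding);
    }
    for (const child of node.children || []) walk(child);
  })(root);
  return hits;
}

// Adapter for a real page: findBitbWindows(fromElement(document.body), location.hostname).
// Not exercised under Node; it relies only on standard DOM element properties.
function fromElement(el) {
  const ownText = Array.from(el.childNodes)
    .filter((n) => n.nodeType === 3)
    .map((n) => n.textContent)
    .join("");
  return {
    tag: el.tagName,
    style: { position: getComputedStyle(el).position },
    text: ownText,
    editable: el.tagName === "INPUT" || el.isContentEditable === true,
    className: typeof el.className === "string" ? el.className : "",
    children: Array.from(el.children).map(fromElement),
  };
}

// Constructed sample: a bait page on an attacker-controlled host (assumed name)
// that draws a Steam-looking login "window" as a fixed-position div. The URL is
// painted text next to a padlock glyph, while the page's real host is the bait site.
const BITB_PAGE = {
  tag: "BODY", style: {}, text: "Join our team for the tournament!",
  children: [
    { tag: "DIV", style: { position: "fixed" }, className: "fake-window", children: [
      { tag: "DIV", className: "titlebar", text: "Sign In \u2212 \u25A1 \u00D7", children: [] },
      { tag: "DIV", className: "addressbar", children: [
        { tag: "SPAN", className: "lock-icon", text: "\u{1F512}", children: [] },
        { tag: "SPAN", text: "https://steamcommunity.com/login/", children: [] },
      ] },
      { tag: "INPUT", editable: true, text: "", children: [] }, // account name field
    ] },
  ],
};

// Constructed sample: a legitimate page quoting its own URL in an editable
// "share link" box. It must not be flagged.
const BENIGN_PAGE = {
  tag: "BODY", style: {}, text: "Share this page:",
  children: [
    { tag: "DIV", style: { position: "absolute" }, children: [
      { tag: "INPUT", editable: true, text: "https://tournament.example/event/42", children: [] },
    ] },
  ],
};

console.log(JSON.stringify(findBitbWindows(BITB_PAGE, "tournament.example")));   // one finding
console.log(JSON.stringify(findBitbWindows(BENIGN_PAGE, "tournament.example"))); // []
```

The decisive signal is the host comparison: the fake address bar can paint `steamcommunity.com`, but the page it lives in is still served from the bait host, which is why the non-functional address bar and the confinement to the browser window in the checks above are symptoms of the same thing. The padlock and control-glyph hints only raise confidence, and a page that quotes its own URL in text without fake chrome is deliberately left unflagged.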