October 6, 2022

Threat actors are turning to the increasingly popular Browser-in-the-Browser (BitB) phishing technique in a new malicious campaign focused on stealing Steam user accounts.

The BitB method involves forging realistic phishing popup windows, often from pre-made templates, and deploying them in active windows to replicate legitimate popup login forms. Unlike other techniques, it lets attackers display custom URLs to increase the apparent legitimacy of the phishing page, making it less obvious to unsuspecting users.

Perpetrators quickly picked up on the new technique and started to use it against various services. Most recently, threat actors have taken an interest in high-profile Steam user accounts.

In a new campaign seemingly aimed at professional gamers, or generally owners of Steam accounts worth a fortune, attackers lure their victims under the pretenses of rewarding gaming tournaments. Unsuspecting users are led to a phishing site where they’re asked to log in to their Steam accounts for various reasons, including voting for teams in competitions or signing up for tournaments.

Attackers cunningly rely on the BitB technique to create a convincing Steam popup login window and display it inside the phishing website, as Bleeping Computer reports. However, the form isn’t actually displayed in a new window; instead, it uses JavaScript to emulate a popup login form almost imperceptibly.

The faux login form has full functionality and could easily pass as genuine to the untrained eye. Should the victim enter their credentials, the window would generate a new form, prompting them to provide their 2FA code and triggering an error if the code is not the right one.

Successfully authenticating would send the credentials to the threat actors and usually redirect the victim to a legitimate URL to avoid raising suspicion. At this point, proficient attackers often proceed with changing account email addresses and passwords to muddle the victims’ attempts to recover their stolen accounts.

Browser-in-the-Browser attacks can be hard to detect, especially if a sense of urgency is involved (e.g., the attacker makes a seemingly great, limited-time offer). In this case, traditional caution tips such as checking the URL or the SSL certificate padlock symbol are ineffective, as perpetrators can easily display fake legitimacy elements.

Users could interact with the emulated window in various ways: minimizing, maximizing, closing or simply dragging it around. A dead giveaway would be that the fake window doesn’t create a new tab in the taskbar as a regular popup would.

The most effective way to mitigate BitB attacks is to block JavaScript, as the technique heavily relies on it. Unfortunately, so do many popular websites, which makes users reluctant to embrace such a drastic measure.

Turning to specialized tools such as Bitdefender Ultimate Security can give you the upper hand against cyber threats, thanks to its advanced array of features:

  • Anti-phishing module that detects and blocks websites that mimic legitimate ones to steal your data or credentials
  • Network threat prevention against suspicious network-level activities
  • Web-filtering technology that helps you avoid harmful websites
  • Advanced filtering module that warns you of websites that may try to scam you
