New BitB Attacks Make it Easier to Steal Steam Credentials
New attacks aimed at exfiltrating Steam credentials and compromising Steam account access have taken advantage of the new Browser-in-the-Browser phishing technique, which was originally reported to allow the creation of fraudulent Microsoft, Google and Steam login, according to BleepingComputer. The attackers behind the Steam phishing campaign used a BitB phishing kit mainly distributed on private Discord or Telegram channels, while the victims are lured by invitations to join teams for various tournaments sent via direct messages on Steam, according to a report from Group-IB. These messages contain links that allegedly redirect to a phishing site posing as an esports competition sponsor, which then requires visitors to use their Steam account to log in. Once the Steam credentials are entered, the site triggers another form asking for a two-factor authentication code, with successful authentication prompting a redirect to a URL specified by the command and control center that seeks to conceal the compromise, Group-IB said. The researchers added that stealing credentials could allow attackers to immediately hijack accounts and change their credentials.