Browser-in-the-browser attacks are simple yet sophisticated phishing scams. Hackers emulate trusted services via fake pop-up windows that look like the actual (real) login pages. While there have been a lot of reports describing browser-in-the-browser tactics, it is very difficult to actually catch a hacker deploying this campaign.
Fake Steam pages used to target gamers
Cybercriminals are targeting Counter-Strike 2 (a free-to-play tactical first-person shooter game) players using a disguised Steam login page that looks quite convincing. The fake page tricks innocent gamers into giving away their account IDs and passwords.
The hackers distributed the attack on the websites that pretended to represent the sports team Navi. “Part of the campaign’s attack tactics also includes abusing the name of a professional esports team called Navi,” reports cybersecurity vendor Silent Push. The hackers offered visitors free weapons skins or a “free case” that could be used in the game. To get these freebies, the phishing page demanded users to log in to Steam.
“All of the websites our team has found so far were in English save one Chinese site, simplegive[.]cn, which was created in Mandarin, with some English wording, and used the top-level domain (TLD) ‘.cn,” reports Silent Push.