Group IB’s security researchers have found a new way that hackers are using phishing to steal Steam accounts.
Group IB’s research shows how hackers use a sneaky phishing kit to steal Steam accounts. Criminals use social engineering to get information about Steam accounts, which they then sell online. Several high-profile accounts have reportedly been sold for $100,000 to $300,000.
Techniques Used
The hackers mostly talk to each other through Discord or Telegram. They use a phishing kit that can launch “browser-in-browser” attacks, which is a rare method in the underground cyber world. Hackers contact the best players in games like CS:GO, Overwatch, Dota 2, PUBG, and others, and invite them to tournaments.
The invitation has a malicious link that sends people to a fake tournament website that pretends to be connected to a real company. In order to sign up for the tournament, the website shows you a “pop-up” window, which isn’t actually a browser pop-up, into which you must enter your Steam credentials. It’s a fake pop-up drawn inside the page that steals personal information, including the victim’s two-factor authentication code.
If you enter the code wrong, the website will show you an error message, but if you put in the right information, you will be sent to a real website, making it look like the whole thing is real. Worst of all, the victim probably won’t realize they’ve been hacked because the link in the address bar will look real.
You can stop these attacks from happening by turning off JavaScript in your browser, but doing so is drastic and will make many websites stop working. Players must be careful when joining tournaments through links shared in Telegram or Discord groups.
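A less drastic check than disabling JavaScript, as an added example that is not from Group IB's research: a real pop-up's address bar is part of the browser and never appears in the page's own markup, so a page that draws a trusted login hostname as text next to a password field deserves suspicion. The protected-domain list, function names and sample markup below are assumptions constructed for illustration.

```javascript
// Heuristic for "browser-in-browser" login pages (added example).
// A real pop-up's address bar is browser chrome and never appears in the page's
// own markup. A fake pop-up has to draw the trusted URL as ordinary page text.

// Assumption: domains whose login pages we want to protect (extend as needed).
const PROTECTED = ["steamcommunity.com", "steampowered.com"];

// True when host equals domain or is a subdomain of it.
function isSameSite(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Visible text only: drop script/style bodies, then strip all tags.
function visibleText(html) {
  return html
    .replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, " ")
    .replace(/<[^>]*>/g, " ");
}

// Returns one finding per protected hostname shown as text on a foreign page.
function findFakeAddressBars(pageHost, html) {
  const hasPasswordField = /<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(html);
  if (!hasPasswordField) return [];
  const hostnames = visibleText(html).match(/\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi) || [];
  const findings = [];
  for (const name of new Set(hostnames.map((h) => h.toLowerCase()))) {
    const brand = PROTECTED.find((d) => isSameSite(name, d));
    // Flag only when the page itself is not served from the protected site.
    if (brand && !isSameSite(pageHost, brand)) {
      findings.push({ shown: name, servedFrom: pageHost });
    }
  }
  return findings;
}

// Constructed sample markup (not taken from the real phishing kit).
const SAMPLE = `
<div class="window"><div class="titlebar">Sign in</div>
<div class="url">https://steamcommunity.com/openid/login</div>
<form><input name="user"><input type="password" name="pass">
<input name="twofactor"></form></div>`;

console.log(findFakeAddressBars("tournament.example", SAMPLE));
```

This is a heuristic over page text only: a legitimate page that mentions a protected hostname beside its own password field will also be flagged, so treat a finding as a prompt to inspect the window, not as proof.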