Group-IB’s security researchers say they have found a new way that hackers are using phishing to steal Steam accounts.
Group-IB’s research shows how hackers use a sneaky phishing kit to steal Steam accounts. Criminals use social engineering to get information about Steam accounts, which they then sell online. Several high-profile accounts have reportedly sold for $100,000 to $300,000.
The hackers mostly talk to each other through Discord or Telegram. They use a phishing kit that can launch “browser-in-browser” attacks, which is a rare method in the underground cyber world. Hackers contact the best players in games like CS:GO, Overwatch, Dota 2, PUBG, and others, and invite them to tournaments.
The invitation has a malicious link that sends people to a fake tournament website that pretends to be connected to a real company. To sign up for the tournament, the website shows you a “pop-up” window, which isn’t actually a browser pop-up, into which you must enter your Steam credentials. It’s a fake pop-up drawn inside the page that steals personal information, including the victim’s two-factor authentication code.
If you enter the wrong code, the website will show you an error message, but if you put in the right information, you will arrive at a real website, making it look like the whole thing is real. Worst of all, the victim probably won’t realize they’ve been hacked because the link in the address bar will look real.
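
Because the fake pop-up is page content rather than a browser window, its "address bar" is text in the page itself, which a crawler or mail-gateway scanner can check for. The following is an added detection sketch, not code from Group-IB or the article; the trusted host list, the host `tournament.example` and the sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Assumption: hosts whose login form should only appear in a real browser window.
TRUSTED_LOGIN_HOSTS = {"steamcommunity.com", "store.steampowered.com"}
URL_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)

def _under(host, trusted):
    return any(host == t or host.endswith("." + t) for t in trusted)

class _Scan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.drawn_hosts = set()  # hosts of URL-like strings rendered as page content
        self._skip = 0            # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "input" and a.get("value"):
            self._collect(a["value"])  # an address bar may be drawn as an input

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self._collect(data)

    def _collect(self, text):
        self.drawn_hosts.update(m.group(1).lower() for m in URL_TEXT.finditer(text))

def bitb_findings(html, page_host, trusted=TRUSTED_LOGIN_HOSTS):
    """Trusted login hosts drawn as text on a foreign page that asks for a password."""
    if _under(page_host.lower(), trusted):
        return []  # the genuine site may display its own URL
    scan = _Scan()
    scan.feed(html)
    scan.close()
    if not scan.password_fields:
        return []
    return sorted(h for h in scan.drawn_hosts if _under(h, trusted))

# Constructed samples: a drawn "window" with a fake address bar, and a plain link.
FAKE = ('<div class="win"><span class="bar">https://steamcommunity.com/openid/login'
        '</span><input name="u"><input type="password" name="p"></div>')
PLAIN = '<a href="https://steamcommunity.com/openid/login">Sign in through Steam</a>'
```

`bitb_findings(FAKE, "tournament.example")` flags the drawn Steam URL, while the plain sign-in link does not, since `href` targets are not rendered text. It is a heuristic: a page that builds the fake window only at runtime with script needs the rendered DOM fed in instead of the raw HTML.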