A new 'browser-in-the-browser' attack threatens Steam users

Steam
(Image credit: Valve)

Receiving a Steam message from someone trying to scam you out of a Team Fortress 2 hat was a rite of passage for PC gamers in the 2010s, but today's phishing techniques are much more sophisticated. The latest attack looks like a real opportunity for up-and-coming competitive gamers, secure login form and all.

Security firm Group-IB (via Bleeping Computer) says that this sophisticated "browser-in-the-browser" phishing technique appeared "out of nowhere" earlier this year, first spotted by researcher mr.d0x, and has been snaring Steam users since. According to the company, the key to the method is that the attackers don't just mimic a webpage, but an entire pop-up browser window. That allows them to make a fake Steam login form look trustworthy by displaying a fake SSL certificate padlock symbol and other illusions.

On Steam, the scam's primary targets are competitive and professional gamers, who are being sent direct messages that invite them to join tournaments. If they bite, they're directed to a slick-looking game tournament platform where they're asked to log in using their Steam credentials.

The Steam login pop-up is the fake "browser-in-the-browser" window, and if the user falls for it, the hackers gain access to their Steam account. The prize for the scammers is the account itself and all of the games tied to it, as well as any virtual goods in the user's inventory, such as CS:GO skins. Baiting users with tournament play is perhaps designed to attract competitive gamers who are likely to have expensive items in their Steam inventories, as hardcore CS:GO players can have thousands of dollars worth of skins in their accounts.

The fake pop-up window includes a fake security certificate and supports multiple languages. It can be maximized, minimized, and moved around. Using one's Steam credentials to log into legitimate websites is not uncommon, so some users likely won't think twice about it, given that nothing looks off about the window at first glance.

An example of a browser-in-the-browser phishing attempt

(Image credit: Group-IB)

The attack uses JavaScript, according to Bleeping Computer, so a script blocking extension will offer some protection by preventing the code from running. I use a script blocking extension myself, and although it can be a pain when navigating to new sites, I've found it indispensable.

The general rules of the internet remain: If something appears too good to be true, it probably is. And even if it doesn't appear all that good, it might be even worse than it seems, so don't click on links from sources you don't trust and carefully filter or ignore unknown direct messages and emails. Whether it's cryptocurrency, NFTs, or CS:GO skins, if it has a dollar value attached to it, someone will try to steal it. Stay safe out there!


Chris Szewczyk
Hardware Writer

