A sophisticated Steam scam is leading people to inadvertently give their Steam account information to hackers. The scam works via browser-in-browser technology, which dupes users into thinking they're inputting their credentials into a legit Steam site when they're not.
How does this new Steam scam work?
As the most popular PC digital distribution platform, Steam is naturally the home of plenty of scams. Whether it's indie devs being targeted by fraudulent curator reviews or games covertly installing crypto mining software on players' PCs, Steam is no stranger to hackers and scammers trying to make a quick buck. This latest Steam scam, though, might be the most sophisticated one yet.
According to cybersecurity firm Group-IB, hackers are now using Steam browser-in-browser popups to imitate legitimate Steam login prompts, thus encouraging users to input their account credentials to connect Steam to some service or other. Unbeknownst to those users, though, these popups are actually scams, and this can result in the loss of control over Steam accounts.
Bait websites for this Steam scam can take the form of links included in YouTube video descriptions, as well as sites that mimic existing pages. Unlike traditional phishing scams, these sites don't open in separate tabs; rather, they open as fake browser windows within the same tab (hence "browser-in-browser").
Clicking anywhere on these pages will take you to a Steam login window where you can enter your credentials. The fake browser window within your existing tab displays a legit-looking Steam link and even an SSL certificate lock, leading you to believe it's above board. Hackers have even gone to the trouble of allowing you to change languages, adding to the "authenticity" of the browser window.
There are other slightly scary elements to this new, sophisticated scam as well. Since you'd expect a Steam login to prompt you to input an authentication code if you've got an authenticator set up, that's exactly what these browser-in-browser windows will do. Inputting your phone number will actually send a code to your device, mimicking the process by which Steam sends codes (although Steam uses the app if you have it installed).
It's worth reading the full Group-IB post if you want to see exactly how the phishing scam works. There are a lot of technical details included in the post, but you'll also get to see Russian phishing groups recruiting members and setting up the scam by telling others how to build fake Steam pages. The level of sophistication and effort involved here is worrying, but there are steps you can take.
What can you do to avoid this Steam scam?
This might be a pretty sophisticated scam, but it's actually pretty easily avoided if you know what you're looking for. Per Group-IB, here are some of the things you can do if you want to avoid being scammed by this phishing scheme.
- Check your browser's fonts and header style. An in-browser window can look different from how your browser usually renders fonts and other visual elements.
- Check if there's a new window in your taskbar. If there isn't, it's a fake browser window.
- Try to resize the window (not with the maximize button, but by stretching or shrinking it). If you can't, it's likely fake.
- Try to move the browser window beyond the confines of your original tab. You probably won't be able to.
- Minimize the window; doing so will close a fake in-browser window.
- Click the SSL lock. If nothing happens, the window is fake.
- Try to input a different URL into the address box. If you can't, then it's probably a fake window.
- Disable Javascript execution in your browser settings. This will prevent fake windows from being displayed at all (but could also have other effects).
Make sure you're being vigilant for this scam, because it could have serious consequences for you if you fall victim to it. These consequences include having your Steam account info stolen, as well as other, potentially even more serious financial consequences if that account has payment info set up. Be on the lookout and you should be fine.
