Novel BitB attacks facilitate Steam credential theft

New attacks aimed at exfiltrating Steam credentials and compromising Steam account access have been leveraging the novel Browser-in-the-Browser phishing technique, which was initially reported to enable the creation of fraudulent Microsoft, Google, and Steam login forms, according to BleepingComputer. Attackers behind the Steam phishing campaign have been using a BitB phishing kit mainly distributed in private Discord or Telegram channels, while victims are being lured through invitations to join teams for various tournaments sent via direct messages on Steam, a Group-IB report found. Such messages contain links that would redirect to a phishing site impersonating an esports competition sponsor, which then requires visitors to use their Steam account to login. Once the Steam credentials have been inputted, the site triggers another form requesting a two-factor authentication code, with successful authentication prompting redirection to a command-and-control center-specified URL that seeks to conceal the compromise, said Group-IB. Researchers added that the theft of credentials could enable attackers to immediately hijack accounts and modify their credentials.