New attacks aimed at exfiltrating Steam credentials and compromising Steam account access have been leveraging the novel Browser-in-the-Browser phishing technique, which was initially reported to enable the creation of fraudulent Microsoft, Google, and Steam login forms, according to BleepingComputer.
Attackers behind the Steam phishing campaign have been using a BitB phishing kit mainly distributed in private Discord or Telegram channels, while victims are being lured through invitations to join teams for various tournaments sent via direct messages on Steam, a Group-IB report found. These messages contain links that redirect to a phishing site impersonating an esports competition sponsor, which then requires visitors to log in with their Steam account.
Once the Steam credentials have been entered, the site triggers another form requesting a two-factor authentication code. Successful authentication then prompts a redirect, intended to conceal the compromise, to a URL specified by the command-and-control center, said Group-IB.
Researchers added that the theft of credentials could enable attackers to immediately hijack accounts and modify their credentials.
T-Mobile has denied being impacted by a cyberattack in April that compromised employee information after VX-Underground reported that it had been notified by threat actors of the attack, which occurred immediately after the telecommunications provider was breached in March, according to The Record, a news site by cybersecurity firm Recorded Future.
Air Canada has confirmed being impacted by a data breach that compromised some of its employees' limited personal data and other records, reports The Record, a news site by cybersecurity firm Recorded Future.