Hackers use fake tournaments to steal your Steam account Digital Trends Skip to main content Trending: Wordle Today October 24 Dell XPS 15 vs. Razer Blade 15 Best Dolby Atmos Soundbars iPhone 14 Plus Review Halo Rise vs. Nest Hub 2nd Gen HP Envy x360 13 (2022) Review Best Chromebook Printers Home ComputingNews

Your Steam account could be in danger because of this new phishing technique

By Monica J. White September 13, 2022 Share Hackers are once again targeting gamers, and this time around, you could lose your Steam account if you’re not careful. Through the use of the Browser-in-the-Browser technique, hackers have been able to gain access to some high-profile Steam accounts valued as highly as $300,000. Here’s how the new hack works and how to make sure you’re staying safe. Group-IB This new phishing attack is being carried out by hackers who contact Steam users in a well-concealed attempt to steal their accounts. Some phishing attempts are extremely easy to spot, but in this case, the whole thing seems to be legitimate, which only makes it easier for the hackers to gain control of Steam accounts. Hackers send messages to potential victims via Steam, asking them to join a game of Counter-Strike, Dota 2, League of Legends, Rocket League, PUBG, or another popular esports title. Even if the user doesn’t accept, the hackers request that they vote for their team and provide a link to a website that looks to be an esports organization. The website is quite well made — you’ve certainly seen similar pages before. It supports 27 languages and detects the correct language from your browser settings. In order to join a team and play in a tournament or just a friendly match, the users are asked to log in through their Steam account, complete with the username, password, and even authenticator code if they have enabled two-factor authentication. There’s one problem, though. The login page is not an actual browser window. Instead, it is a fake window that’s embedded within the current page. With this phishing kit, the fake window can even be dragged around, minimized, and maximized, closely resembling a regular pop-up. If the user inputs their credentials and successfully logs in, they are redirected to an address that also appears legitimate. This is done in order to win the hackers some time while the login information is being sent to the attackers. The threat actors then quickly change the victim’s email and password, making it harder to recover the account.

How to protect yourself

Jacob Roach / Digital Trends Many people have fallen victim to similar scams in the past, but now that they’re on the rise again and even harder to detect, it’s best to be careful and take your account security into your own hands. As Group-IB reports, the technique relies on JavaScript (JS) in order to work. Blocking JS scripts would protect you well, but most of us don’t want to do that — many popular websites use JS, so that would affect your entire user experience. Instead, be careful with links you receive from people you don’t know, and even people you do know. Discord and Steam accounts often get hacked, so receiving messages with links, even from friends, can be suspicious. Make sure you verify you’re actually talking to your friend before you ever follow any links sent to you, and if the person is a stranger, don’t bother — just block them.

Editors' Recommendations

YouTube brings pinch to zoom and video navigation changes to everyone Typos can get you hacked in latest cybersecurity threat How your boss can spy on you with Slack, Zoom, and Teams Passwords are hard and people are lazy, new report shows Is Microsoft’s new PC cleaner just an Edge ad in disguise? Microsoft data breach exposed sensitive data of 65,000 companies Instagram’s expanded blocking lets you block a person’s backup accounts Instagram may be adopting this beloved MySpace feature DuckDuckGo’s new browser could help keep Mac users safe on the web Apple quietly launches unprecedented price cuts to its best MacBook Pros We can’t believe how big this Dell business laptop discount is AMD 7000X3D V-Cache CPUs could challenge Intel at CES 2023 Is Microsoft’s new PC cleaner just an Edge ad in disguise? Thanks, I hate it: Someone installed macOS on a Steam Deck Grab a complete PC gaming bundle from Lenovo and save hundreds 3 tech deals you need to shop today: 70-inch TV for $450 and more Apple’s lead designer is leaving the company just three years after replacing Ive How to find saved passwords on your Mac