The attacks, highlighted by Group-IB (via Bleeping Computer), use the browser-in-the-browser technique to make a phishing lure appear genuine. The process starts when a target, usually a competitive or pro gamer, receives a direct message inviting them to join a tournament for the likes of League of Legends, Counter-Strike, Dota 2, or PUBG.
The message is a ruse, of course. The sender includes a link to a professional-looking site of what appears to be an e-sports company that hosts and sponsors tournaments and other competitions. Requesting to join the platform will bring up the familiar pop-up window for logging into Steam. The window is pretty much indistinguishable from the real thing, complete with a selection of 27 languages, an SSL security certificate, a legitimate URL, and a ‘create account’ option. It can even be moved around, resized, and maximized/minimized. But this isn’t a real sign-in pop-up overlaid onto the current website; it’s a fake window created from the existing page. After a victim enters their credentials, they’re taken to a working Steam Guard form asking for a 2FA code (if enabled), adding to the scam’s authenticity.
Even if a user starts getting suspicious at this point, it’s too late, because the scammer captured their credentials the moment they were entered into the fake login window. The criminals are then free to pilfer any virtual goods and do whatever they want with full account access. One way of ensuring you don’t fall for a browser-in-the-browser phishing attack is to use a JavaScript-blocking extension—the scam depends on JS to draw the fake window—though blocking scripts can break many websites. Less intrusive protections are the ones that apply across the whole online space: be wary of direct messages from strangers and don’t click on any links they contain; and if something seems too good to be true, it almost certainly is.