Skip to main content

Your Steam account could be in danger because of this new phishing technique

Hackers are once again targeting gamers, and this time around, you could lose your Steam account if you’re not careful.

Through the use of the Browser-in-the-Browser technique, hackers have been able to gain access to some high-profile Steam accounts valued as highly as $300,000. Here’s how the new hack works and how to make sure you’re staying safe.

New Steam hack that steals user credentials through a fake login website.
Group-IB

This new phishing attack is being carried out by hackers who contact Steam users in a well-concealed attempt to steal their accounts. Some phishing attempts are extremely easy to spot, but in this case, the whole thing seems to be legitimate, which only makes it easier for the hackers to gain control of Steam accounts.

Recommended Videos

Hackers send messages to potential victims via Steam, asking them to join a game of Counter-Strike, Dota 2, League of Legends, Rocket League, PUBG, or another popular esports title. Even if the user doesn’t accept, the hackers request that they vote for their team and provide a link to a website that looks to be an esports organization.

The website is quite well made — you’ve certainly seen similar pages before. It supports 27 languages and detects the correct language from your browser settings.

In order to join a team and play in a tournament or just a friendly match, the users are asked to log in through their Steam account, complete with the username, password, and even authenticator code if they have enabled two-factor authentication.

There’s one problem, though. The login page is not an actual browser window. Instead, it is a fake window that’s embedded within the current page. With this phishing kit, the fake window can even be dragged around, minimized, and maximized, closely resembling a regular pop-up.

If the user inputs their credentials and successfully logs in, they are redirected to an address that also appears legitimate. This is done in order to win the hackers some time while the login information is being sent to the attackers. The threat actors then quickly change the victim’s email and password, making it harder to recover the account.

How to protect yourself

A Steam Deck sitting on top of a PC.
Jacob Roach / Digital Trends

Many people have fallen victim to similar scams in the past, but now that they’re on the rise again and even harder to detect, it’s best to be careful and take your account security into your own hands.

As Group-IB reports, the technique relies on JavaScript (JS) in order to work. Blocking JS scripts would protect you well, but most of us don’t want to do that — many popular websites use JS, so that would affect your entire user experience.

Instead, be careful with links you receive from people you don’t know, and even people you do know. Discord and Steam accounts often get hacked, so receiving messages with links, even from friends, can be suspicious. Make sure you verify you’re actually talking to your friend before you ever follow any links sent to you, and if the person is a stranger, don’t bother — just block them.

Please enable Javascript to view this content

Monica J. White
Monica is a computing writer at Digital Trends, focusing on PC hardware. Since joining the team in 2021, Monica has written…
AMD and Apple face a dangerous new security flaw
A hacker typing on an Apple MacBook laptop while holding a phone. Both devices show code on their screens.

Researchers from cybersecurity firm Trail of Bits just found a vulnerability that affects some of the biggest brands in tech, namely Apple, AMD, and Qualcomm. The vulnerability, dubbed LeftoverLocals, affects graphics cards made by those companies. That makes it pretty widespread, with it affecting devices ranging from PCs and servers to tablets and smartphones. This flaw, if exploited, could allow attackers to access and steal data from vulnerable devices.

Normally, when working in a shared environment -- such as a workstation or a cloud computing infrastructure -- each user only has access to their own data and resources, even when working on the same hardware. However, LeftoverLocals bypasses these security measures and uses GPU memory to let potential attackers steal data from the other users on that same hardware.

Read more
Steam Year in Review 2023 is live — here’s how to see your Steam Replay
The landing page for Steam Year in Review 2023.

Steam introduced Steam Replay last year for the first time, and it's back again for 2023. As we close out the year, you get a chance to look back at a bunch of stats for 2023, similar to Xbox Year in Review and PlayStation Wrap-Up. Here, we will show you how to see your Steam Year in Review for 2023.

The wrap-up includes a ton of detail, from what games you've played to how many achievements you've unlocked. Steam Year in Review is only live for a limited time, but you can download and share your review while it's running, as well as add it to your Steam profile so you can see it throughout the next year.
How to see Steam Year in Review 2023

Read more
Update your Apple devices now to fix these dangerous exploits
A person using a laptop with a set of code seen on the display.

If you’re an Apple user -- whether you have a Mac, an iPhone, an iPad, or an Apple Watch -- you need to update your devices as soon as possible. That’s because Apple has discovered three actively exploited vulnerabilities that could cause your devices serious harm, and the patches are already out to fix them.

One of the bugs was found in Apple’s Security framework and would allow a malicious app to completely bypass a device’s signature validation. Another bug concerns the WebKit browser engine and could grant a threat actor the ability to run arbitrary code when a victim views a certain web page.

Read more