ENGLISH
ENGLISH
13.09.2022

Letting off steam

Hackers use the browser-in-the-browser technique to steal Steam accounts

Ivan Lebedev
Head of CERT-GIB Anti-phishing and Global Cooperation Group
Dmitry Eroshev
CERT-GIB Analyst
"I want to tell you the story of how I was scammed and lost my Steam account, including more than 100 games bought and donations totaling more than $200." Or, "I spent hundreds of dollars on my Steam account and bought at least 20 games, some with add-ons." There are dozens — if not hundreds — of similar stories. In July alone, CERT-GIB specialists identified more than 150 fraudulent resources mimicking Steam, a major online gaming platform. To steal Steam credentials, hackers have been using a new phishing technique called browser-in-the-browser, which tricks users into thinking that a fake webpage is a legal resource.

Half-Life, Counter-Strike, S.T.A.L.K.E.R., Dota 2… Over the years, these popular video games have been released on Steam, a platform created by Valve in 2003. Today, Steam boasts more than 120 million users, and its portfolio includes more than 50,000 titles. A newbie’s Steam account costs within a few tens of dollars, while the account of a leading player can be worth between $100,000 and $300,000. Fraudsters have been creating hundreds of phishing resources masquerading as Steam for more than 20 years, but most of these websites looked half-baked and users easily spotted a fake.

A new threat emerged out of nowhere, and its name was browser-in-the-browser. A researcher with the moniker mr.d0x was the first to describe this phishing technique, in spring 2022. Using the technique, hackers create a fake browser window on a phishing resource, which at first glance is indistinguishable from the authentic one. Threat actors decided to take advantage of the fact that Steam uses a pop-up window for user authentication instead of a new tab. Since browser-in-the-browser technology poses a significant risk to users, we decided to analyze it in detail using an example of a phishing kit located on a resource that mimics Steam. CERT-GIB has warned Valve about the threat.

Tickets to a CS tournament: How the scheme works

To lure victims to a bait webpage that contains a login button, threat actors send messages to users offering various appealing offers: to join a team for a LoL, CS, Dota 2, or PUBG tournament, to vote for the user’s favorite team, to buy discounted tickets to cybersport events, and more.
In another case, viewers of a popular gameplay video (a recorded stream) were given the option to visit another resource in order to receive a free in-game skin. An ad redirecting users to the phishing website was shown both on the screen and in the description of the video.
Almost any button on bait webpages opens an account data entry form mimicking a legitimate Steam window. It has a fake green lock sign, a fake URL field that can be copied, and even an additional Steam Guard window for two-factor authentication.
Unlike traditional phishing resources, which open phishing webpages in a new tab (or redirect users to them), this type of resource opens a fake browser window in the same tab in order to convince users that it is legitimate. Users can even switch between 27 webpage interface languages.
A phishing page that uses browser-in-the-browser technology

What is the difference between browser-in-the-browser and traditional phishing?

User authentication in a pop-up window instead of a new tab is becoming increasingly popular with legitimate websites and platforms, including Steam. This method meets users’ expectations and therefore is less likely to arouse suspicion.
A link in the “address bar” of the fake window is identical to the legitimate one since it is not the real browser window. Users can highlight, copy, and open it in another tab to check whether it is legitimate.
The address bar of the fake browser displays a lock symbol of the organization’s SSL certificate.
Despite the window being fake, the “minimize” and “close” buttons work correctly.
The fake window can be moved across the screen like real ones can. Its size is limited to the browser window (it cannot be moved beyond the browser window), but most users do not notice this functional limitation.
In many cases, browsers block legitimate pop-up windows, yet fake ones evade blocking.



The contents of BitB phishing pages are also worth noting. Such webpages are fully copied from legitimate ones. In many cases, they even include an alert about data being saved on a third-party resource.
A legitimate webpage for entering account data
Phishing pages can have all buttons disabled except for login confirmation and language switching. All 27 interface languages are fully functional, and the selection is identical to the one used on the legitimate page. The initial language is chosen automatically depending on browser preferences.

Data entered by users is immediately sent to the threat actors and automatically entered on the legitimate resource. If the data is incorrect, victims see an error message.
The error displayed if the account data is entered incorrectly
Install Steam Log in Language STEAM STORE COMMUNITY ABOUT STEAM SUPPORT
Log in using your Steam account on challengermode.com
Incorrect account name or password
Steam username
Password
Log in
If you access challengermode.com via Steam:
- Your Steam account data will not be shared with third parties
- A unique digital identifier will be sent to challengermode.com. This means that challengermode.com will be able to identify your Steam profile and access any profile information that you have made public
- challengermode.com will receive access to any public information on your Steam profile
By pressing Log In, you agree to share this data
If the victim has enabled two-factor authentication, the resource returns a code request. The code is created using a separate application, which sends a push notification to the user’s device.

Phishing kit analysis

The phishing kit that was used to create the analyzed resource includes the following directory tree structure:
The directory structure of the phishing kit
The phishing kit lacks certain PHP scripts that are typical for phishing resources: the website is based on two HTML pages and several JS scripts. There is no protection against researchers: the phishing resource is accessible from any location with any access conditions. As such, threat actors can expand the reach of potential victims while decreasing the lifespan of the phishing page since it takes less time to detect and block it.

As already demonstrated, the first page of the phishing resource (index.html) can be designed in many different ways. For a phishing resource to function properly, only three components are required:
1
A JS script that creates a fake browser window (fnqduadizanu.js)
2
Links to an HTML file with a data entry form (steam.html)
3
A button which, when clicked, opens a method for creating a fake browser window
The rest of the file’s contents can be changed without disrupting its functionality, which means that the file can be modified with no development costs.

Rendering a browser-in-the-browser page

The method window.$oA (), which is fetched upon clicking on the button, is described in the file fnqduadizanu.js. When the script is loaded, the function E () is assigned to the method window.$oA.
The initial code of this function is obfuscated to complicate analysis. Most elements used by the script are collected in a single array, which is accessed using functions.
Depending on the value in the parameter window.$authType, the script creates either a fake window using the method document.createElement or a new window using the method window.open. This parameter is returned when sending a request to the threat actors’ C&C server, for which the domain is indicated in the file steam.html. The URL for calling the server is generated pseudo-randomly by the A(8) function call.
The domain of the threat actors’ C&C server
The URL addressed by the phishing resource with the value $authType
A fake window contains only three elements:
-1-
A window header with control buttons
-2-
An address bar
-3-
The contents of steam.html embedded using the tag iframe
The structure of a BitB window
The choice of the file loaded into the iframe is determined by the variable window.$sd, which is specified in the index.html. This structure allows threat actors to create a phishing resource that mimics a different brand just by changing HTML files, without making any changes to the scripts.

The functions of processing the input data and requesting additional codes are performed by the script steam.js. The data input into the forms are sent to the threat actors’ C&C server, the URL of which is specified in the fields $domainToLogin and $loginLink in the file steam.html.
Account data are sent as is, without performing any additional verifications. The 2FA and SMS codes are verified for length (5 or 7 symbols) and assessed using the following regular expression:
The stolen data are input on the side of the C&C server. Depending on the result, a request containing a code for further action is sent to the phishing resource.
Unlike phishing-as-a-service schemes, which usually involve developing phishing kits for sale, Steam phishing kits are kept secret. The campaigns are carried out by hacker groups who come together on underground forums or Telegram channels and use Telegram or Discord to coordinate their actions.
Topic name
Hiring workers for Steam Phishing

Topic message
We hold regular events to increase the payoff percentage to 95%.
1 log = bot switch
Anti KT system
PS. Yes, I know there are grammatical mistakes. Our editor is not a native Russian speaker. He left, and I don't want to spend time to edit the banner, so I use the one I have, cause TIME IS MONEY.
By participating in this scheme, not only will you earn some cash, you will improve your English along the way; I will help you personally.
We need brainy guys to work on a long-term collaborative project, not just for a couple of days to wrap things up.
Our team has already been working together for almost a year.
Join our crew: we have each other's backs, and that's the only way for us to grow and to help phishing rise from its knees.
We work with Rust, CS:GO, Dota, TF2, H1Z1 -
payoffs - and any help we can provide (with some exceptions, of course).
Private schemes are also on the way, and top performing workers will always be in the know.
TG:
As soon as we recruit 35 trustworthy workers, we'll have all kinds of bonuses and such.
Use the bot to send your applications, THE BUTTON CAN BE CLICKED ON
- Project functionality: a bot that delivers logs/maFiles
- Detailed panel manual
- Continuous support: we will answer any questions. Our project has been created to help develop Steam phishing
- Increasing prices on the LZT market
- Creating comfortable conditions for workers
Pinned message
We accept any candidate over 14 1) How much will I get paid per week? - It depends on…

Welcome to our Telegram channel. We offer a brand new, super efficient scam scheme. See the FAQs about it below. If you have any more questions, write here: WE ACCEPT ANYONE OVER 14
1) How much will I get paid per week? - It depends on how hard you work and how motivated you are. 2) What fee do I need to pay to access the private chat? - There is no entry fee as such. However, we will need a security deposit of $15 to guarantee that you won't abandon us after receiving the admin panel and website database access. 3) Who do I need to contact to make a purchase? … ; 4) What guarantees do I have that you will not take me for a ride? - We're interested in hiring new workers and have no incentive to cheat you: we profit from the scheme as much as you. 5) When are payments due? - At the end of each week you will receive the sum you earned. 6) We promise to keep your personal data confidential.
Recommendations: How to identify a fake browser window
Compare the header design and the address bar of the pop-up window. In your browser, a fake page can look different from a real one. Pay attention to the fonts and to the design of the control buttons.
Check whether a new window opened in the taskbar. If not, the browser window is fake.
Try to resize the window. If the window is fake, you will not be able to resize it. In such cases, you will also not be able to maximize it using the corresponding button in the header.
Try to move the window. Since a fake pop-up window is limited in size to the browser window, you will not be able to move it over the control elements of the initial window.
Minimize the window. If the window is fake, the “minimize” button will close it.
Check whether the lock symbol signifying the certificate is just a picture. If the window is fake, nothing will happen when you click on the lock. Authentic browsers display SSL certificate information.
A fake address bar is not functional. In some cases, it does not let users input a different URL, and even if it does, users cannot open it in the same window.
Fake windows will not be displayed if you disable the execution of JS scripts in the browser settings.
Be careful ⁠— do not fall victim to fraud! Businesses can fight new phishing techniques and protect their digital assets by using the comprehensive solution Group-IB Digital Risk Protection. All operations related to scanning resources, underground forums and chats, and analyzing data and detecting illegitimate brand use are performed by automated monitoring tools (parsers, web crawlers, APIs). Depending on the incident type, various response measures are taken, from directly blocking the resource to deleting illegal websites and applications from search results.