Luring victims using a realistic- and legitimate-looking fake browser window to steal Steam accounts, this new type of social engineering may be a sign of things to come.
I’ve long written about impersonated brands, fake websites, and spoofed logon pages in countless phishing scams and attacks. But this one separates itself a degree of sophistication higher than anything you’ve seen thus far, potentially resetting the bar for future social engineering attacks.
According to security researchers at GroupIB, the new technique – dubbed “Browser-in-the-Browser” – pops up looking like a new window used for authentication; only it’s actually part of the initial malicious site. In the example below, users of the gaming platform Steam are messaged with appealing Steam-related offers (such as participating in a tournament) that would likely require authenticating to Steam. Once on the page with the supposed offer, a new window appears to pop-up asking the user to authenticate.
Look at the details in the screenshot – what looks like a valid URL is place in the “window” along with a green lock, indicating a proper SSL cert. If you didn’t know better (and now you do), you’d think it was legitimate. What’s actually happening is there is no new window; it’s just a very impressively-designed in-site page that collects credentials and even additional “windows” for two-factor authentication needs.
What makes this attack so very dangerous is its’ potential. Think about anytime you use third-party authentication (such as Google, Facebook, Microsoft 365, or any cloud-based directory service) – this same technique could be used to trick users into providing business credentials.
The answer here isn’t to tell users “always double-check it’s a real window” – that’s not the issue; what is good advice (which is taught as part of continual Security Awareness Training) is to never engage with unsolicited messages (whether across email, social media, or in-platform messaging of any kind), as cybercriminals are always looking for new (and do I need to say innovative after you’ve read all this?) ways to fool you out of your credentials.