“Browser-in-the-Browser” Phishing Technique Spotted in New Steam Account Attack

Stu Sjouwerman | Sep 23, 2022

Luring victims with a realistic- and legitimate-looking fake browser window to steal Steam accounts, this new type of social engineering may be a sign of things to come.

I’ve long written about impersonated brands, fake websites, and spoofed logon pages in countless phishing scams and attacks. But this one sets itself apart with a degree of sophistication beyond anything you’ve seen thus far, potentially resetting the bar for future social engineering attacks.

According to security researchers at GroupIB, the new technique – dubbed “Browser-in-the-Browser” – pops up looking like a new window used for authentication; only it’s actually part of the initial malicious site. In the example below, users of the gaming platform Steam are messaged with appealing Steam-related offers (such as participating in a tournament) that would plausibly require authenticating to Steam. Once on the page with the supposed offer, a new window appears to pop up asking the user to authenticate.

[Screenshot: the fake Steam sign-in “window” rendered inside the phishing page. Source: GroupIB]

Look at the details in the screenshot – what looks like a valid URL is placed in the “window” along with a green lock, indicating a proper SSL cert. If you didn’t know better (and now you do), you’d think it was legitimate. What’s actually happening is that there is no new window at all; it’s just a very impressively-designed in-site page that collects credentials and even presents additional “windows” to capture two-factor authentication codes.
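As an added defender-side example (not from this post or from GroupIB’s research), the following Python heuristic flags page markup that draws its own browser chrome: a text node that reads like an address bar and names a host other than the one actually serving the page, combined with a credential form or a cross-origin iframe. The HTML fragments, host names and class names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Text node that reads like a bare address-bar URL (constructed heuristic).
ADDRESS_BAR_RE = re.compile(r"^\s*https?://([\w.-]+)(?:/\S*)?\s*$")


class BitbScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # (kind, detail) pairs

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            host = (urlsplit(a["src"]).hostname or "").lower()
            if host and host != self.page_host:
                self.findings.append(("cross_origin_iframe", host))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append(("password_field", a.get("name", "")))
        if "lock" in (a.get("class", "") + a.get("id", "")).lower():
            self.findings.append(("lock_icon", tag))  # decorative padlock

    def handle_data(self, data):
        m = ADDRESS_BAR_RE.match(data)
        if m:  # the host the fake address bar *claims* to be
            self.findings.append(("address_bar_text", m.group(1).lower()))


def scan_for_bitb(html, page_host):
    """Return (suspicious, findings): suspicious when the page draws an
    address bar naming another host and also carries a credential form."""
    s = BitbScanner(page_host)
    s.feed(html)
    kinds = {k for k, _ in s.findings}
    claimed = {d for k, d in s.findings if k == "address_bar_text"}
    spoofed = any(h != page_host.lower() for h in claimed)
    has_form = bool(kinds & {"password_field", "cross_origin_iframe"})
    return spoofed and has_form, s.findings


# Constructed sample fragments with placeholder hosts, not a real kit.
SAMPLE_BITB = ('<div class="fake-window"><span class="lock-icon"></span>'
               '<span class="urlbar">https://steamcommunity.com/openid/login</span>'
               '<iframe src="https://login-steam.example/form"></iframe></div>')
SAMPLE_BENIGN = '<p>Docs: <a href="https://steamcommunity.com/">https://steamcommunity.com/</a></p>'

if __name__ == "__main__":
    print(scan_for_bitb(SAMPLE_BITB, "tournament-offer.example"))
```

A plain link whose text is a URL does not trip the check on its own; the verdict needs the spoofed address bar together with a place to type credentials.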

What makes this attack so very dangerous is its potential. Think about any time you use third-party authentication (such as Google, Facebook, Microsoft 365, or any cloud-based directory service) – this same technique could be used to trick users into providing business credentials.

The answer here isn’t to tell users “always double-check it’s a real window” – that’s not the issue. What is good advice (and is taught as part of continual Security Awareness Training) is to never engage with unsolicited messages, whether they arrive by email, social media, or in-platform messaging of any kind, because cybercriminals are always looking for new (and do I need to say innovative after you’ve read all this?) ways to fool you out of your credentials.
