New BiTB Phishing Attacks Steal Steam Accounts

What’s happening?

• The phishing kit isn't easily procurable on hacking forums or the dark web. Instead, hackers use Discord or Telegram channels to gain easy access to the new phishing kit.
• Threat actors intend to sell access to these hacked accounts, starting from $100,000 to $300,000.

The attack campaign

• To participate in the competition, the guests are requested to log in via their Steam account. However, the user is unaware that the new login page window is a fake window developed by the hackers to carry out the phishing attack.
• Once user credentials are entered, a novel form prompts the participant to insert the 2FA code. In case the entered code is incorrect, an error message is exhibited.
• However, in case of successful authentication, the user lands on a URL set by the C2 to reduce the likelihood of the victim discovering the intrusion. 
• Having taken over victims' accounts, the threat actors change their passwords and email addresses to make it harder for them to reclaim control.

Red flags

• The user should look for the fake address bar at the top of the pop-up window. 
• To fool the users, the phishing kit allows them to interact with the fake window features, making it difficult to spot the difference between the original window and the fake BiTB window. 
• Online users should be wary of any direct messages received on Steam, or other platforms, and avoid clicking on links sent by unknown sources.