Hackers are preying on Counter-Strike 2 players by using fake but convincing Steam login pages that trick unsuspecting gamers into entering their account IDs and passwords.
The hackers circulated the attack on websites that pretend to represent the esports team Navi, according to cybersecurity vendor Silent Push. The fake pages contain the slogan “play like Navi,” while offering visitors a “free case” or weapons skin they can use in the game. To receive the reward, the phishing page requires the user to log in to Steam.
(Credit: Silent Push)
That’s when the site displays a pop-up page that looks like the Steam login portal; it even includes the official “steamcommunity.com” domain in the web address. But the pop-up is merely a dummy window inside the phishing page, as Silent Push’s video shows.
The fake pop-up to the Steam login “cannot be maximized, minimized, or moved outside the browser window even though victims can ‘interact’ with the URL bar of the fake pop-up,” the cybersecurity vendor says.
“The campaign’s goal is to make a visitor feel safe, believing the pop-up windows are part of the actual [real] sites. Once the potential victim tries to log into the fake Steam portal, the threat actor steals the credentials and likely attempts to take over the account for later resale,” the company adds.
The tactic is an example of a “browser-in-the-browser” attack, which uses fake pop-ups on a malicious web page to simulate login portals for official domains. Silent Push adds that the attack can be particularly effective for desktop users since the “pop-ups are built to be viewed on larger resolutions.”
“All the [fake Navi] websites we found were in English, with the exception of one Chinese site, which was in Mandarin with some English words,” Silent Push adds. The fake sites were hosted on domains including caserevs[.]com, caseneiv[.]com and casenaps[.]com. The hackers do not appear to have built versions of the fake pop-ups for viewing on mobile phones.
“Our team encourages people to look for fake URL bars in any login pop-ups,” Silent Push says. “If you see a URL bar, always try to drag that window outside the browser you’re viewing. This is the best way to easily confirm that the pop-up is real.”
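For defenders, the practical takeaways above are the three phishing domains and the "fake URL bar" signature of a browser-in-the-browser page. The following Python script is an added example, not code from Silent Push or from the article: it refangs the published domains, flags requests to them (or their subdomains) in proxy log lines, and applies a simple heuristic for a BitB page, namely a page not served from steamcommunity.com that nonetheless renders that hostname as visible text rather than as a link target. The log format, the log lines and the HTML snippet are constructed for the example; the heuristic is a triage signal, not proof of phishing.

```python
"""Flag proxy-log requests to the domains named in the Silent Push report and
apply a browser-in-the-browser (BitB) heuristic to fetched HTML.
Added example: the log format, log lines and HTML below are constructed."""
import re
from urllib.parse import urlsplit

# Domains from the article, written defanged as published and refanged here.
DEFANGED_IOCS = ["caserevs[.]com", "caseneiv[.]com", "casenaps[.]com"]


def refang(domain: str) -> str:
    """Turn 'example[.]com' back into 'example.com'."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def host_matches_ioc(host: str) -> bool:
    """True if host is one of the IoC domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Assumed (constructed) proxy log format: "<ts> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def find_ioc_hits(lines):
    """Return (client_ip, host, url) for every request to an IoC domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, _method, url, _status = m.groups()
        host = urlsplit(url).hostname or ""
        if host_matches_ioc(host):
            hits.append((client, host, url))
    return hits


# Attribute values that legitimately carry URLs; stripped so that a real link
# to Steam does not trigger the heuristic.
ATTR_URL_RE = re.compile(r'\b(?:href|src|action)\s*=\s*["\'][^"\']*["\']', re.I)


def looks_like_bitb(html: str, served_host: str,
                    spoofed_host: str = "steamcommunity.com") -> bool:
    """Heuristic: the page is not served from spoofed_host, yet shows that
    hostname as visible text (e.g. inside a fake address bar) rather than as
    the target of a link or form."""
    served = served_host.lower().rstrip(".")
    if served == spoofed_host or served.endswith("." + spoofed_host):
        return False  # genuinely on the real site; nothing to flag
    without_links = ATTR_URL_RE.sub("", html)
    text_only = re.sub(r"<[^>]+>", " ", without_links)
    return spoofed_host in text_only.lower()


# Constructed sample data (not real traffic or a real page).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://www.example.com/ 200",
    "2024-01-01T10:00:05Z 10.0.0.5 GET https://caserevs.com/play-like-navi 200",
    "2024-01-01T10:00:09Z 10.0.0.7 GET https://login.casenaps.com/steam 200",
    "this line is garbage",
]
SAMPLE_HTML = (
    '<div class="popup"><div class="urlbar">https://steamcommunity.com/login</div>'
    '<form action="/grab"><input name="user"><input name="pass"></form></div>'
)

if __name__ == "__main__":
    for client, host, url in find_ioc_hits(SAMPLE_LOG):
        print(f"IoC hit: {client} -> {host} ({url})")
    print("BitB heuristic on sample page:", looks_like_bitb(SAMPLE_HTML, "caserevs.com"))
```

The host check deliberately requires a dot boundary, so a lookalike such as notcaserevs.com is not matched by accident; extend `DEFANGED_IOCS` with further domains as they are published. The BitB heuristic will also fire on an ordinary page that merely mentions the Steam hostname in text, so treat a hit as a reason to inspect the page, in the spirit of the drag-the-window test Silent Push recommends, rather than as a verdict.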