Update, March 28, 2025: This story, originally published March 27, has been updated with more information regarding the market in stolen Counter-Strike 2 skins, which gamers have played or paid so much for.
Is nothing sacred anymore? Hackers are targeting gamers, specifically players of first-person shooters, in a newly discovered campaign that uses a browser-in-browser attack to compromise Steam accounts that can then be sold on the black market. Depending on the number of games and, importantly, DLCs in that account, it can be a very profitable exercise with the most valuable being offered for as much as $1 million. Yes, you read that right.
Counter-Strike 2 Gamers In The Hack Attack Crosshairs
The thoughts of most gamers will turn to cheating players when the word hack is mentioned, and with good reason considering the number of cheats out there. Those hackers are a mere annoyance; malicious criminal hackers need to be taken way more seriously in the scheme of things. Whether it is COD and Fortnite players facing attacks from YouTube hackers, Nvidia GPU vulnerabilities that could open the door to threat actors, or even warnings concerning the increased use of the Windows 11 platform by the gaming community, the threats are constantly evolving. And so it is with this latest campaign that uses browser-in-browser tactics to target Counter-Strike 2 players.
Security researchers at Silent Push have uncovered a new threat campaign targeting Counter-Strike 2 players with a complex browser-in-browser attack tactic in order to compromise their Steam accounts. “These attacks involve fake but realistic-looking browser pop-up windows,” the researchers have warned, “that serve as convincing lures to get victims to log into their scams.”
The hackers have been found to be using brand impersonation, particularly that of the professional eSports team Navi. The campaign offers what appear to be free skins, with a pop-up window seemingly from the Counter-Strike 2 team that promises to help gamers “Play Like Navi.”
“In the attack,” Silent Push said, “the URL of the real site (in this case, Steam) is prominently displayed, leading someone to believe it’s a real pop-up window for logging in.” These browser-in-browser attacks create a fake window that displays a real site in order to develop a sense of trust, as well as offer gamers something for nothing. “Once the potential victim tries to log into the fake Steam portal,” the researchers continued, “the threat actor steals the credentials and likely attempts to take over the account for later resale.”
Gamers Stand To Lose Everything They Have Played And Paid For
Although it may well come as a surprise to non-gamers, the market for skins in certain games is through the roof. Be that by way of a uniform or a gun, cosmetics mean everything when it comes to showing your status online. One of the strongest markets for such skins is within the CS:GO and Counter-Strike 2 community where, as already mentioned, the record price has, it would appear, already hit $1 million. That number really doesn’t shock me, truth be told, as I was reporting on the $1 million yearly economy in stolen account sales regarding Fortnite, with the value of skins being the driving force, back in 2020.
A quick Google search will reveal the extent of the marketplace for trading Counter-Strike 2 skins. It should not be assumed, however, that the search hits returned will just point to sites trading in stolen items, as much, while far from being all, of that dark trade takes place in the less illuminated parts of the internet, such as on dark web forums.
In order to steal those skins, however, hackers need to be able to access your game accounts. This is where this latest warning about password attacks against Steam gamers comes into play. Once they have access to your account, your skins can quickly be sold to interested buyers. I spoke to one hardcore gamer who told me that Counter-Strike skins are so sought after that even some gambling sites will now exchange them for cash or cryptocurrency.
To give you an idea of just how much these items can be worth, I visited a trading site and browsed among the Counter-Strike skins. Those labeled as remarkable strikers were attracting the highest prices, with a Titan (Holo) on sale for $78,000. The Gungnir covert sniper rifle seems like a bargain, relatively speaking, at just $12,867. A rare contraband rifle, M4A4 Howl, was being sold for as much as $13,000, while a pair of Vice sports gloves could be snapped up for anywhere between $550 and $15,000, apparently.
What First-Person Shooter Gamers Need To Do Now
I have reached out to Valve for a statement. In the meantime, Silent Push warned that the browser-in-browser attack used to target Counter-Strike 2 gamers was likely aimed at desktop users rather than mobile, as the pop-ups were developed to be most convincing at a larger resolution. “Fake pop-ups, such as the login windows in the BitB phishing scheme,” the researchers said by way of advice, “cannot be maximized, minimized, or moved outside the browser window even though victims can interact with the URL bar of the fake pop-up.” That’s one clue that all gamers need to be on the lookout for. If you see a window with a URL bar, always try and drag it outside of the browser. “This is the best way to easily confirm that the pop-up is real,” the Silent Push researchers concluded, “and therefore, the URL bar would correctly display the URL of the pop-up.”
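The researchers' point that a fake pop-up lives inside the page can also be checked mechanically. The following is an added example, not code from Silent Push or Valve: a heuristic that flags an in-page container holding a password field while rendering, as ordinary text, a URL whose host differs from the host the page was actually loaded from. The snapshot format, function names and the `free-skins.example` and `legal.example` hosts are assumptions constructed for illustration.

```javascript
// Added example: heuristic browser-in-browser (BitB) check over a page snapshot.
// The snapshot shape and all names below are hypothetical, not from Silent Push.
const URL_TEXT = /\bhttps?:\/\/[^\s"'<>]+/gi;

// Ids of the containers enclosing an element, nearest first, excluding the root.
function containerChain(byId, el) {
  const chain = [];
  let cur = byId.get(el.parent);
  while (cur && cur.parent != null) {
    chain.push(cur.id);
    cur = byId.get(cur.parent);
  }
  return chain;
}

// Flag in-page containers that hold a password field AND render a URL whose
// host differs from the host the page was really loaded from.
function findFakeLoginWindows(snapshot) {
  const pageHost = new URL(snapshot.pageUrl).hostname;
  const byId = new Map(snapshot.elements.map((e) => [e.id, e]));
  const credentialContainers = new Set();
  for (const el of snapshot.elements) {
    if (el.tag === "input" && el.type === "password") {
      containerChain(byId, el).forEach((id) => credentialContainers.add(id));
    }
  }
  const findings = [];
  for (const el of snapshot.elements) {
    for (const shown of (el.text || "").match(URL_TEXT) || []) {
      let shownHost;
      try { shownHost = new URL(shown).hostname; } catch { continue; }
      if (shownHost === pageHost) continue; // a page showing its own address is fine
      const container = containerChain(byId, el).find((id) => credentialContainers.has(id));
      if (container !== undefined) findings.push({ container, shownHost, pageHost });
    }
  }
  return findings;
}

// Constructed snapshot: a lure page drawing a "window" with a Steam URL in its title bar.
const SAMPLE = {
  pageUrl: "https://free-skins.example/claim",
  elements: [
    { id: "body", parent: null, tag: "body" },
    { id: "overlay", parent: "body", tag: "div" },
    { id: "titlebar", parent: "overlay", tag: "div", text: "https://steamcommunity.com/openid/login" },
    { id: "form", parent: "overlay", tag: "form" },
    { id: "pw", parent: "form", tag: "input", type: "password" },
    { id: "footer", parent: "body", tag: "div", text: "Terms: https://legal.example/tos" },
  ],
};
console.log(findFakeLoginWindows(SAMPLE));
```

A genuine login pop-up is a separate top-level window, so its address never appears as text inside the page that opened it; that is the same property the drag test relies on.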