Is nothing sacred anymore? Hackers are targeting gamers, specifically players of first-person shooters, in a newly discovered campaign that uses a browser-in-browser attack to compromise Steam accounts that can then be sold on the black market. Depending on the number of games and, importantly, DLCs in that account, it can be a very profitable exercise with the most valuable being offered for as much as $30,000.

Counter-Strike 2 Gamers In The Hack Attack Crosshairs

The thoughts of most gamers will turn to cheating players when the word hack is mentioned, and with good reason considering the number of cheats out there. Those hackers are a mere annoyance; malicious criminal hackers need to be taken far more seriously in the scheme of things. Whether it is COD and Fortnite players facing attacks from YouTube hackers, Nvidia GPU vulnerabilities that could open the door to threat actors, or even warnings concerning the increased use of the Windows 11 platform by the gaming community, the threats are constantly evolving. And so it is with this latest campaign that uses browser-in-browser tactics to target Counter-Strike 2 players.

Security researchers at Silent Push have uncovered a new threat campaign targeting Counter-Strike 2 players with a complex browser-in-browser attack tactic in order to compromise their Steam accounts. “These attacks involve fake but realistic-looking browser pop-up windows,” the researchers have warned, “that serve as convincing lures to get victims to log into their scams.”

The hackers have been found to be using brand impersonation, particularly that of the professional eSports team Navi. The campaign offers what appear to be free skins, with a pop-up window seemingly from the Counter-Strike 2 team that promises to help gamers “Play Like Navi.”

“In the attack,” Silent Push said, “the URL of the real site (in this case, Steam) is prominently displayed, leading someone to believe it’s a real pop-up window for logging in.” These browser-in-browser attacks create a fake window that displays a real site in order to develop a sense of trust, as well as offer gamers something for nothing. “Once the potential victim tries to log into the fake Steam portal,” the researchers continued, “the threat actor steals the credentials and likely attempts to take over the account for later resale.”

What First-Person Shooter Gamers Need To Do Now

I have reached out to Valve for a statement. In the meantime, Silent Push warned that the browser-in-browser attack used to target Counter-Strike 2 gamers was likely aimed at desktop users rather than mobile, as the pop-ups were developed to be most convincing at a larger resolution. “Fake pop-ups, such as the login windows in the BitB phishing scheme,” the researchers said by way of advice, “cannot be maximized, minimized, or moved outside the browser window even though victims can interact with the URL bar of the fake pop-up.” That’s one clue that all gamers need to be on the lookout for. If you see a window with a URL bar, always try and drag it outside of the browser. “This is the best way to easily confirm that the pop-up is real,” the Silent Push researchers concluded, “and therefore, the URL bar would correctly display the URL of the pop-up.”
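For defenders who want to automate the same clue, the sketch below is an added example, not code from Silent Push, Valve or the original article. It flags in-page containers that ask for a password while displaying another site's URL as text, which is what a browser-in-browser window does; the function names, the snapshot shape and the sample page are assumptions constructed for illustration.

```javascript
// Added example (not Silent Push's or Valve's tooling). Heuristic: a real pop-up
// is a separate window, so a page's own DOM should never hold a password field
// next to visible text naming some other site's URL.

// Matches a URL or bare hostname shown as text, e.g. "https://host.tld/path".
const SHOWN_URL = /(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[\/:?#\s]|$)/i;

// Coarse same-site test; a production check would use the Public Suffix List.
function sameSite(a, b) {
  return a === b || a.endsWith("." + b) || b.endsWith("." + a);
}

// pageUrl: address of the top-level page.
// blocks: snapshot of in-page containers, e.g. gathered by a content script as
//   { id, text: el.innerText, hasPasswordField: !!el.querySelector("input[type=password]") }
function findFakeAddressBars(pageUrl, blocks) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const findings = [];
  for (const block of blocks) {
    if (!block.hasPasswordField) continue; // no credentials requested here
    const match = SHOWN_URL.exec(block.text);
    if (!match) continue; // no address-bar-like text in this container
    const displayedHost = match[1].toLowerCase();
    if (!sameSite(displayedHost, pageHost)) {
      findings.push({ id: block.id, displayedHost, pageHost });
    }
  }
  return findings;
}

// Constructed sample: a lure page on a reserved .example domain.
const SAMPLE_PAGE = "https://free-skins.example/claim";
const SAMPLE_BLOCKS = [
  { id: "banner", text: "Play Like Navi: free skins", hasPasswordField: false },
  { id: "popup", text: "https://steamcommunity.com/login/home Sign in", hasPasswordField: true },
  { id: "own-login", text: "free-skins.example/login Member sign in", hasPasswordField: true },
  { id: "footer", text: "Terms at https://free-skins.example/terms", hasPasswordField: false },
];

console.log(findFakeAddressBars(SAMPLE_PAGE, SAMPLE_BLOCKS));
```

Only the `popup` container is reported: it requests a password while showing a Steam address on a page served from a different host. The heuristic can produce false positives on pages that legitimately mention other sites near a login form, so treat a hit as a prompt for the drag test rather than a verdict.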
