Steam account hacking is not something new in itself, but the methods are evolving and a very recent and ingenious method is on the rise. Take care!

Unfortunately, no one is safe from piracy and it even affects large companies like Valve, which have a hard time stemming new methods of online filibustery. This is how a new scam is taking place on Steam. A phishing method more precisely that seems very effective.

Pay attention to your Steam account

A collective of hackers working for the good of warning users against hacking has just brought to light a new kind of scam. This imitates invitations to tournaments, once opened users have their accounts hacked. This new technique, called Browser-In-The-Browser phishing, is particularly dangerous and pernicious. Because it doesn’t just look like a real URL, it’s actually a near-impossible-to-detect perfect copy. More specifically, it seems impossible to distinguish the fake link from the real one just by looking at the details of the page.

Steam users are targeted by a sophisticated hacking scam

Coordinated groups of hackers are targeting Steam users with a “browser-in-browser” scam that steals their login credentials.

Scammers begin the process by sending potential victims a message with a link to a phishing site, under the guise of inviting them to join their team in a gaming tournament or vote in a contest.

The phishing site is disguised as a legitimate esports site, and when victims browse the site, they are hit with a pop-up designed to look like a legitimate Steam authenticator. In reality, the pop-up is a fake window that is part of the site page – hence the scam called “browser-in-the-browser” hack.

Anyone who falls into the fake pop-up and enters their credentials will have sent their login details to the hackers, allowing them to hijack their Steam account.

The scam is used to steal Steam accounts, which can often include hundreds of game books and downloadable content (DLC). Cosmetic items for games including Dota 2 and Counter-Strike: Global Offensive can be worth thousands and can be sold privately or through the Steam Marketplace.

As it stands, the hack is quite sophisticated and only certain groups have access to the phishing kit used to carry it out. These hacking groups tend to offer the scam as a phishing service for pay, and at the moment this particular hack tends to be used in coordinated attacks.

To avoid being hacked, Steam users should avoid clicking on links sent by people they don’t know and trust. It’s also safe to never enter login information on or through a message-linked site.

In other gaming news, Fall Guys is going to space in season 2, with a host of planned crossovers revealed.

Steam accounts threatened by a new phishing technique

In a new wave of attacks, hackers are currently seizing a lot of Steam account access data in order to resell them later. Many details of a fake browser window on the phishing website ensure an authentic appearance. If you want to protect yourself, you have to be very careful about the link you click on.

Hackers steal Steam accounts to resell them

Hackers use an in-browser phishing technique to steal Steam accounts. By using fake browser windows inside another browser window, attackers create a sort of login popup.

A new wave of attacks has now emerged targeting the Steam accounts of professional gamers using this new method. The hackers aim to sell the captured login data afterwards. While a beginner’s Steam account only trades for a few tens of dollars, celebrity accounts are worth between $100,000 and $300,000.

Fake browser windows look authentic thanks to lots of details

According to the report, the hackers mainly use Discord or Telegram channels to distribute the phishing kit and coordinate their attacks. They invite their victims to tournaments of popular games like LoL, CS, Dota 2 or PUBG via direct messages on Steam.

To join the tournament, the site asks its visitors via a supposed pop-up to log in with the access data to their Steam account. However, it is a fake window that is rendered in the existing web page. To prevent the victim from detecting the fake, the page displays a legitimate URL in the address bar and gives a false sense of security by displaying a secure HTTPS connection. Even typical window actions such as minimize, maximize, move and close are possible.

Once the page also asks for the code of the 2FA and the login to the Steam account is successful, it redirects the user to a legitimate URL so that the victim does not become suspicious. But attackers have long since stolen access data.

Caution is and remains the best protection

For anyone who wants to protect themselves from such attacks and keep their Steam account, only the usual advice remains: only open links from trusted sources! And no, a strange Steam user who wants to invite you to a tournament is not such a source. Just like “123456” is not a secure password.

Steam: this new ultra dangerous hacking method is very difficult to spot

Due to its outsized popularity, Steam is regularly attacked by hackers. At least, this is the case for its many less fortunate users, who see themselves losing control of their account and, at the same time, of their toy library and means of payment.

Indeed, the latter uses the browser-in-browser technique, literally “browser in the browser”, which consists in creating a fake web page pretending to be a pop-up window. In this sense, it is very similar to a phishing attack, except that it is much more difficult to spot since it uses the legitimate URL of the site concerned.


Thus, in the case of Steam, hackers send messages directly to their victims on the platform, inviting them to join League of Legends or Counter-Strike teams. The link takes them to a web page resembling at first sight that of a structure organizing e-sport competitions. Of course, to register, you must log in to your Steam account.

This is where the browser-in-browser attack comes in. The login page is actually a fake window embedded in the phishing page. All you have to do is enter your identifiers and the double authentication code to hand over your account to hackers. To make matters worse, this fake page exists in 27 languages, thus being able to adapt to the location of the target.

Unlike its counterparts, this hack kit is not found on hacker forums or the dark web. Instead, it shares itself discreetly on Discord and Telegram servers so that attacks can be coordinated.

The BITB attack puts Steam and its players at risk with bait such as fake tournaments to steal credentials.


On this site, there are offers that invite players to participate in an activity that varies by title. In the case of League of Legends offers to join a team. In the PUBG to participate in a tournament.

Categorized in: