Beware the fake eSports tournaments surfacing on Steam
By Bob Garcia
A number of scams targeting the eSports community are appearing on Steam
It seems like getting a Steam message from someone trying to scam you with a Team Fortress 2 hat was a rite of passage for PC gamers a decade ago, but today’s phishing techniques are much more sophisticated. Cybersecurity firm Group-IB recently uncovered a campaign that uses a phishing technique called browser-in-the-browser (BITB), baiting gamers on Steam with lures such as tournaments in order to steal their credentials. The platform is calling on its users, including Americas Cardroom users, not to fall into this trap.
Infosecurity researcher mr.d0x describes the BITB attack as a threat that lets the cybercriminal clone both the homepage of a website and the pop-up window that appears within it to ask for the user’s credentials, which are then sent to the cybercriminal’s server.
Threats such as these have been on the rise in recent times because platforms such as Steam use a pop-up window as the mechanism for their users to log in. This gives cybercriminals a model to imitate, so that their replica does not arouse suspicion. This particularity has made Steam the latest target of this phishing technique.
To lure their victims, cybercriminals send them a message with a link that redirects them to a cloned website that mimics the design of the platform’s pages. This website presents offers that invite players to participate in an activity that varies depending on the title.
For example, in the case of League of Legends, the offer is to join a team; in the case of PUBG, it is to participate in a tournament. The website also offers the possibility of buying discounted tickets for eSports events or voting for the user’s favorite team in a given game or competition, among other options. Once entered, the credentials are sent to the cybercriminal’s server, rather than to Steam.
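A cloned pop-up of the kind described above is drawn inside the page, so any address it displays is just text while the real origin is the lure site. The following triage heuristic is an added example, not code from Group-IB, mr.d0x or Steam; the official-host list, the function names and the sample page are assumptions constructed for illustration.

```javascript
// Added example: triage heuristic for a browser-in-the-browser login lure.
// Assumption: Steam's sign-in is served from these domains or their subdomains.
const OFFICIAL_HOSTS = ["steamcommunity.com", "steampowered.com"];

// Exact or dot-anchored suffix match, so a lookalike such as
// "steamcommunity.com.tournament.example" is not treated as official.
function isOfficialHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return OFFICIAL_HOSTS.some((d) => h === d || h.endsWith("." + d));
}

// pageUrl: the URL the browser actually loaded; html: the fetched page source.
function assessLoginPage(pageUrl, html) {
  const host = new URL(pageUrl).hostname;
  const hasPasswordField =
    /<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(html);
  // Keep only rendered text: drop script/style bodies, then every tag.
  const visibleText = html
    .replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, " ")
    .replace(/<[^>]+>/g, " ")
    .toLowerCase();
  // An official hostname shown as page text is what a drawn address bar looks like.
  const drawsOfficialUrl = OFFICIAL_HOSTS.some((d) => visibleText.includes(d));
  let verdict = "no-indicator";
  if (isOfficialHost(host)) verdict = "official-host";
  else if (hasPasswordField && drawsOfficialUrl) verdict = "likely-fake-login-window";
  return { host, hasPasswordField, drawsOfficialUrl, verdict };
}

// Constructed sample: a page that draws its own "window" with an address line.
const SAMPLE_PAGE = `
<div class="window">
  <div class="titlebar">Sign in</div>
  <div class="addressbar">https://steamcommunity.com/login</div>
  <form><input type="text" name="user"><input type="password" name="pass"></form>
</div>`;

console.log(
  assessLoginPage("https://steamcommunity.com.tournament.example/join", SAMPLE_PAGE)
);
```

The verdict is a signal for review, not proof: a page can mention a Steam address next to its own login form for legitimate reasons.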