I haven’t seen this kind of a phishing attempt before, so I thought I’d share it here.
This started as a classic phishing attack: a Steam (gaming platform) friend asks if I can vote for his team. In order to vote, I have to use Steam OAuth to log in, which is a common thing among legit websites.
What surprised me was the quality of the trick. When you click “Sign in via Steam”, a virtual popup window opens inside the original tab. It’s not a real window, it’s just CSS trickery to create a layer above the current website, pretending to be a new window, which you can check by minimizing it. What this does is make you think that you’re using the correct Steam URL and that it’s safe to enter your credentials because you see the Valve Corporation name and the lock icon, which are all UI elements of the website.
Even worse, if you have 2FA enabled, it will ask you for a 2FA code received on your phone, and if you give it to them, it will actually migrate your Steam authenticator app to the attacker’s device, completely locking you out of your account.
Steam isn’t commonly used, but what if this kind of attack was used on Google / face OAuth? I can see this tricking a lot of people into giving their credentials.
I wanted to put a picture, but this subreddit does not allow pics.
Do NOT open this link unless you know what you are doing. DO NOT ENTER YOUR USERNAME AND PASSWORD, THEY WILL BE STOLEN: >![https://epuncharena.com/dota/2/tournament](https://epuncharena.com/dota/2/tournament)!<
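
A detection heuristic for the in-page fake window described in the post, added here as an example and not part of the original post: it flags an overlay layer that contains a password field and displays a URL for a host other than the one the document was actually loaded from. The snapshot format, the function names and the `tournament.example` host are assumptions made for illustration.

```javascript
// Added example. The DOM snapshot below is constructed sample data (plain
// objects, not a live browser DOM); tournament.example is a placeholder host.
const URL_LIKE = /https?:\/\/[^\s]+/i;

// Depth-first walk over a node and all of its descendants.
function* walk(node) {
  yield node;
  for (const child of node.children || []) yield* walk(child);
}

// Hostname of the first URL shown in a text string, or null if there is none.
function displayedHost(text) {
  const m = URL_LIKE.exec(text || "");
  if (!m) return null;
  try { return new URL(m[0]).hostname.toLowerCase(); } catch { return null; }
}

// Flag layers positioned over the page that hold a password field and also
// display a URL whose host differs from the document's real host. A genuine
// sign-in popup shows its address in browser UI, not as text inside the page.
function findFakeLoginWindows(pageUrl, root) {
  const realHost = new URL(pageUrl).hostname.toLowerCase();
  const findings = [];
  for (const layer of walk(root)) {
    if (!["fixed", "absolute"].includes(layer.position)) continue;
    const inside = [...walk(layer)];
    if (!inside.some(n => n.tag === "input" && n.type === "password")) continue;
    for (const n of inside) {
      const shownHost = displayedHost(n.text);
      if (shownHost && shownHost !== realHost) findings.push({ layer: layer.id, shownHost, realHost });
    }
  }
  return findings;
}

// Constructed snapshot: a footer link plus an overlay imitating a sign-in window.
const SAMPLE_PAGE = { id: "body", tag: "body", children: [
  { id: "footer", tag: "div", text: "Rules: https://rules.example/terms" },
  { id: "fake-window", tag: "div", position: "fixed", children: [
    { id: "fake-address-bar", tag: "div", text: "Valve Corp. [US] https://steamcommunity.com/openid/login" },
    { id: "user", tag: "input", type: "text" },
    { id: "pass", tag: "input", type: "password" },
  ] },
] };

console.log(findFakeLoginWindows("https://tournament.example/vote", SAMPLE_PAGE));
```

In a browser extension or crawler the same check would be fed from `getComputedStyle` and the live DOM instead of a snapshot; the footer link is ignored because it sits outside any overlay that collects a password.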