bleepingcomputer.com/news/security/hackers-steal-steam-accounts-in-new-browser-in-the-browser-attacks/
It starts with a direct message invite on Steam. When you respond you're shown a login screen, only it isn't what you think: it's actually a fake window drawn with JavaScript, and the credentials you type in are captured and sent off to the hackers, who now own your account.
How to spot a Browser-in-the-Browser attack

In all Browser-in-the-Browser phishing cases, the URL in the phishing window is the legitimate one, as the threat actors are free to display whatever they want since it's not a browser window but merely a render of one.
The same applies to the SSL certificate lock symbol, indicating an HTTPS connection, creating a false sense of security for the victims.
Even worse, the phishing kit allows users to drag the fake window around, minimize it, maximize it, and close it, making it very difficult to spot as a fake browser-in-the-browser window.
As the technique requires JavaScript, blocking JS scripts aggressively would prevent the fake login from being displayed. However, most people do not block scripts as it would break many popular websites.
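The point above is that the address bar and padlock in a BitB window are ordinary page content drawn by JavaScript, which is also what a defender can key on. The following is an added example, not code from the article, Group-IB or Mr.D0x: a heuristic that walks a simplified DOM snapshot (the { tag, text, position, type, children } shape and the snapshotFromDom() helper are my own assumptions) and flags positioned containers that paint a URL plus a lock glyph around a login iframe or password field, since real browser chrome never appears in the DOM.

```javascript
// Heuristic: browser chrome is never page DOM, so a fixed/absolute container that paints
// "https://<host>" plus a lock glyph around a login iframe or password field is suspect.
// Element shape assumed (not a standard API): { tag, text, position, type, children }.
const ORIGIN_RE = /(?:^|\s)https:\/\/([a-z0-9.-]+\.[a-z]{2,})(?:[\/\s]|$)/i;
const LOCK_RE = /[\u{1F512}\u{1F510}\u{1F513}]|\block\b/iu; // lock emoji or the word "lock"

// Build the snapshot from a live DOM (e.g. in a browser-extension content script);
// only direct text nodes are kept so each element's own painted text is inspected.
function snapshotFromDom(el) {
  const own = Array.from(el.childNodes).filter(n => n.nodeType === 3).map(n => n.textContent).join(' ');
  return { tag: el.tagName.toLowerCase(), text: own, position: getComputedStyle(el).position,
           type: el.getAttribute('type') || '', children: Array.from(el.children).map(snapshotFromDom) };
}

function descendants(node, out = []) {
  out.push(node);
  for (const c of node.children || []) descendants(c, out);
  return out;
}

// Returns [{ tag, spoofedHost, reasons }]; children of a flagged container are not re-flagged.
function scanForBitB(node, findings = []) {
  if (node.position === 'fixed' || node.position === 'absolute') {
    const desc = descendants(node);
    const text = desc.map(d => d.text || '').join(' ');
    const m = ORIGIN_RE.exec(text);
    if (m) {
      const reasons = ['paints a URL as page text'];
      if (LOCK_RE.test(text)) reasons.push('paints a padlock');
      if (desc.some(d => d.tag === 'iframe')) reasons.push('embeds an iframe as a fake viewport');
      if (desc.some(d => d.tag === 'input' && d.type === 'password')) reasons.push('asks for a password');
      if (reasons.length >= 2) { // a URL alone (cookie banner, footer link) is not enough
        findings.push({ tag: node.tag, spoofedHost: m[1].toLowerCase(), reasons });
        return findings;
      }
    }
  }
  for (const c of node.children || []) scanForBitB(c, findings);
  return findings;
}

// Constructed snapshot: a benign fixed cookie banner plus a JavaScript-drawn fake Steam window.
const SAMPLE_PAGE = { tag: 'body', text: '', position: 'static', children: [
  { tag: 'div', text: 'We use cookies. See https://example.com/privacy', position: 'fixed', children: [] },
  { tag: 'div', text: '', position: 'fixed', children: [
    { tag: 'div', text: '\u{1F512} https://steamcommunity.com/openid/login', position: 'absolute', children: [] },
    { tag: 'iframe', text: '', position: 'static', children: [] } ] } ] };
console.log(scanForBitB(SAMPLE_PAGE));
```

The heuristic is deliberately conservative: a painted URL on its own is common on legitimate pages, so it only reports when a second chrome-like signal is present in the same container.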
The creator of the Browser-in-the-Browser toolkit, Mr.D0x, told BleepingComputer that the best method to check if a popup window is real is to try and move it past the original browser window.
"Always try to drag the popup window to the border of the browser. If it goes under the browser's borders then it's BiTB," explains Mr.D0x.
Group-IB also shared the following ways to detect Browser-in-the-Browser attacks:
Check if a new window is opened in the taskbar, assuming you ungroup programs in the Windows 10 taskbar. If no new taskbar window exists, then this is not a real window. Unfortunately, Windows 11 does not support ungrouping at this time.
Try to resize the window. If you are unable to, it is likely a fake browser window.
Fake BiTB browser windows will close if you minimize them.

In general, be very wary of direct messages received on Steam, Discord, or other game-related platforms, and avoid following links sent by users you do not know.