VYPR Research · Published Jun 12, 2026 · 1 source

Fake FACEIT Verification Pages Use Browser-in-the-Browser Attack to Steal Steam Accounts

A phishing campaign targeting Steam accounts uses fake FACEIT verification pages with lookalike domains and a blurry QR code to trick gamers into handing over credentials.

A new phishing campaign is targeting Steam accounts by impersonating FACEIT, the popular competitive gaming platform for Counter-Strike 2 (CS2). The scam uses fake verification pages that closely mimic FACEIT's official branding, complete with working links to real blog and support pages. Victims are lured into clicking a 'Sign in through Steam' button that captures their credentials via a Browser-in-the-Browser attack, according to researchers at Malwarebytes.

The attack begins with a website that claims FACEIT is offering free, optional identity verification to build a more trusted community. The pages are hosted on lookalike domains such as faceit-discord.com, faceit-clubs-verify.com, and faceit-verification-clubs.com — addresses that are often only days or hours old. The scam is likely distributed through community forums, chat servers, social media posts, and direct messages, targeting gamers who are accustomed to linking accounts and following verification steps.

A key element of the scam is a deliberately blurry QR code on the verification page. Researchers believe the blur is intentional, making the QR code difficult to scan and nudging victims toward the 'Sign in through Steam' button instead. When users click that button, a fake Steam login window appears inside the page. This is a classic Browser-in-the-Browser attack: the window looks like a genuine browser pop-up with a steamcommunity.com address bar, but the address bar is part of the image. Any credentials entered — including Steam Guard codes — are sent directly to the attackers.

Stolen Steam accounts can be stripped of valuable CS2 skins and items, purchased games, wallet funds, and saved payment methods. Attackers may also use the account to scam friends or sell it on criminal marketplaces. In some cases, victims are tricked into 'protecting' their items by transferring them to a friend or backup account, which actually sends them to the scammers.

Malwarebytes advises gamers to always check the real address bar at the top of their browser, not the one inside a webpage. FACEIT's official domain is faceit.com, and any variation with extra words like 'verification' or 'discord' should be treated as suspicious. Users should also be wary of blurry QR codes, treat urgent messages about account problems as warning signs, and navigate directly to official websites rather than following links from messages or ads.
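One way to turn the domain advice above into a defender-side check is to flag any hostname that evokes the brand but whose registrable domain is not the official one, so faceit-discord.com and faceit.com.<something>.net are both caught while www.faceit.com passes. This is an added example, not code from Malwarebytes or the article; the key=value proxy-log format, the user names and the two-entry allow-list (faceit.com, steamcommunity.com, the only official domains the article names) are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Official domains named in the article; any other host evoking the brand is a lookalike.
OFFICIAL_DOMAINS = {"faceit": {"faceit.com"}, "steam": {"steamcommunity.com"}}

# Constructed sample proxy log lines (key=value form is an assumption, not from the article).
LOG_LINES = [
    "2026-06-12T10:01:02Z user=alice url=https://www.faceit.com/en/blog",
    "2026-06-12T10:02:17Z user=bob url=https://faceit-discord.com/verify",
    "2026-06-12T10:03:44Z user=carol url=https://faceit-clubs-verify.com/steam/login",
    "2026-06-12T10:04:09Z user=dave url=https://steamcommunity.com/openid/login",
    "2026-06-12T10:05:30Z user=erin url=https://faceit.com.account-verify.net/",
    "2026-06-12T10:06:12Z user=frank url=https://example.org/",
]

URL_FIELD = re.compile(r"\burl=(\S+)")
USER_FIELD = re.compile(r"\buser=(\S+)")


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. 'faceit-discord.com'. Simplified: no Public
    Suffix List, so multi-label suffixes such as co.uk would be mis-split."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """'official' if the registrable domain is allow-listed; 'lookalike' if the
    brand name appears anywhere in the hostname (subdomain or hyphenated label)
    but the registrable domain is not official; otherwise 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    for brand, official in OFFICIAL_DOMAINS.items():
        if reg in official:
            return {"host": host, "registrable": reg, "brand": brand, "verdict": "official"}
        if brand in host:
            return {"host": host, "registrable": reg, "brand": brand, "verdict": "lookalike"}
    return {"host": host, "registrable": reg, "brand": None, "verdict": "unrelated"}


def flag_log_lines(lines) -> list:
    """Return (user, host) pairs for every request whose host is a lookalike."""
    flagged = []
    for line in lines:
        url, user = URL_FIELD.search(line), USER_FIELD.search(line)
        if not url:
            continue
        info = classify_url(url.group(1))
        if info["verdict"] == "lookalike":
            flagged.append((user.group(1) if user else "?", info["host"]))
    return flagged
```

Running `flag_log_lines(LOG_LINES)` reports bob, carol and erin; a production version would replace `registrable_domain` with a Public Suffix List lookup and extend the allow-list from an authoritative source.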

This campaign highlights the ongoing threat of credential phishing in the gaming community, where valuable digital assets make accounts a prime target. The use of Browser-in-the-Browser attacks and deliberately broken QR codes shows how attackers continue to refine their social engineering techniques to bypass user awareness.

Synthesized by Vypr AI