Hackers steal gamers' Steam accounts with fake FACEIT pages

Competitive gamers are the target of a slick phishing campaign that hijacks Steam accounts by impersonating FACEIT, one of the largest platforms for Counter-Strike 2 ranked play, leagues, and tournaments. Researchers at Malwarebytes say the scam funnels victims through a fake "identity verification" page and a counterfeit Steam login window that is convincing enough to fool people who know to check a site's web address before typing a password.

The prize is a Steam account, which for an active player can be worth real money: a library of purchased games, valuable CS2 skins and inventory items, stored wallet funds and saved payment methods, plus years of friends and community reputation. Once attackers are in, they can drain items, scam the victim's friends, or sell the account on criminal marketplaces.

How the attack works

The lure is a website built to look like an official FACEIT page, complete with correct branding and working links to FACEIT's real blog and support pages. It is most likely spread through the channels gamers already use, including community forums, chat servers, social media, and direct messages — the same kind of social-media lures that power the SniperDz phishing-as-a-service operation. Instead of the genuine faceit.com address, the operators register lookalike domains such as faceit-discord[.]com, faceit-clubs-verify[.]com, and faceit-verification-clubs[.]com. Many are only hours or days old, so the fact that a browser has not flagged one yet does not mean it is safe.

The page claims FACEIT is offering optional verification to build a more trusted community, then warns that there is a problem with your CS2 account that you must resolve to prove you are not cheating. It presents a QR code that is deliberately blurred and hard to scan. Malwarebytes researchers believe that is intentional: after a few failed attempts, frustrated users give up on the code and click the easier "Sign in through Steam" button, which is exactly where the theft happens.

A login window that fakes its own address bar

Clicking the button opens what looks like a standard Steam pop-up, with the Steam logo, login fields, and a steamcommunity.com address bar. It is fake. Security researchers call this a Browser-in-the-Browser attack: the "window" is just an image drawn inside the malicious page, so the criminals can make its address bar display whatever they want. Anything typed into the form goes straight to them, and if the page also requests a Steam Guard two-factor code, that is captured too, handing the attackers full access. Real-time theft of two-factor codes is now a standard feature of phishing kits such as the Tycoon 2FA platform. Some victims are then talked into "protecting" their inventory by transferring items to a backup account, when they are really sending them to the thieves.

What you should do

Trust only the address bar at the very top of your browser, never one shown inside a page, and treat any login window that appears within another website as suspect. FACEIT's only legitimate site is faceit.com, so be wary of lookalikes. Treat urgent warnings about account problems or lost access as a red flag, and when in doubt open Steam or FACEIT yourself through the official app or by typing the address rather than following a link. If you already entered your details, change your Steam password immediately, confirm Steam Guard is enabled, sign out of all devices, remove any unfamiliar Steam API keys, and review recent trades and purchases.
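For defenders triaging links from chat exports or proxy logs, the "faceit.com only" rule can be applied mechanically. The sketch below is an added example, not code from Malwarebytes or FACEIT; the function names, the 0.85 similarity cut-off and the `.example` hosts are assumptions, and the sample list is constructed from the defanged domains quoted above.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Legitimate domains named in the article; extend for your own environment.
OFFICIAL = ("faceit.com", "steamcommunity.com")
BRANDS = ("faceit", "steamcommunity")  # brand strings to hunt for elsewhere
FUZZY = 0.85                           # assumed similarity cut-off for typos


def hostname(indicator: str) -> str:
    """Re-arm a defanged indicator in memory only and return its hostname."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.I)
    s = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", s, flags=re.I)
    if "://" not in s:
        s = "//" + s                   # make urlsplit treat a bare host as netloc
    try:
        return (urlsplit(s).hostname or "").rstrip(".").lower()
    except ValueError:                 # stray brackets and similar junk
        return ""


def classify(indicator: str) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'invalid'."""
    host = hostname(indicator)
    if not host:
        return "invalid"
    # Official only if the host IS the domain or a true subdomain of it.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    # Brand string anywhere else: faceit-discord.com, faceit.com.login.example
    if any(b in host for b in BRANDS):
        return "lookalike"
    # Near-miss spellings in any dot- or hyphen-separated token.
    for token in re.split(r"[.-]", host):
        if any(SequenceMatcher(None, token, b).ratio() >= FUZZY for b in BRANDS):
            return "lookalike"
    return "unrelated"


# Constructed sample: the article's defanged domains plus made-up test hosts.
SAMPLES = ["faceit-discord[.]com", "faceit-clubs-verify[.]com",
           "faceit-verification-clubs[.]com", "https://www.faceit.com/en",
           "faceit.com.account-check.example", "faceiit-verify.example"]

if __name__ == "__main__":
    for item in SAMPLES:
        print(f"{classify(item):10} {item}")
```

A "lookalike" verdict is a reason to block or investigate, while an "unrelated" verdict says nothing about safety; it only means the name does not borrow these two brands.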

You can read the original write-up from Malwarebytes Labs.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
