What are infostealers?
Infostealers are a type of malware designed to infiltrate computer systems to steal information. They exfiltrate various data, including login credentials, session cookies, financial info, and personally identifiable information, sending it to a remote server controlled by cybercriminals.
Why are infostealers so bad?
SpyCloud recaptured 721 million credentials from the criminal underground in 2022, 48.5% of which were exfiltrated from infostealer malware-infected devices. This data can be used for various criminal activities by threat actors, including account takeover, identity theft and financial, and used to gain unauthorized access to systems and networks, leading to a data breach or ransomware. Another challenge with infostealers is their dissolvable nature; they often execute and can remove themselves within seconds, leaving no trace of an attack and no forensic artifacts on the victim’s device to inform defenders on the type of attack encountered.
What information is collected by infostealers?
Infostealer malware can collect any information from an infected device and its browser, such as:
- Login credentials: Usernames, passwords, and other authentication details like session cookies for various online accounts. We’re now starting to see infostealers exfiltrate 2FA tokens and passkeys.
- Financial information: Credit card numbers, bank account details, and other financial data stored in the browser.
- Identity data: Social security numbers, addresses, phone numbers, and other forms of PII.
How do infostealers infect victims?
Infostealers spread like most other malware: through social engineering attacks, email, SEO poisoning, malicious links, botnets, etc.
SpyCloud researchers have observed the following attack vectors commonly used to spread infostealer malware:
- Malicious ads posted on popular sites
- Placing malicious links in YouTube descriptions
- Downloading game mods infected with malware
How are credential stuffing and infostealers related?
Credential stuffing is an automated attack that uses a combolist containing previously breached credentials for websites and applications. While combolists are typically usernames and passwords exposed in data breaches, some combolists now contain data from stealer logs (from infostealer malware). Infostealers extract a variety of valid authentication information from infected machines, including usernames, email addresses, passwords, browser cookies, and autofill data – in-use data that is fresher than older data breaches. This shift will make credential stuffing attempts more successful as long as the infostealer-exfiltrated data is not properly remediated.
How to detect and respond to infostealers
Traditional security measures, while helpful, are not enough to effectively detect and respond to infostealers. SpyCloud found that in the first half of 2023, 20% of all recaptured infostealer malware logs indicated there was an antivirus program installed at the time of successful malware execution. Visibility into data exfiltrated from infected devices is crucial; knowing what criminals have in hand from an affected device, including stolen credentials for critical workforce applications, is necessary to stop follow-on attacks. Especially in the cases of dissolvable malware, the only thing that can enable proper Post-Infection Remediation is the exact data that’s been stolen.
How SpyCloud helps prevent infostealer infections from becoming a bigger problem
Organizations should keep their first lines of malware defense current to combat threats as they emerge – but also be aware that there are additional post-infection remediation steps needed to account for exposures you may not even know you have. SpyCloud’s advanced malware protection capabilities help organizations remediate exposures from exfiltrated data including login credentials and authentication cookies/tokens that can easily open the door for account takeover and even ransomware. Today more than ever, it’s important to have a complete infostealer malware incident response plan.