What are Infostealers?
An infostealer (information stealer, or just stealer) is a type of malware, usually a Trojan that (like its namesake) is able to sneak in and wreak havoc because it isn’t seen as a threat. Its purpose is to collect information from the infected computer. Such information includes, but is not limited to:
- Passwords saved in all browsers
- Cookies and history
- Credit card information
- Global information about the computer (OS, hardware, installed software…)
- Software credentials (your personal logins to your bank, insurance, and even corporate logins like Microsoft Outlook or Salesforce)
All the information collected by the infostealer is then packaged into an archive, which is called a log.
The log (basically a copy of a user’s most precious information) enables a malicious actor to easily take full control of the victim’s online identity. The passwords can give access to the victim’s accounts on any platform: email, gaming, online shopping, social networks, entertainment, corporate, etc. In addition, the cookie values can be injected directly into a browser in order to log in as the victim, without even entering a password.
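The cookie replay described above leaves a server-side trace: the stolen cookie is used from a client that is not the one that logged in. The following is an added example (not code from the original article or from CybelAngel) that binds each session to a coarse client fingerprint at login and flags later requests from a mismatching context; the event format and sample values are constructed for illustration.

```python
# Added example: detect a session cookie being used from a client context
# different from the one that created it, as happens when a cookie value
# taken from an infostealer log is injected into another browser.
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientContext:
    ip_prefix: str    # first three octets of the IPv4 address (/24)
    user_agent: str   # User-Agent header observed at login


def fingerprint(ip: str, user_agent: str) -> ClientContext:
    """Coarse client fingerprint: /24 network prefix plus User-Agent."""
    return ClientContext(".".join(ip.split(".")[:3]), user_agent)


def find_replayed_sessions(events: list[dict]) -> list[dict]:
    """Walk login/request events in order and report requests whose session
    cookie was minted for a different client context. Each event is a dict
    with keys: event ('login' or 'request'), session, ip, ua (constructed format)."""
    bound: dict[str, ClientContext] = {}
    alerts: list[dict] = []
    for ev in events:
        ctx = fingerprint(ev["ip"], ev["ua"])
        sid = ev["session"]
        if ev["event"] == "login":
            bound[sid] = ctx      # bind the cookie to the context that earned it
            continue
        origin = bound.get(sid)
        if origin is None:
            continue              # session not seen at login: nothing to compare
        if origin != ctx:
            alerts.append({"session": sid, "login_from": origin, "used_from": ctx})
    return alerts


# Constructed sample events: a legitimate login, a normal request, then the
# same cookie presented from another network with a different browser.
SAMPLE_EVENTS = [
    {"event": "login",   "session": "s-7f3a", "ip": "203.0.113.10",  "ua": "Firefox/115"},
    {"event": "request", "session": "s-7f3a", "ip": "203.0.113.10",  "ua": "Firefox/115"},
    {"event": "request", "session": "s-7f3a", "ip": "198.51.100.77", "ua": "Chrome/120"},
]

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_EVENTS):
        print("possible cookie replay:", alert)
```

Legitimate users also change networks and browsers, so a mismatch is a signal for step-up authentication or session invalidation rather than proof of theft on its own.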
While they have been around for a while, infostealers have been gaining popularity since 2019, with more strains of the malware being offered on various forums.
Types of Infostealers
Infostealers target a wide variety of information; the list below is just a sample of what cybercriminals are after:
- Browser-saved information: passwords, credit cards, auto-complete data
- Files: search and exfiltrate sensitive files based on extensions or path
- Data from FTP, Steam and instant messaging clients (Telegram, Discord)
- Cryptocurrency wallets
They might also include advanced features like:
- Clipper (replaces a cryptocurrency address copied to the clipboard with an attacker-controlled one)
- Anti-VM (virtual machine) capabilities to evade detection
Distribution of Infostealers
In the real world, thieves will go around or even through the barriers in their way (walls, doors, locks) to get to what they want. In the digital world, infostealers have to be let in—but they are very, very good at finding ways to trick unsuspecting users into opening the door. Like most Trojans, infostealers are distributed via traditional channels:
- Cracked software and games
- Fake password crackers
- Fake account recovery software
- Ads for “cleaner” software
- Phishing emails
Economics of Infostealers
Creating infostealer malware requires knowledge and skill; obtaining and using it does not. The malware ecosystem is moving towards Malware as a Service (MaaS) and infostealers are no exception.
Prices are roughly the same across the different strains of stealers. They usually range from $100 to $200 a month, or $1,000 for a lifetime subscription. Stealers are primarily sold via forums and instant messaging.
Most of the malicious actors infecting computers at scale with their infostealers do not use the logs themselves; instead they sell them via forums or via specialized sites like Russian Market or Genesis Market. Logs are usually sold for anywhere from $1 to $150. Logs are a commodity for cybercriminals and anyone can buy them cheaply—that’s one of the reasons they are so dangerous.
Why are Infostealers Dangerous?
While the majority of infected computers are personal machines, because the distribution channels are usually tied to leisure activities (gaming) or illegal ones (cracking accounts), it should be noted that certain actors focus specifically on infecting corporate devices, usually via phishing campaigns. The ever-growing trend of “bring your own device” in corporate settings, the blurring of the line between professional and personal use of devices, and the tendency of people to reuse passwords can quickly lead to corporate accounts being compromised.
Infostealers are inexpensive and easily obtained, and can be deployed by anyone, since they do not require a high level of technical skill or knowledge. This alone makes them far more dangerous than many other attacks, because they are so widespread. In fact, the Verizon 2022 Data Breach Incident Report found a 30% increase in stolen credentials since 2017, cementing credential theft as one of the most tried-and-true methods of gaining access to an organization over the past four years.
How to Guard Against Infostealers
On the one hand, infostealers are at a disadvantage because they require someone to take an action that gives them access. On the other hand, infostealers are so prevalent and so good at what they do that tripping someone up is often just a matter of time.
Awareness and diligence will always be the best defense against infostealers. Ensure employees understand the threat that infostealers pose and train them to be on the lookout for suspicious sites, forms, email messages and links.
But if the worst should happen and credentials are stolen, know that you still have options. CybelAngel’s Account Takeover Prevention solution can break the link between theft and profit. Learn more here.
CybelAngel’s proactive measures enable an organization to identify a threat before it can move across networks or devices. To quickly learn if you have exposures that are putting you at risk, request a complimentary External Exposure Scan.