A new wave of malware is gaining traction in the form of infostealers, potent data-harvesting tools that have become the go-to choice for threat actors due to their ability to quickly and effectively siphon sensitive information to sell on the dark web. Use of infostealers by groups specializing in ransomware surged by 266%, according to IBM’s X-Force Threat Intelligence Index.
Infostealer malware has become ransomware operators’ reconnaissance tool of choice for its ability to stealthily gather login credentials that provide unilateral access across networks, escalate privileges, and tailor attacks to inflict maximum damage before deploying a ransomware payload. IBM reports a 71% year-over-year increase in cyberattacks using stolen or compromised credentials. Further, with the share of cyber incidents involving data theft and leaks hitting 32% in 2024, indications are that cyber attackers are beginning to favor outright theft and sale of data over encryption and extortion.
Researchers from Spyware further report that 61% of breaches in 2023 were related to malware and were responsible for nearly 343.8 million stolen credentials. As many as one in five people were impacted, and each infection exposed, on average, 10 to 25 third-party business application credentials.
But it doesn’t stop with the immediate infection. One of the more insidious aspects of infostealers is their ability to set the stage for future attacks. Nearly one-third of companies that experienced a ransomware event in 2023 had at least one infostealer infection in the 16 weeks prior to being attacked.
A Primer on Infostealers
Infostealers are part of the emerging malware-as-a-service (MaaS) economy, in which coders develop and sell infostealer malware to cybercriminals. They are designed to infect systems or networks and extract sensitive data such as names, addresses, dates of birth, social security numbers, passwords and other credentials, credit card numbers, bank information—anything that has value on the dark web or black market, or that can be used to extort victims by demanding ransom in return for not releasing the information publicly.
Some infostealers delete themselves immediately after stealing an initial trove of data. Others are programmed to remain on the infected computer, continuously scouring for new data to steal.
Considered a form of social engineering, infostealer attacks utilize deceptive tactics to trick users into downloading and running the malware. One of the most prominent and costly forms is phishing, in which email or text messaging is used to trick employees or guests into clicking on links to download malicious software. Driven by the growing popularity of generative AI, phishing attacks have surged by 1,265%, with HTML attachments making up half of the file types used for email-based phishing attacks.
Other common avenues of infostealer malware deployment are fake password or account recovery software, password crackers, and software updates. Also popular are “drive-by” attacks, which are launched when the victim visits an infected website that has been promoted most often via “malvertising,” deceptive software downloads, and on gaming sites.
Thanks to the increasing sophistication of AI, one of the increasingly popular avenues is vishing: phone calls or voicemails that mimic known people or organizations to trick people into sharing sensitive information. Other common tactics are:
- Clipboard Hijacking: Monitoring and modifying the content of a computer’s clipboard.
- Cookie Hijacking or Sidejacking: Taking over an internet session to steal cookies and session tokens.
- Credential Dumping: Extracting account credentials and other stored data.
- Email Harvesting: Searching emails and stored files to collect email addresses and other contact information.
- Form Grabbing: Intercepting data submitted via web forms before it can be encrypted.
- Keylogging: Capturing every keystroke made by a user on their computer.
- Man-in-the-Browser Attacks: Injecting malicious code or a Trojan Horse into a web browser to manipulate information as it’s entered.
- Screen Capture and Recording: Taking screenshots of the victim’s screen at key moments.
Once installed, infostealers leverage a variety of tactics to capture credentials and sensitive information, potentially wreaking havoc on the compromised guests’ finances and leading to significant financial and reputational damage to the affected business. These stolen credentials can also be used to gain access to connected systems, such as payment portals.
For example, the May 2024 Ticketmaster security breach that impacted more than 40 million users was traced back to infostealer malware that gained access to the network via its customer service portal after hacking into an employee’s account via the company’s cloud storage service provider. Infostealer malware was also used to access Booking.com accounts, which attackers then used to launch sophisticated phishing campaigns featuring convincing messages about canceled reservations or payment verification needs. Victims were sent to a spoof of the Booking.com website, where they entered personal information and credit card details to salvage their “canceled” reservations.
Fending Off Infostealers
When it comes to protecting against infostealers, it’s not enough to have antivirus, multifactor authentication (MFA) or endpoint detection and response (EDR) solutions. In fact, according to Spyware, for the first six months of 2024, at least 54% of devices infected with infostealer malware had an antivirus or EDR solution installed at the time of successful malware infection.
Companies aren’t defenseless, however. There are several actions organizations can implement immediately to cut the risk of falling victim to infostealers, beginning with deploying firewalls and anti-malware software from reputable vendors to continuously monitor for and block malicious activity. These systems should be updated frequently to ensure they are watching for the latest threats.
In terms of credentials, strong passwords that are changed regularly and the use of MFA can make it more difficult for malware to steal credentials if they do make it inside. Limiting the use of third-party apps on the network can add an additional layer of protection.
Because infostealers rely on human error, training to increase staff awareness is a crucial aspect of cybersecurity best practices. At a minimum, staff should be trained on the importance of logging out of devices, using and updating strong passwords, keeping credentials private, and how to spot and report potential phishing and other infostealer techniques. Other areas of training focus include:
- Avoidance. This includes avoiding the use of search engines to locate login pages and instead bookmarking legitimate URLs.
- Awareness. Train staff to spot subtle changes to URLs, which is a common tactic used by hackers to send users to spoofed sites, and to be wary of clicking on online ads, which can lead them to malicious and spoofed web pages where malware is lurking.
- Vigilance. For inbound email, train staff to be vigilant and verify the sender’s email address before clicking on links, attachments, or hyperlinked content.
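The URL checks in the training points above (use bookmarked login pages, watch for subtle changes to URLs) can also be enforced in tooling such as a mail gateway or web proxy. The Python below is an added example, not part of the original article; the allowlist contents, the function names and the distance threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the organisation's bookmarked login hosts (constructed sample list).
ALLOWED_HOSTS = {"booking.com", "admin.booking.com", "ticketmaster.com"}

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_url(url, allowed=ALLOWED_HOSTS, max_distance=2):
    """Return (verdict, detail); verdict is 'trusted', 'lookalike' or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ("unknown", "no hostname")
    if host in allowed and parts.username is None:
        return ("trusted", host)
    # "https://booking.com@other.example/" shows a trusted name before the real host.
    if parts.username is not None:
        return ("lookalike", "userinfo before host")
    # Non-ASCII or punycode labels can render like a trusted name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return ("lookalike", "internationalised hostname")
    for good in allowed:
        # Trusted name used as the leading labels of another domain.
        if host.startswith(good + ".") or host.startswith(good + "-"):
            return ("lookalike", "embeds " + good)
        # One or two characters away from a trusted name.
        if 0 < edit_distance(host, good) <= max_distance:
            return ("lookalike", "near " + good)
    return ("unknown", host)

if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real campaign.
    for u in ("https://booking.com/login", "https://bo0king.com/login",
              "https://booking.com.reservation-check.example/verify"):
        print(u, classify_url(u))
```

A 'lookalike' verdict is a reason to block or quarantine the link for review; 'unknown' only means the host is not on the bookmark list.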
Beyond the basics, take additional steps to eliminate vulnerabilities by identifying and closing security gaps and strengthening areas of weakness. Conduct regular risk assessments by evaluating the cyberthreat landscape and the organization’s security practices to ensure they are aligned. This will ideally include a supply chain risk assessment to ensure their suppliers—and their suppliers’ suppliers—have suitable protections in place to avoid falling victim to a third-party infostealer attack.
Using a cybersecurity framework, such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), can help develop strong systems to protect against infostealers and other cyberattacks.
Limiting the amount of and access to sensitive data, investing in threat intelligence and end-to-end encryption of point-of-sale systems, and monitoring outbound email activity for unauthorized utilization (which can signal an active phishing attack) are all recommended steps organizations can take to mitigate their risk and protect their business, employees, partners, and guests from falling victim to infostealers.
Finally, consider partnering with an IT management firm that provides cybersecurity services to maintain software and devices. Look for a provider with specific industry and cybersecurity experience that offers, at minimum, proactive monitoring, regular security assessments, and staff training, and that has a deep understanding of compliance requirements. During the evaluation process, be sure to ask prospects about their response times and disaster recovery capabilities and obtain—and check—references.
The Best Defense
The reality is that no business is safe from infostealer attacks, and the threat increases as MaaS providers grow increasingly stealthy and sophisticated. By hardening technology and software, raising staff awareness, and establishing robust security protocols, the risks and fall-out can be minimized and the company will be able to continue providing quality services with minimal disruptions.
Erik Eisen is CEO of CTI Technical Services, a leading provider of IT support and cybersecurity services with a diverse clientele that includes hospitality, legal, manufacturing, dental specialties, small medical practices, and other industries.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


