Infostealers are notably difficult to prevent because they exploit the weakest link in cybersecurity— human behavior. Instead of relying on complex multi-step attacks to compromise a system, infostealers convince the user to invite them in the front door. The bad news is that infostealer malware is increasing with massive momentum. Here’s what’s happening, and how you can stymie the flow of attacks to keep sensitive data protected from data breaches.
In recent times, the world of cybersecurity has been battling a significant surge in a type of malicious software known as “infostealers.” These threats are on the rise with incidents more than doubling in the first quarter of 2023 compared to the same period last year. The danger lies in their ability to compromise personal information and evade conventional cybersecurity defenses like Endpoint Detection and Response (EDR) and anti-malware solutions. Infostealers can bypass Multi-Factor Authentication (MFA) controls and can even appear as legitimate authentication or phishing attacks due to their access to sensitive information. Fortunately, proactive measures can help defend against this growing threat, and one such solution is offered by Enzoic, providing real-time alerts for compromised data. As with any cybersecurity threat, a proactive, layered posture is the best defense against cyber attacks.
The Rise of Infostealers:
Infostealers are a type of information-stealing malware, designed to steal data from infected devices. Unlike ransomware which holds information hostage and demands a ransom, infostealers work silently, extracting data and then selling or publishing it on the Dark Web. These infostealers operate under a malware-as-a-service (MaaS) model, which allows attackers to extract data from compromised devices with exposed login credentials and then monetize this stolen information. Attackers might lease an infostealer from the Dark Web and then trick users into downloading and installing it by posing as legitimate software or free applications. The infostealer then infiltrates user devices and stealthily collects data from web browsers, email, social media accounts, cookies, crypto wallets, and gaming apps.
Infostealers focus on collecting a wide range of personally identifiable information (PII), including usernames, passwords, dates of birth, addresses, emails, credit card information, phone numbers, cookies, and more. The volume of stolen credentials for sale on the Dark Web from infostealers has grown significantly in recent years, highlighting the scale of the problem.
Attack Methods:
The delivery of infostealers often relies on social engineering tactics. Threat actors use various methods to entice users into downloading and running their malicious programs, including masquerading as free video games or anti-virus software, sending phishing emails with malicious attachments, or developing fake websites that mimic trusted organizations. Once the user falls for these tricks and runs the program, the infostealer copies data from system folders containing sensitive information. This data is then exfiltrated to remote servers and packaged into easily readable “logs” that can be sold to other threat actors or used to further compromise victims’ computers. While the primary targets are often personal computers, the vast amount of highly sensitive information at stake poses significant risks to organizations through customers and employees.
One example of infostealers using phishing emails is called the RedLine Stealer. This popular information-stealing software uses seemingly harmless attachments to run processes on a cyber victim’s computer and pull information to a remote server that is under control of the attacker.
The Shift to Targeting Enterprises:
Threat actors are increasingly targeting organizations, seeking to obtain proprietary information, customer databases, financial records, intellectual property, and trade secrets to sell on the Dark Web. The stolen credentials and data enable attackers to hijack sessions, bypass MFA, and gain unauthorized access to critical business information. The data is often sent to cybercriminals via third-party channels to preserve anonymity.
Infostealers primarily target autofills and password managers within web browsers. They can also steal files from device folders and cookies from other services like VPNs, Discord, or Telegram. In the US, 45 million people rely on browser-based password managers to protect their credentials online. The prevalence of password reuse exacerbates the problem, as exposed credentials can fuel credential stuffing and password-spraying attacks on other accounts and organizations. Furthermore, attackers can bypass MFA by using stolen cookies from victims’ browsers. This combination of factors means infostealers pose significant risks to organizations.
In fact, this year’s Blackberry Global Threat Intelligence Report lists infostealers as the most prominent threat to manufacturing, the most common risk faced by government agencies, and one of the top healthcare cyber concerns. The growth has been fueled both by the ease of use of MaaS, and extremely high value of the exposed information (e.g. plaintext credentials, credit card information, ID numbers, etc.). Kaspersky found that almost a quarter (24%) of malware sold as a service is now infostealers. The lowering of the barriers to entry enables threat actors with limited technical knowledge or capital to easily deploy the software to access networks.
Plan to Be Proactive About Infostealer Attacks:
A cybersecurity team may limit breaches by developing and enacting an incident response (IR) plan. An IR plan will make sure your team is prepared for attacks, has established detection methods in place, has defined protocol for containment for various scenarios, and can quickly recover from a data breach. Without clear-cut courses of action for each step of the incident response plan, notifications may come too late; resulting in a logistical, or even PR nightmare.
Preventing Infostealer Attacks:
Infostealer attacks are challenging to prevent because they exploit human behavior, relying on social engineering tactics to convince users to download and install the malicious software. This makes mitigation of malicious activity difficult, but not impossible. To mitigate this risk, organizations must proactively monitor and screen for compromised credentials and promote password best practices among their users. Since an organization cannot control what password individuals use for personal accounts on their devices, it is extremely important that they proactively monitor and screen for credential compromise to mitigate the vulnerability of password reuse. Spreading a culture of security awareness will make it well-known across your organization that cyber threats are real and have real consequences is one way to lessen the likelihood of malicious activity. Taking this a step further, installing and configuring advanced endpoint security products tightens vulnerable paths from being compromised.
Infostealers are on the rise, posing significant risks to individuals and organizations. Preventing infostealer attacks requires a proactive approach, including EDR, anti-malware, MFA, and continuous monitoring for compromised credentials. The threat landscape continues to evolve, making it crucial for organizations to stay vigilant and implement robust cybersecurity defenses.