Infostealers: those digital pickpockets on the Internet


You open your mailbox one morning and discover suspicious connection alerts to your social networks, shopping sites and even your bank app. You start to panic, as you haven’t done anything unusual recently! Without realizing it, you’ve probably been infected by a spyware that has stolen all your passwords and sent them to cybercriminals. Discreet, fast and effective, this intruder has a name: the infostealer.

What is an infostealer?

The infostealer is the evolution of what we used to call spyware in the 2000s. In concrete terms, an infostealer has espionage capabilities and stands out from other malware for its stealth: ransomware will quickly let you know that your data has been stolen and encrypted, whereas you will usually only notice an infostealer infection once you detect suspicious activity on your Internet accounts.

If the infostealer is a particularly dangerous threat to businesses today, it’s because it plays on three major axes:

  • The increasingly blurred line between our professional and private lives,
  • The synchronization of our devices, linked to our hyper-connected lifestyle,
  • And finally, extremely broad targeting, which makes it possible to find the needle in the haystack.
11 million

The number of credentials from infostealers worldwide exchanged on the Dark Web every hour.

How does an infostealer work?

Spread

The main infection vectors for infostealers are as follows:

  • Downloading pirated software such as image editing (Adobe Photoshop, Adobe Illustrator), industrial design (Autocad, Solidworks), video games including cheating software (Roblox, Fortnite) and fake browser extensions.
  • Phishing e-mails with malicious links or attachments.
  • Fraudulent ads and websites.

In the first two cases, the victim plays an active role in the infection by running the malware under the guise of a legitimate application or file.

Social networking sites such as Youtube and Tiktok are full of deceptive videos promoting pirated software or rogue browser extensions.

Infection

The infostealer’s main target is the Internet browser: saved passwords are stolen, along with history, cookies and other saved form data – such as your address or telephone number.

Depending on how the infostealer is configured, it can also steal small documents, obviously targeting passwords saved in text files, or bank details.

You don’t save your passwords in your browser? Unfortunately, you’re not much safer, since a malicious actor can use the session cookie to log in for you, without even needing the password.

Last but not least, an inventory of the computer is also carried out: list of installed software (which helps attackers to locate professional devices more easily), keyboard language, screen size and, icing on the cake, a screenshot at the time of infection.
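The browser profile files named above (saved passwords, cookies, form data) are the same files an infostealer must open, so one practical detection is to flag any process other than the browser itself reading them. The following is an added example, not code from the original article or from ANOZR WAY: it runs over a handful of constructed file-access events in an assumed JSON-like shape (not the format of any particular EDR) and raises the severity when one process touches the stores of several browsers within a short window, which is how stealers typically harvest.

```python
"""Flag non-browser processes that read browser credential stores."""
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Profile files that hold saved passwords, cookies and form data (Chromium and Firefox).
CREDENTIAL_STORES = {"login data", "cookies", "web data", "logins.json", "cookies.sqlite", "key4.db"}
# Processes legitimately expected to open their own profile files.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Constructed sample events (assumed shape, not real telemetry): a normal Chrome read,
# then a "cracked" installer reading three credential stores within two seconds.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01", "pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-05-01T09:02:10", "pid": 7788, "image": r"C:\Users\alice\Downloads\Photoshop_2024_crack\setup.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2024-05-01T09:02:11", "pid": 7788, "image": r"C:\Users\alice\Downloads\Photoshop_2024_crack\setup.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"ts": "2024-05-01T09:02:12", "pid": 7788, "image": r"C:\Users\alice\Downloads\Photoshop_2024_crack\setup.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"ts": "2024-05-01T09:30:00", "pid": 5001, "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]


def is_suspicious(event):
    """True when a credential store is opened by something that is not a browser."""
    image = PureWindowsPath(event["image"]).name.lower()
    target = PureWindowsPath(event["target"]).name.lower()
    return target in CREDENTIAL_STORES and image not in BROWSER_PROCESSES


def find_harvesting(events, window_seconds=60):
    """Group suspicious reads per process and grade them; returns one alert per offending process."""
    per_process = defaultdict(list)
    for ev in events:
        if is_suspicious(ev):
            per_process[(ev["pid"], ev["image"])].append(ev)
    alerts = []
    for (pid, image), evs in per_process.items():
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        span = (max(times) - min(times)).total_seconds()
        stores = sorted({PureWindowsPath(e["target"]).name.lower() for e in evs})
        # Several distinct stores in one burst is the harvesting pattern, not an isolated read.
        severity = "high" if len(stores) >= 2 and span <= window_seconds else "medium"
        alerts.append({"pid": pid, "image": image, "stores": stores, "severity": severity})
    return alerts
```

Matching on the file name alone keeps the rule independent of browser version and profile layout; tune BROWSER_PROCESSES to the browsers actually deployed so that backup agents are reviewed rather than silently allowed.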

Above: Stolen data stored in a strict tree structure

Exfiltration

The data is extracted almost invisibly for the victim, thanks to the small size of the final document – once again, a far cry from a ransomware attack that exfiltrates thousands of files.

Depending on the group behind the attack, the data can be used directly or resold on cybercriminal platforms.

Finally, once the information has been stolen, the infostealer can either repeat the data theft, to capture passwords that the victim may have changed in the meantime, or automatically uninstall itself, making forensic analysis more difficult.

Why are infostealers so dangerous?

As defenses become more sophisticated, so does malware, and the infostealer is no exception. These are true software products, sold by monthly subscription on specialized platforms, that compete on functionality to attract new customers.

Above: Advertising for Lumma and monthly rates, from $250 to $1,000 depending on features.

Most infostealers are advertised as being undetectable by antivirus software. However, in some cases, the infostealer asks the victim to disable their antivirus in order to proceed with the installation…

Above: The crack installation guide explicitly asks for antivirus deactivation… why would it ask to do such a thing?

Finally, as mentioned above, infostealers exploit the porosity between our private and professional lives, which translates into the use of professional devices for personal purposes, and the use of our personal devices for professional purposes.

The latter case is the most difficult for companies to manage, since the device is outside their perimeter, and therefore outside their protection. This practice is known as shadow IT, and has sometimes been encouraged under the acronym BYOD, bring your own device, to promote user comfort with their own tools and devices.

55

Average number of passwords stored in a user’s browser

As a result, everyday Internet credentials (e-mail, streaming service, e-commerce) get mixed up with your corporate VPN access, business e-mail and third-party sites used for work purposes, to share files, respond to a call for tenders or access the CRM tool.

Above: Infostealer workflow. Browser sessions, including on the work computer, are synchronized on a vulnerable device.


How to protect yourself against infostealers?

Best practices

  • Only download files from official sources
  • Use a secure password manager
  • Use anti-virus software and ad blockers on all your devices
  • Delete inactive accounts

Account security

  • Activate multifactor authentication wherever possible
  • Change your passwords regularly
  • If you share a computer with your family, make sure the antivirus has a master password to prevent it from being easily deactivated.
  • Log out of your accounts regularly to reset login cookies
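Logging out invalidates the cookie a stealer has already copied, but the service side can also refuse a replayed cookie on its own: the session is bound at login to the client context it was issued in, and a later request presenting the same cookie from a different context is revoked and sent back through login and MFA. This is an added example, not code from the original article or from ANOZR WAY; the in-memory session store, the fingerprint made of the user agent plus the client's /24 (or /64) network, and the return codes are all assumptions chosen for illustration.

```python
"""Bind a web session to its login context and revoke it when the cookie is replayed elsewhere."""
import hashlib
import hmac
import secrets
from ipaddress import ip_address, ip_network

# In-memory session store for the example: session id -> {"user", "fp"}.
SESSIONS = {}


def _context_fingerprint(user_agent, client_ip):
    """Hash of the user agent and the client's network (/24 for IPv4, /64 for IPv6).

    Using the network rather than the exact address tolerates ordinary address churn
    within one ISP while still distinguishing a login from a different location.
    """
    prefix = 24 if ip_address(client_ip).version == 4 else 64
    net = ip_network(f"{client_ip}/{prefix}", strict=False)
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()


def create_session(user, user_agent, client_ip):
    """Issue a fresh random session id bound to the context of this login."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "fp": _context_fingerprint(user_agent, client_ip)}
    return sid


def validate_session(sid, user_agent, client_ip):
    """Return "ok", "invalid" (unknown id) or "revoked_reauth_required" (context mismatch)."""
    record = SESSIONS.get(sid)
    if record is None:
        return "invalid"
    if hmac.compare_digest(record["fp"], _context_fingerprint(user_agent, client_ip)):
        return "ok"
    # The cookie is valid but presented from another client context: treat it as a
    # stolen cookie, drop the session and force a new login with MFA on the next request.
    del SESSIONS[sid]
    return "revoked_reauth_required"
```

Context binding raises the bar rather than closing the gap, since a stealer log can carry the victim's user agent as well; short session lifetimes and re-authentication before sensitive actions complement it.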

Infostealers are wreaking havoc in companies around the world, and have been the initial gateway for many attacks ending in network encryption (ransomware).

The availability of this data, in ever-increasing numbers every day, enables non-technical threat actors to thwart the strongest barriers by targeting employees in their personal lives: by reaching the user there, they bypass traditional defense systems and open the door to the most devastating attacks. It’s worth insisting here: by protecting people, you protect the organization.

Assess, detect, involve, remediate: ANOZR WAY solutions are at the heart of this strategy. They detect infostealers and inform users of the protective measures to be put in place. Make infostealer detection an integral part of your cyber strategy and protect your employees and your company without delay!

Written by David Sygula, CTI Expert