Beware of Infostealers

Infostealers are a category of malware designed to steal sensitive information from infected devices. These malicious programs infiltrate users’ computers, often through downloads of pirated software or phishing emails, and collect a wide range of data, including usernames, passwords, cookies, browsing history, and financial information.

Unlike other types of malware that may have specific targets, infostealers act opportunistically, gathering any available data from the web browsers of infected users.

The stolen information is then organized and sold on dark web markets or used directly for cyber attacks, such as corporate compromises or ransomware attacks. The rise of remote work and the increased integration between personal and corporate devices have made it easier for this malware to reach sensitive corporate data.

A growing wave of attacks

In recent months, cybercriminals have advertised the sale of hundreds of millions of customer records from major companies like Ticketmaster, Santander Bank, and AT&T. Although large data breaches have been a common occurrence for over a decade, these recent incidents are significant because they are all connected. Each victim company was a customer of the cloud data storage company Snowflake and was compromised not through a sophisticated hack, but because attackers held valid access credentials for each company’s Snowflake account; at least 165 Snowflake customers were affected. The attackers did not obtain this massive trove of credentials by directly breaching Snowflake or through a targeted supply chain attack; instead, they found the credentials in a disorganized collection of stolen data randomly harvested by infostealer malware.

After years of operations, infostealers are experiencing a surge. The malware, which often infiltrates computers through downloads of pirated software, can steal usernames and passwords, cookies, browsing history, financial information, and more from web browsers. The data collected by infostealers is increasingly being used by all kinds of hackers to compromise companies, and cybersecurity experts warn of more high-profile data breaches to come. What distinguishes infostealers from spyware or other malware used in espionage or targeted data breaches is that infostealers spread opportunistically and indiscriminately. They steal data from the browsers of the computers they infect; the attackers who operate them then gather and organize this chaotic and largely random collection of data, often on a marketplace or in a public forum such as a Telegram channel. Only at that point do infostealer operators or their customers sift through the haul to find valuable credentials and access tokens amid the massive amount of junk.

The stolen data

Some access tokens have obvious value to many types of cybercriminals. If a data dump includes working login credentials for an employee’s enterprise accounts, a ransomware gang, a business email compromise scammer, or a state-backed actor could use that access as a starting point for their attacks. But in addition to selling these prized details, infostealer operators maximize the value of the data they collect simply by making it available. Platforms like Genesis Market (taken down by law enforcement last year) and Russian Market organize infostealer logs and even make them somewhat searchable, so hackers looking to target more niche organizations, or those without financial motives, can potentially find exactly what they need. These platforms take cues in how they are designed and marketed from legitimate information and e-commerce services. Many markets and forums charge a subscription fee to access the platform and then apply different pricing structures for data depending on how valuable it might be. Currently, Russian Market has so much stolen data available from infostealers that it has been charging a low flat rate, typically no more than $10, for any subset of data users want to download.

Pay attention if you work from home

Infostealers have been particularly effective with the rise of remote and hybrid work, as companies allow employees to access work services from personal devices and personal accounts from work devices. This creates opportunities for infostealers to compromise individuals at random on their home computers and still end up with corporate access credentials, because the infected person was logged into some of their work systems. It also makes it easier for infostealing malware to bypass corporate protections, even on enterprise devices, if employees have their personal email or social media accounts open. On various cybercrime marketplaces and on Telegram, more than 7,000 compromised credentials linked to Snowflake accounts have been shared. In one case, a criminal advertised access to 41 companies in the education sector; another cybercriminal claims to be selling access to U.S. companies with revenues between $50 million and $8 billion.

The use of infostealers has been so effective that it is almost inevitable that cybercriminals will seek to replicate the success of compromises like Snowflake’s and get creative with other enterprise software services that they can use as entry points to access a range of different customer companies.