What should we all know about infostealers? Let’s ask our threat research experts.
What are infostealers?
Infostealers are a kind of malware-as-a-service (MaaS) that exfiltrate data from infected computers to a central server, where it is then sold and published as “logs”: comprehensive profiles of the data taken from each compromised computer. The stolen data comes primarily from the ‘autofill’ and password manager features of the user’s web browsers, but stealers also grab files from the Desktop and Documents folders, browser cookies, cryptocurrency wallets, and information from other services such as VPNs, Discord, or Telegram if they are installed on the system.
What types of personal information do they steal?
The short answer is that it depends on what a user has saved in their browser autofill, so pretty much anything. We typically see names, phone numbers, addresses, credit card numbers, dates of birth, IP addresses, Social Security numbers, plaintext credentials for any accounts stored in the password manager, and anything else the user has stored in the browser. Other data may be harvested too, if it is on the Desktop or in the Documents folder.
What is the data used for?
The threat actors that run the malware services sell the collected data on cybercrime platforms. Credit card numbers are often packaged and sold for “carding”, where criminals use the numbers to purchase goods or services, often reselling the items for cash. Personal information such as DOB, SSN, and address is used to perpetrate fraud by applying for credit cards or loans in the victim’s name; the threat actors then pocket the cash and leave the loan or card unpaid. This information can also be used in phishing or social engineering campaigns (such as scam calls) to make the message more believable.
As for credentials, they can be used directly for account takeover (ATO): they are in plaintext and are easily associated with their respective websites or services, because password managers typically record the URL where the credentials are used. Thanks to perennially high levels of password reuse, they can also be used for credential stuffing and password spraying to compromise other sites or organizations that the victim may be affiliated with.
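Because each stolen credential is tied to the URL it was saved for, a defender who obtains a stealer log can quickly determine which of their organization’s accounts need a forced reset and which users reused a password across sites. The script below is an added example, not code from the original article; the URL/USER/PASS line format, the organization domain and every credential value are constructed assumptions (real stealer logs vary by malware family).

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of stealer-log entries (format and values are assumptions).
SAMPLE_LOG = """\
URL: https://mail.example-corp.com/login
USER: alice@example-corp.com
PASS: Winter2024!

URL: https://shop.example.net/account
USER: alice@example-corp.com
PASS: Winter2024!

URL: https://vpn.example-corp.com/
USER: bob
PASS: hunter2

URL: https://forum.example.org/
USER: carol@gmail.com
PASS: qwerty
"""


def parse_log(text):
    """Split blank-line-separated blocks into dicts with URL, USER and PASS keys."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(URL|USER|PASS):\s*(.*)$", block, re.M))
        if all(k in fields for k in ("URL", "USER", "PASS")):
            entries.append(fields)
    return entries


def affected_accounts(entries, org_domains):
    """Return sorted (host, user) pairs whose host is one of, or under, org_domains."""
    hits = set()
    for e in entries:
        host = urlparse(e["URL"]).hostname or ""
        if any(host == d or host.endswith("." + d) for d in org_domains):
            hits.add((host, e["USER"]))
    return sorted(hits)


def reused_passwords(entries):
    """Map each user to the sorted hosts where the same password appears more than once."""
    hosts_by_pair = defaultdict(set)
    for e in entries:
        hosts_by_pair[(e["USER"], e["PASS"])].add(urlparse(e["URL"]).hostname or "")
    return {user: sorted(h) for (user, _), h in hosts_by_pair.items() if len(h) > 1}
```

Accounts returned by `affected_accounts` should have their passwords reset and sessions revoked, and users listed by `reused_passwords` warned that the other sites sharing that password are exposed too.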
Are infostealers a type of ransomware?
No. Both are types of malware, and both can be operated as ‘Malware-as-a-Service’, but infostealers are not the same thing. Ransomware locks the victim’s system by encrypting their data and demanding payment for the software or key to unlock it. Infostealers can operate without the victim ever knowing the software was installed on their machine.
How do infostealers infect victims?
In most cases infostealers must be downloaded and installed by the user voluntarily, so they usually masquerade as legitimate software. One common vector we have seen is video game mod programs promoted through YouTube videos. The threat actor creates a video demonstrating features of a certain mod for a popular video game and provides a link pretending to be a free download of the software. The linked program is, of course, an infostealer, and it exfiltrates the victim’s information as soon as the downloaded program is run. Threat actors use many guises to disseminate the malware, including fake antivirus programs, media players, accounting software, and so on, and they are always devising new ones.
How do I avoid getting infected with an infostealer?
Each case is a bit different: staying safe online involves building the knowledge and habits to recognize and avoid threats and scams. In this case, never download and run software unless you are 100% sure that it is legitimate and came from the actual website it purports to come from. This is easier said than done and requires staying vigilant. Scan all downloads for malware with up-to-date antivirus software before opening them.