Infostealers on your device: how to recognize them and what to do

An infostealer is malware that steals passwords and sensitive data. Whether you want to find out if you have one on your device or were referred to this page by members of the MU Cybersecurity Team, learn how to detect it and what to do next.

5 Mar 2025

In this guide, you will learn about the signs of an infostealer infection and how to respond if your device is affected. For more details on how infostealers work, check out our article. An infostealer can infiltrate your device in various ways, such as downloading a malicious file or visiting an infected website. However, your login credentials can also be compromised in other ways, for example if you sign in on a shared device or someone else's device that has already been compromised. In such cases, an attacker can capture your credentials without your own computer or phone being directly infected.

What are the symptoms of an infostealer on a device?

Infostealers work unobtrusively, and their detection is not straightforward. However, certain signals may indicate an infection:

  • Unusual logins: services such as Google, Microsoft, or university systems may alert you to login attempts from an unknown location.
  • Changes to your account settings: you've received a notification about a password change.
  • Suspicious system activity: you notice higher system utilization (more memory usage), windows briefly pop up and quickly disappear, and you discover messages you didn't write.

Cybercriminal “USDoD” leaked sensitive data from Airbus, exposing personal information of 3,200 vendors. The breach was traced back to an employee at Turkish Airlines whose computer was infected with RedLine Infostealing malware.

What should I do if I suspect an infostealer on my device?

An infostealer on your device poses a risk to any accounts you've logged into from it, so it's crucial to act immediately. Each of the eight steps below links to detailed instructions that show you how to carry out the action correctly.

  • 1. Verify any leaked login credentials

    For example, through Have I Been Pwned. Although not a panacea, it is sufficient as a first check. However, even a negative result does not mean you can be 100% sure your passwords have not been leaked.

  • 2. Check your device

    Run a thorough scan with an updated antivirus. A quick scan is not enough; run a detailed scan of your system.

  • 3. Consider reinstalling the system

    If a compromise is suspected, the surest solution is to reinstall the system. Use clean data; do not restore suspicious files, applications, or settings.

  • 4. Change passwords from a secure device

    Use another (trusted) device that has not been infected. Login credentials must be changed for university services and all other accounts (online banking, email services, etc.).

  • 5. Create new and unique passwords

    When creating passwords, do not use compromised ones and set a different one for each account.

  • 6. Use a password manager

    With a password manager, you'll securely store and generate strong, unique passwords for each account.

  • 7. Enable multi-factor authentication (MFA)

    Setting up multi-factor authentication adds an extra layer of protection and minimizes the risk of account misuse.

  • 8. Let us know

    If you are an MU user and suspect an infostealer, please get in touch with Masaryk University's cybersecurity team with your scan results or any suspicious activity so we can help you evaluate the situation.

Changing your name and password is not enough!

Be aware that if your device is infected with an infostealer, simply changing your login credentials is not enough: the malware may still be tracking you.

Is the infostealer dangerous even after removal?

Even after the infostealer has been removed, the stolen data can still be used to log into your accounts and to commit financial fraud or other attacks on your contacts.

Conclusion

If you are unsure what to do next, contact your site IT administrator, an outside technician, or a professional service. In the event of an incident, such as another device being compromised, report the situation to Masaryk University's cybersecurity team immediately: the sooner the security team intervenes, the less damage there will be. The fact that infostealers are a current threat is confirmed by a warning, which you can read here.
