
After analysing nearly 20 million stealer logs for sale on dark web markets and Telegram channels, cybersecurity experts found about 400,000 business credentials stolen by infostealer malware, with almost 50% having access to Gmail user logins.

A research report from cybersecurity firm Flare states that infostealer malware has been one of the “core trends in cybercrime” over the past three years, with threat actors targeting corporate credentials, banking information and consumer products.

Most notably, over 376,000 stealer logs contained access to popular business applications used by corporations worldwide. This includes Salesforce, Hubspot, Amazon’s AWS, Google Cloud and DocuSign. Additionally, over 48,000 logs had access to “okta.com,” which businesses use for identity controls and user authentication in web services, applications and devices.

According to the report, business logins appear in at least 1.91% of the 19.6 million analysed stealer logs, a small share, yet they are the most highly valued. Consumer applications represented the majority of credentials found in these logs, with 46.9% having access to Gmail logins. This represents over eight million devices being infected by infostealer malware.

Other consumer-focused apps found in logs include Facebook (35%), Microsoft’s Live accounts (34%), Amazon (13%), Netflix (17%), Roblox (15%), Instagram (18%), Steam (13%), Paypal (12%), Spotify (9%), Apple (8%) and more.

Gaming accounts are also a significant target, with many infostealer variants designed to steal Steam credentials that are not stored in browsers. “Many players of the popular game Counter-Strike: Global Offensive have hundreds or thousands of dollars worth of ‘weapon skins’ on their accounts which can be sold or traded for a profit, creating another lucrative source of revenue for log harvesters and buyers,” the report states.

Logs are sold for around $10-$15, whereas logs with personal and business banking accounts go for about $112 on markets such as Genesis Market.

Flare also reports that more than 200,000 logs contain access to OpenAI credentials, more than Group-IB reported in June, with infostealer malware reportedly stealing over 101,000 ChatGPT accounts. This is due to AI chatbot accounts storing valuable information from conversations, including user input and AI responses. Stolen user accounts risk having personal conversations, sensitive business information, or confidential software code leaked in targeted attacks if cybercriminals obtain these logins.

Typically used infostealer variants, including Redline, Raccoon, Titan, Aurora and Vidar, infect user devices and steal login information stored in browsers. These are packaged into stealer logs and sent back to the threat actor to be used for further attacks or sold on dark web markets such as Russian Market. The report notes that these logs are also commonly distributed through public and private Telegram channels, providing “terabytes of stealer logs per month.”

[Figure: graph of stealer logs containing corporate access, via Flare’s infostealer malware report]

For a better look at what infostealer malware is and how to protect yourself from it, read on.

What is infostealer malware?

Information-stealing malware, or infostealer, is a type of malware that gathers information on an infected device to send to a threat actor. It targets login credentials saved in browsers, browsing history, credit card and crypto wallet information, location data, device information, emails, social media platforms and instant messaging clients – anything valuable.

Stolen data is collected in logs and sent to the attacker. Account details and banking card information are the most sought after, as threat actors can use this information for themselves or sell it on dark web markets. Infostealer logs are hugely profitable in underground marketplaces, making them a popular form of malware.
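The report figures above (how many logs contain access to Gmail, okta.com, Salesforce and so on) and the description of logs being collected per infected device are, for a defender, an exposure-triage problem: given a batch of leaked logs, which services are exposed and which devices need a priority credential reset. The following is an added example, not Flare’s or any vendor’s tooling. It assumes a simplified `URL|username|password` line format (real stealer families each use their own formats) and a small constructed sample; the watched-domain sets are illustrative choices, not the report’s list.

```python
"""Exposure triage over a constructed stealer-log credential dump.

Added example (not Flare's code). Assumes a simplified "url|user|password"
line format and constructed sample data. Counts how many infected devices
expose a credential for each watched domain, mirroring the per-service
percentages in the report, and flags business/identity domains for reset.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Illustrative watch lists (assumption, not the report's exact categories).
BUSINESS_DOMAINS = {"okta.com", "salesforce.com", "aws.amazon.com",
                    "cloud.google.com", "docusign.com"}
CONSUMER_DOMAINS = {"accounts.google.com", "facebook.com", "netflix.com",
                    "steampowered.com"}

# Constructed sample: one entry per infected device; passwords redacted.
SAMPLE_LOGS = {
    "device-A": [
        "https://accounts.google.com/signin|alice@example.com|REDACTED",
        "https://corp.okta.com/login|alice@corp.example|REDACTED",
        "https://www.netflix.com/login|alice@example.com|REDACTED",
    ],
    "device-B": [
        "https://accounts.google.com/ServiceLogin|bob@example.com|REDACTED",
        "https://store.steampowered.com/login|bob_gamer|REDACTED",
        "https://login.salesforce.com/|bob@corp.example|REDACTED",
    ],
    "device-C": [
        "https://www.facebook.com/login.php|carol@example.com|REDACTED",
        "not a valid line",  # malformed lines are common in dumps; skipped
    ],
}


def host_of(url):
    """Hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def matches(host, domain):
    """True if host equals domain or is a subdomain (corp.okta.com -> okta.com)."""
    return host == domain or host.endswith("." + domain)


def exposure_by_domain(logs, watched):
    """Map each watched domain to the set of device ids exposing it."""
    exposed = defaultdict(set)
    for device, lines in logs.items():
        for line in lines:
            parts = line.split("|", 2)
            if len(parts) != 3:
                continue  # tolerate malformed lines instead of aborting
            host = host_of(parts[0])
            for domain in watched:
                if matches(host, domain):
                    exposed[domain].add(device)
    return exposed


def exposure_report(logs, business, consumer):
    """Per-domain rows: device count, share of all logs, priority flag."""
    total = len(logs)
    exposed = exposure_by_domain(logs, business | consumer)
    rows = []
    for domain in sorted(exposed, key=lambda d: (-len(exposed[d]), d)):
        n = len(exposed[domain])
        rows.append({
            "domain": domain,
            "devices": n,
            "percent": round(100.0 * n / total, 1) if total else 0.0,
            "priority": domain in business,
        })
    return rows


def priority_resets(logs, business):
    """Device id -> sorted business domains whose credentials it leaked."""
    resets = defaultdict(list)
    for domain, devices in exposure_by_domain(logs, business).items():
        for device in devices:
            resets[device].append(domain)
    return {d: sorted(v) for d, v in resets.items()}


if __name__ == "__main__":
    for row in exposure_report(SAMPLE_LOGS, BUSINESS_DOMAINS, CONSUMER_DOMAINS):
        flag = "PRIORITY" if row["priority"] else ""
        print(f"{row['domain']:<22} {row['devices']:>3} devices "
              f"{row['percent']:>5}% {flag}")
    print("reset first:", priority_resets(SAMPLE_LOGS, BUSINESS_DOMAINS))
```

Suffix matching on the hostname rather than substring matching on the URL is deliberate: `corp.okta.com` should count as Okta exposure, while an unrelated host that merely contains the string should not. On a real dump the watch lists would be replaced with the organisation’s own SSO, cloud and SaaS domains.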

The first sign of infostealers came about in 2007 when cybersecurity analysts detected a Trojan malware called ZeuS, or Zbot. This program aims to steal user credentials and banking information on Microsoft Windows devices to exploit individuals and organisations. It affected users around the globe, leading to the theft of billions of dollars due to its ease of installation and availability as a Malware-as-a-Service (MaaS).

From there, variants of infostealer malware became more widespread. These include the infamous Raccoon infostealer, Vidar, Mars Stealer, BlackGuard and Redline Stealer. Recently, security researchers have seen them being used to steal ChatGPT accounts. This showcases the rise of malicious threat actors using infostealers to gain private data.

How does infostealer malware infect devices?

Like most malware, including spyware or Trojans, infostealers are distributed through phishing emails, fake websites, dodgy ads on web pages, malicious downloads or attachments, apps and more. Because they can be hard to detect, it’s a good idea to set up the proper protection on your online accounts and devices.


Infostealers can be delivered in many ways, whether through Trojans, keyloggers or stalkerware. The malware can use keylogging to record what a user types on a device, web injection scripts that add fields to forms to sneakily send information to the attacker, and cookie theft to capture saved logins.

Because infostealers can be bought for a fee, it even allows criminals with limited knowledge of software to use the malware. For example, according to cybersecurity website BlackBerry, Raccoon, also called Racealer, could be bought for around $75 per week or $200 per month as MaaS on dark web forums. It can be used to steal autofill passwords, browser cookies, history, and cryptocurrency wallet information and to obtain a user’s location.

How do you remove an infostealer?

A simple click can lead an unsuspecting user to download an infostealer. From email attachments to suspicious websites tricking users into clicking dangerous links, threat actors will do whatever they can to dupe their victims.

That’s why staying a few steps ahead is a good idea. Using antivirus software to perform security scans and protect your email will help keep infostealers at bay. For an in-depth look at how to detect and remove malware on iPhone and Android or Chrome, we’ve got you covered. You can also check out how to stop scam emails to keep your account safe.

Use antivirus software to protect your device

The best antivirus software can help detect and protect you from all types of malware, including infostealers.

Many AV suites come with a range of security features that can get rid of viruses, malware, ransomware, spyware or any other malicious software that burrows into your device or web browser. Some antivirus vendors, such as Bitdefender, offer security subscriptions for specific devices such as a PC, iPhone or Android, making them a more cost-effective option.

We recommend trusted AV software including Avast One, Norton 360 and Bitdefender, as they can efficiently detect and remove malware on your device. Check out our thoughts on each AV below.

Perform a safety check

1. On Google Chrome, click on the three vertical dots in the upper-right corner and select Settings.


2. Select Privacy and security in the right-hand toolbar.

3. Under Safety check, click Check now (or the arrow to perform it again).


If Chrome finds any issues, you’ll be able to click on the option and follow the instructions to see how to handle it. For those who don’t want to give malware hiding on web pages any chances, you can also turn on Enhanced protection.

1. In Privacy and security, click on Safe Browsing under Safety Check (or Security under Privacy and security).


2. Select Enhanced protection to turn it on.
