Fighting Back Against the Infostealers Threat

Today’s hybrid work environment is giving bad actors an advantage in their mission to steal data from enterprises.


Threat actors’ methods for accessing sensitive financial data are always evolving, with infostealers a prime example. Infostealers extract sensitive data from infected devices; that data is then sold and published as logs on the Dark Web for threat actors to use in a range of criminal activities. While infostealers are often categorized as a consumer vulnerability, attention is now shifting to enterprises – making it critical that credit unions are cognizant of and prepared to combat the threat.

Infostealers 101

Infostealers are a form of malware-as-a-service (MaaS) that, once installed, surreptitiously exfiltrate browser “autofill” field data, browser cookies, accounts/credentials from password managers, cryptocurrency wallets and many other forms of sensitive data. These sources provide hackers with access to data such as credit card information, bank account information, IP addresses, dates of birth, Social Security numbers and login credentials.

When organizations are the target, bad actors can obtain customer databases, trade secrets, financial records and other sensitive information to sell on the Dark Web. Once an infostealer has infected a system that has access to the corporate resources that house this information – for example, VPNs, internal websites and corporate accounts – gaining access to these becomes trivial.

According to Kaspersky, 24% of malware sold as a service is now infostealers, and Accenture found that it was among the most discussed malware topics on the cybercriminal underground last year. It’s evident that this growing threat shows no sign of abating and, equally troubling, neither does the variety of methods hackers are employing to infect devices. These include:

Hybrid Work Environments Increasing Vulnerabilities

Unintentionally installing infostealers bundled with software is another common way devices become infected. For example, video game mod programs promoted through YouTube are presented as a free software download but, in reality, begin stealing sensitive data immediately upon installation.

Given today’s hybrid work environment, this introduces new risks to credit unions. Fifty-eight percent of employees believe the pandemic increased the use of personal devices in their work, a Beyond Identity survey found. And according to a report from Staffbase, 78% of respondents feel that using a single device for both work and personal purposes improves work-life balance. This means an employee could unwittingly download infostealer malware via a personal site that would then expose all of the corporate data contained on the device.

Password Managers Exposed

Once a machine is infected, password managers are an obvious target given their “keys to the kingdom” access. Infostealer malware can exploit vulnerabilities in these solutions to gain access to all saved credentials, and also monitor and steal new ones as they are entered.

Because password managers typically link the URL where the respective credential is used, infostealers not only expose the credential in plain text but also all of the websites or services associated with it. This can fuel credential stuffing and password spraying attacks against additional sites or organizations. This could lead to a negative reputational impact and damage customer and employee relationships if a credit union is found to be the source of the breach.

What’s more, infostealers pose a password security threat even if a password manager is used to manage personal accounts and does not contain corporate credentials. Due to the pervasive problem of password reuse, there’s a possibility that the credentials for the user’s corporate account are the same or very similar to those used for personal accounts.

MFA Limitations

Multi-factor authentication has historically been viewed as a means of password hardening but it’s no magic bullet, particularly in the fight against infostealers. In fact, the latter can actually be used to bypass MFA. For example, MFA is often skipped if the device has previously logged into the account and is trusted – something that is generally accomplished by dropping a cookie. These cookies can be stolen by the malware and reused by threat actors, thereby rendering MFA ineffective. In addition, any active login session IDs can be stolen in a similar manner and in some cases used as-is by the attacker.
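One server-side control against the cookie and session replay described above is to bind a trusted-device or session cookie to the client that first presented it and flag later uses from a different client. The following is an added illustration, not code from the article or from Enzoic; the log format, field names and sample entries are constructed assumptions.

```python
"""Detect a session or trusted-device cookie being replayed from a new client.

Added example (not from the article). A server that honours a remember-me
or session cookie records the client fingerprint (IP address and User-Agent)
seen the first time the cookie is used, then flags later uses whose
fingerprint differs. A User-Agent change is a strong signal; an IP change
alone is weaker (mobile users roam), so it is reported at lower severity.
"""

# Constructed sample access log. Assumed format:
# "<timestamp> <session_id> <client_ip> <user_agent...>"
SAMPLE_LOG = [
    "2023-05-01T09:00:00Z abc123 203.0.113.10 Firefox/113 on Windows",
    "2023-05-01T09:05:00Z abc123 203.0.113.10 Firefox/113 on Windows",
    "2023-05-01T10:30:00Z abc123 203.0.113.55 Firefox/113 on Windows",
    "2023-05-01T11:42:00Z abc123 198.51.100.7 Chrome/112 on Linux",
    "2023-05-01T12:00:00Z def456 192.0.2.5 Safari/16 on macOS",
]


def parse_line(line):
    """Split one log line into (timestamp, session_id, ip, user_agent)."""
    ts, sid, ip, ua = line.split(" ", 3)
    return ts, sid, ip, ua


def find_replayed_sessions(lines):
    """Return one alert per use of a cookie from a client other than the one
    that first presented it: (session_id, timestamp, severity, first_fp, new_fp).
    severity is "high" when the User-Agent differs, "low" when only the IP does."""
    first_seen = {}  # session_id -> (ip, user_agent) at first use
    alerts = []
    for line in lines:
        ts, sid, ip, ua = parse_line(line)
        fp = (ip, ua)
        if sid not in first_seen:
            first_seen[sid] = fp
            continue
        orig_ip, orig_ua = first_seen[sid]
        if ua != orig_ua:
            alerts.append((sid, ts, "high", first_seen[sid], fp))
        elif ip != orig_ip:
            alerts.append((sid, ts, "low", first_seen[sid], fp))
    return alerts


def sessions_to_revoke(lines):
    """Session IDs with at least one high-severity mismatch; the server should
    invalidate these and require a fresh MFA challenge on next login."""
    return {sid for sid, _, sev, _, _ in find_replayed_sessions(lines) if sev == "high"}
```

Revoking the server-side session record (rather than relying on the cookie's expiry) is what actually invalidates a stolen token; short cookie lifetimes limit the window in which a stolen log remains usable.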

What Should Credit Unions Do to Safeguard Sensitive Data?

One potential consideration is to set some parameters around personal device usage. Studies have shown that employees often have unsafe apps installed on mobile devices used for work, and that they tend to visit gaming, dating, gossip or other recreational sites that may be infostealer entry points.

Ongoing education about how to discern the differences between a fake and a legitimate website is vital. Some threat actors are incredibly sophisticated, which means it’s not always easy to spot malware through poor grammar, blurry logos or other markers we may associate with earlier threats. Checking whether the website is using legitimate SSL/TLS certificates, understanding what source the link is coming from, and ensuring the “Contacts” section contains a physical address and phone number can all help evaluate whether a website is real. And until you are completely sure that’s the case, never download or run any software. In addition, it’s important to scan downloads for malware before opening the program with up-to-date antivirus software.

Evolving Threats Demand Threat Intelligence

Because the infostealers landscape is rapidly evolving, the most important preventative action is to continually research the threat and the tactics bad actors are using to infect victims. Monitoring the Dark Web can provide credit unions with this intelligence and help companies stay abreast of the latest trends.

While traditional defenses like antivirus software are important, they can sometimes falter against infostealers, particularly those that are novel, targeted or take advantage of zero-day exploits, which elude immediate detection and for which current patches may not be available. This is another area in which Dark Web monitoring can assist, offering a proactive approach to identifying threats even before conventional measures detect them.

Infostealers are only set to become a more pressing security priority in the coming months. For example, on Russian Market alone the number of infostealer logs available for purchase increased by 150% in less than nine months, according to a Secureworks report – from two million in June 2022 to over five million in February 2023. As this threat vector continues to grow, it’s vital that credit unions are prepared to fight back.

Mike Wilson

Mike Wilson is Founder and CTO for Enzoic, a cybersecurity company based in Boulder, Colo.