In the world of cybercrime, information is a means to an end. And that end, more often than not, is to make money. That’s why information-stealing (infostealer) malware has risen to become a major driver of identity fraud, account takeover and digital currency theft. But there are also plenty of people that live much of their daily lives online and manage to stay safe. The key is to understand how to manage digital risk effectively.
Here’s what you need to know to keep your personal and financial information out of harm’s way.
What kind of info do infostealers steal?
Many infostealers may trace their roots back to an “iconic” bit of malware: a banking Trojan known as ZeuS that was designed to covertly steal victims’ financial information, such as online banking logins. When its source code was leaked in 2011, new versions flooded the cybercrime underground and the burgeoning infostealer industry began in earnest, with developers upgrading and customizing its capabilities. Today there are versions built for just about every computing platform, from Windows PCs and macOS computers to iOS and Android devices.
What infostealers are after depends on the variant. Logins, and session cookies, which could enable hackers to bypass multifactor authentication (MFA), are a popular target. One report estimates that 75% (2.1 billion) of the 3.2 billion credentials stolen last year were harvested via infostealers. Other personal and financial information that could be at risk includes:
- Payment card, bank account and cryptocurrency details (e.g., crypto wallet keys)
- Other financial information, including insurance or government welfare (Social Security) details
- Browser data including browsing history and any “saved form” data, which could include payment details and passwords
- System information about your computer or device
- Files stored on your machine/device including photos and documents
- Other personal information including names, phone numbers and addresses
How do infostealers work?
The aim of the malware is to silently and rapidly find sensitive information on your machine or device and then exfiltrate it to a server under the control of your attackers. It will do so by raiding web browsers, email clients, crypto wallets, files, applications and the operating system itself. Other techniques include:
- “Form grabbing,” which involves searching for logins that you may have entered into an online form, before it is send to a secure server
- Keylogging, which requires the malware to record every keystroke you make
- Taking screenshots of your home screen/desktop in case any sensitive information is displayed there
- Stealing information from the machine’s clipboard
Once the information has been sent back to an adversary’s server, often within seconds, they typically package it up into logs and sell it on the cybercrime underground. Fraudsters will then use it to:
- Hijack your online accounts (e.g., Netflix, Uber) with a view to stealing information stored inside and/or selling access to others
- Commit identity fraud, such as applying for credit in your name, or using your cards/bank account to purchase items
- Commit medical/insurance fraud by obtaining medical treatment/drugs in your name
- Commit tax fraud, by filing tax returns in your name and receiving refunds
- Target your contacts with phishing messages or spam
- Drain your financial accounts of funds
How do I get compromised with infostealers?
The first step towards staying safe from infostealers is understanding how they spread. There are various vectors for attack, but the most common include:
- Phishing emails/texts: A classic social engineering technique to persuade you to click on malicious links or open an attachment, triggering a covert malware install. The threat actor will usually impersonate a trusted person, brand or authority, including spoofing the sender domain and featuring official logos.
- Malicious websites: These may be used as part of a phishing campaign or as a standalone “asset”. You may be encouraged to download/click on a link, or the site might trigger a “drive-by-download” simply by visiting it. Threat actors could use black hat SEO techniques to artificially elevate these sites to the top of the search rankings, so they’re more likely to appear when you look for something online.
- Compromised websites: Sometimes, hackers compromise legitimate websites that you might visit, by possibly exploiting a browser vulnerability or inserting a malicious ad (malvertising). Both techniques could trigger an infostealer installation.
- Malicious apps: Legitimate-looking software may hide a nasty info-stealing surprise when downloaded. The risk is particularly acute for mobile devices that often aren’t protected as well as computers. Watch out especially for pirated versions of popular games and other software.
- Social scams: Scammers may try to trick you into clicking through on an enticing social media ad or post, possibly by impersonating a celebrity or even hijacking a legitimate account. Beware offers, prize draws and exclusive content that seem too good to be true.
- Game mods/cheats: Unofficial modifications or cheats for video games may contain infostealer malware. In fact, ESET researchers found several GitHub repositories claiming to offer farm bots and auto-clickers designed to speed up gameplay on Hamster Kombat. In reality, they were hiding the Lumma Stealer variant.
Peering into the threat landscape
As ESET reveals in its H2 2024 Threat Report the infostealer market is big business for cybercriminals. The malware-as-a-service (MaaS) model has democratized access to many of the infostealer variants available on criminal marketplaces. Some of these sites also offer log parsing services to help cybercriminals extract data from raw logs for use or resale.
As ESET observes, these pieces of malware are under constant development. Formbook, for example, has been in operation since 2021. But most recently, it has added sophisticated obfuscation techniques, designed to make sampling and analysis by security researchers more difficult. Other variants, like RedLine, have disappeared due to coordinated law enforcement action. But others, such as Lumma Stealer, simply move in to take their place. This variant recorded a 369% annual increase in detections in H2 2024, according to ESET research.
How do I steer clear of infostealers?
So how can you make sure an infostealer doesn’t end up on your mobile device or computer? Given that the malware can be spread via multiple methods, you’ll need to remember several best practices. These include:
- Install and keep security software updated on all your devices. This will go a long way to keeping you safe from infostealers and other threats.
- Be phishing-aware, which means that you should avoid clicking on links in any unsolicited messages or open attachments. Always check with the sender independently that they definitely sent you the message. Sometimes, hovering above the “sender” domain may reveal that an email was in fact sent by someone else.
- Only download software/apps from official online stores. Although malware sometimes creeps onto Google Play, it’s usually taken down swiftly, and these official channels are way safer than third-party stores. Also, avoid downloading any pirated or cracked software, especially if it’s offered for free.
- Keep OS and apps up to date, because the latest software version will also be the most secure.
- Use caution on social media and remember that if an offer seems too good to be true, it usually is. If you’re suspicious, try Googling it to see if it may be a scam. And remember that the accounts of friends and celebrities can also be hijacked to promote scams. Avoid clicking on any unsolicited links.
- Enhance security at login by using strong, unique passwords for each account, stored in a password manager. And switch on multi-factor authentication (MFA) for all of your accounts. This will offer some protection against certain infostealer techniques such as keylogging, although it is not 100% foolproof.
The trick is to layer up these measures, thus reducing the avenues for attack open to threat actors. But remember too that they will continue to try and develop new workarounds, so vigilance is key.