How Infostealers Pillaged the World’s Passwords

These platforms take cues in how they are designed and marketed from legitimate information and ecommerce services. Many markets and forums charge a subscription fee to access the platform and then have different pricing structures for data depending on how valuable it might be. Currently, Gray says, Russian Market has so much stolen data available from infostealers that it has been charging a low flat rate, typically no more than $10, for any subset of data users want to download.

“Organizations have become very good with their security, and people have also gotten more savvy, so they’re not the best targets now,” for traditional tailored attacks, Gray says. “So attackers need something that’s less targeted and more based on what they can make use of. Infostealers are modular and often sold on a subscription basis, and that evolution probably aligns with the rise of modern subscription services like video streaming.”

Infostealers have been especially effective with the rise of remote work and hybrid work, as companies adapt to allowing employees to access work services from personal devices and personal accounts from work devices. This creates opportunities for infostealers to randomly compromise individuals on, say, their home computers but still end up with corporate access credentials because the person was logged into some of their work systems as well. It also makes it easier for infostealing malware to get around corporate protections, even on enterprise devices, if employees are able to have their personal email or social media accounts open.

“I started paying attention to this once it became an enterprise problem,” Mandiant’s Carmakal says. “And particularly around 2020, because I started seeing more intrusions of enterprises first starting from compromises of home computers—through phishing of people’s Yahoo accounts, Gmail accounts, and Hotmail accounts that were totally unrelated to any enterprise targeting, but to me look very opportunistic.”

Victoria Kivilevich, director of threat research at security firm KELA, says that in some instances criminals can use cybercrime markets to search for the domain of potential targets and see if any credentials are available. Kivilevich says the sale of infostealer data can be considered as the “supply chain” for various types of cyberattacks, including ransomware operators looking for the details of potential victims, those involved in business email compromise, and even initial access brokers who can sell the details along again to other cybercriminals.

On various cybercrime marketplaces and Telegram, Kivilevich says, there have been more than 7,000 compromised credentials linked to Snowflake accounts being shared. In one instance, a criminal has been touting access to 41 companies from the education sector; another cybercriminal claims to be selling access to US companies with revenues between $50 million and $8 billion, according to Kivilevich’s analysis.

“I don’t think there was one company that came to us and had zero accounts compromised by infostealer malware,” Kivilevich says of the threat that infostealer logs provide to businesses, with KELA saying infostealer-related activity jumped in 2023. Irina Nesterovsky, KELA’s chief research officer, says millions of credentials have been collected by infostealing malware in recent years. “This is a real threat,” Nesterovsky says.

Carmakal says there are multiple steps companies and individuals can take to protect themselves from the threat of infostealers and their aftereffects, including using antivirus or EDR products to detect malicious activity. Companies should be strict on enforcing multifactor authentication across their users, he says. “We try to encourage people to not synchronize passwords on their corporate devices with their personal devices,” Carmakal adds.

The use of infostealers has been working so well that it is all but inevitable that cybercriminals will look to replicate the success of compromise sprees like Snowflake and get creative about other enterprise software services that they can use as entry points for access to an array of different customer companies. Carmakal warns that he expects to see this result in more breaches in the coming months. “There’s no ambiguity about this,” he says. “Threat actors will start hunting for infostealer logs, and looking for other SaaS providers, similar to Snowflake, where they log in and steal data, and then extort those companies.”