Detecting And Defending Against Malware Amid Last Year’s Flood of Infostealers

Amid the growing threat of malware, enterprises and employees alike must take responsibility for the dangers of living and working in a digitized world.

By Chip Witt, Vice President of Product Management, SpyCloud


Despite the resounding need for better password hygiene amid high-profile cyberattacks and an increase in fraud, consumers are still far from where they need to be. A recent SpyCloud report found 1.7 billion exposed credentials and 13 billion pieces of personally identifiable information leaked last year, with 64% of compromised users repeating passwords across multiple accounts. Alarmingly, 70% of users tied to breaches last year and in years prior are still using the same exposed password.

But even users and companies who do everything right –– who employ complex passwords, multi-factor authentication, password managers, and change passwords regularly –– are at risk of attack.

In 2021, a surge in information-stealing malware produced hundreds of millions of stolen authentication records. SpyCloud researchers regularly saw advertisements on popular underground forums from criminals looking to buy or sell logs containing specific companies’ accounts, sometimes for as little as $130. As criminals escalate their tactics, enterprises must become far more vigilant.

The growing threat of malware

Malware is one of the riskiest sources of exposure because it is responsible for the most efficient account takeover attacks and the fraud that is hardest to detect.

Users may unknowingly install malware by clicking a malicious link or running an executable that masquerades as something benign, such as a free game or application. Once a device is infected, the malware connects back to the criminals’ command-and-control server. The compromised device then transmits logs with details ranging from login credentials and browser history to geolocation, installed software, autofill data and web session cookies, and it usually does so without being detected.

Unlike password attacks such as password spraying or credential stuffing, which rely on guessing or on reusing old leaks, malware gives criminals immediate access because they hold the exact current password, no matter how complex it is. Even if the user changes the password, a keylogger left behind by the infection captures the new password just as easily as the old one.

From the account administrator’s side, detecting a malware-compromised device or account is difficult because criminals use the siphoned data to mimic the browser and device fingerprints that are normally used to help authenticate users.

By replaying the victim’s system information (IP address, device details, session cookies and more, the very signals enterprises monitor for anomalies), attackers can impersonate legitimate users without raising red flags. Often the only indication that an account has been compromised is the fraud that occurs afterward. Stolen session cookies pose a particularly high risk: they let criminals piggyback on ‘remember this device’ features to shortcut authentication or skip logging in altogether.

Furthermore, infostealers, anti-detect browsers, and malware logs available for purchase on the criminal underground mean almost anyone can commit malware fraud, regardless of skill level, with relatively little investment.

To impersonate users and commit fraud, an aspiring criminal need only purchase the malware, or just its output logs, and follow a step-by-step guide for loading them into an anti-detect browser, which creates separate browsing environments with distinct browser fingerprints. One common infostealer, RedLine Stealer, is available for around $200 a month and accounted for more than 50% of the infections analyzed in SpyCloud’s report.

A new kind of vigilance

Despite the growing threat level, mitigating the risk of malware infections is often overlooked in conversations around how users can better protect themselves. While good password hygiene and multi-factor authentication are critical to limiting exposure overall, malware attacks rely on a different set of risky user behaviors.

Corporate workforces have historically been trained to expect suspicious links and attachments to arrive through phishing emails. Today’s malware uses more sophisticated camouflage and arrives from a greater diversity of sources, designed to reach employees across devices and networks rather than only in a traditional office setting. For example, researchers have observed RedLine Stealer masquerading as legitimate downloads, including fake Windows updates.

The reality is that downloading web-based applications and software updates has become routine for most users. Everything from video conferencing clients to online gaming mods requires downloads that carry some degree of risk, particularly when they bundle third-party or open-source components that neither the user nor the company has vetted. Moreover, with remote work all but eliminating the boundary between work and home device use, companies have limited visibility into who is using work devices and how.

To defend against a virtually undetectable attack, companies need greater awareness of the nature and scope of the threat they face.

Businesses that fraudsters frequently target, such as e-commerce retailers and financial services firms, must approach the threat proactively, starting with greater visibility into their malware exposure. SpyCloud’s database of recaptured breach and botnet data shows that stolen session cookies are often an indicator that the credentials tied to the associated account have been or will be compromised. Monitoring botnet logs for stolen session cookies as well as exposed credentials offers the most comprehensive view of malware risk available.

Essential first steps for all companies, however, include urging employees to exercise caution with downloads and links on every device they use, requiring multi-factor authentication at each login, keeping session lifetimes short rather than leaving accounts logged in for long periods, and invalidating open sessions whenever a password is reset, since a stolen cookie otherwise outlives the password change.
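The following is an added example, not SpyCloud’s code or any product’s logic. It shows what the session-side defenses described above look like when run over access-log lines: a hashed lookup of presented cookies against a hypothetical feed of cookie values recaptured from botnet logs, a hard cap on session age, revocation of sessions issued before the user’s last password change, and a client-mismatch check. The log format, the session store, the stolen-cookie feed and all sample records are constructed for the example. The mismatch check is deliberately listed last because, as the article notes, an anti-detect browser loaded with the victim’s stolen fingerprint will pass it.

```python
import hashlib
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Cap on session lifetime, regardless of any "remember this device" flag.
SESSION_MAX_AGE = timedelta(hours=12)


def cookie_fingerprint(cookie_value: str) -> str:
    """Hash a session cookie so the checker never holds replayable plaintext."""
    return hashlib.sha256(cookie_value.encode()).hexdigest()


@dataclass
class Session:
    sid: str          # session cookie value handed to the browser at login
    user: str
    issued_at: datetime
    ip: str
    user_agent: str


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_request(line: str) -> dict:
    """Parse one key=value access-log line (constructed format for this example)."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line))
    fields["ts"] = parse_ts(fields["ts"])
    return fields


def check_request(req: dict, session: Session, stolen_hashes: set,
                  password_changed_at: Optional[datetime] = None) -> list:
    """Return the reasons (empty if none) to revoke this session and send
    the user back through MFA."""
    reasons = []
    # 1. Cookie value appears in recaptured infostealer/botnet logs.
    if cookie_fingerprint(req["sid"]) in stolen_hashes:
        reasons.append("cookie_in_botnet_logs")
    # 2. Session has outlived its maximum age, limiting the replay window.
    if req["ts"] - session.issued_at > SESSION_MAX_AGE:
        reasons.append("session_expired")
    # 3. Session predates the user's last password change; a password reset
    #    that leaves old sessions alive does nothing against a stolen cookie.
    if password_changed_at is not None and session.issued_at < password_changed_at:
        reasons.append("issued_before_password_change")
    # 4. Presented from a client other than the one that created it. Weak on
    #    its own: an anti-detect browser replaying the victim's fingerprint
    #    through a proxy in the victim's region will pass this check.
    if req["ip"] != session.ip or req["ua"] != session.user_agent:
        reasons.append("client_mismatch")
    return reasons


# --- Constructed sample data (hypothetical users, addresses and cookies) ----
UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/98"
SESSIONS = {
    "s-alice-1": Session("s-alice-1", "alice", parse_ts("2022-03-01T08:00:00Z"), "203.0.113.5", UA),
    "s-bob-1": Session("s-bob-1", "bob", parse_ts("2022-02-28T09:00:00Z"), "198.51.100.7", UA),
    "s-carol-1": Session("s-carol-1", "carol", parse_ts("2022-03-01T07:30:00Z"), "192.0.2.9", UA),
}
# Hypothetical feed of cookie values recaptured from botnet logs, stored hashed.
STOLEN_COOKIE_HASHES = {cookie_fingerprint("s-carol-1")}
# Bob reset his password after his session was issued.
PASSWORD_CHANGES = {"bob": parse_ts("2022-03-01T09:00:00Z")}
ACCESS_LOG = [
    'ts=2022-03-01T09:15:00Z sid=s-alice-1 ip=203.0.113.5 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/98"',
    'ts=2022-03-01T10:00:00Z sid=s-bob-1 ip=198.51.100.7 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/98"',
    # Replay of Carol's stolen cookie from another network, fingerprint reused.
    'ts=2022-03-01T09:40:00Z sid=s-carol-1 ip=203.0.113.77 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/98"',
]


def scan(log_lines=ACCESS_LOG, sessions=SESSIONS, stolen=STOLEN_COOKIE_HASHES,
         password_changes=PASSWORD_CHANGES) -> dict:
    """Map each session id seen in the log to its revocation reasons."""
    findings = {}
    for line in log_lines:
        req = parse_request(line)
        sess = sessions[req["sid"]]
        findings[req["sid"]] = check_request(
            req, sess, stolen, password_changes.get(sess.user))
    return findings


if __name__ == "__main__":
    for sid, reasons in scan().items():
        print(sid, "OK" if not reasons else "REVOKE: " + ", ".join(reasons))
```

In this constructed run Alice’s session passes, Bob’s is revoked for age and for predating his password reset, and Carol’s is revoked because the cookie is in the stolen feed (the client mismatch is a secondary signal that a better-prepared attacker would have suppressed). Storing only hashes of the feed means a leak of the checker’s data does not hand out replayable cookies.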

As SpyCloud’s report demonstrates, consumers change their behavior slowly, even in the face of overwhelming evidence of a growing threat. While companies have improved their defenses, criminals’ tactics are evolving at an alarming pace. Enterprises and employees alike must take responsibility for the dangers of living and working in a digitized world.

About the Author

Chip Witt is Vice President of Product Management at SpyCloud, where he drives the company’s product vision and roadmap. He has over twenty years of diverse technology experience, including product management and operations leadership roles at Hewlett Packard Enterprise, Webroot, VMware, Alcatel, and Appthority. Chip works closely with field intelligence teams specializing in OSINT and HUMINT tradecraft, actor attribution and underground monitoring. Chip can be reached online on LinkedIn and at our company website.

April 15, 2022
