Cyber criminals would much rather log in than hack in. That’s why infostealer malware, designed to exfiltrate user credentials, browser data, messages, documents, images, and device information, is becoming more widespread. Stealing sensitive information opens a lot of doors for cyber criminals. They can log in using the stolen credentials and bypass multi-factor authentication with hijacked session cookies. They can take over accounts, commit fraud, craft better phishing campaigns, or simply sell the data to the highest bidder on the dark web.
Infostealer malware is a growing problem for cyber security teams, and our data tells us that attacks have the potential to cause significant damage to businesses. That is because lax security policies are creating the perfect conditions for infostealer attacks to thrive.
The scale of the problem
Socura and Flare recently analysed the digital footprint of the UK’s biggest companies, looking for stolen credentials across the clear and dark web. In total, we discovered 28,000 instances of stolen FTSE 100 employee credentials that had been leaked in infostealer logs. We also found cookies that were valid for several years, giving attackers another way to log in and bypass security controls like MFA.
Ideally, the UK’s corporate giants would be immune to these threats. After all, they have the budgets and the tools to be the most secure. Yet, despite their resources, they remain vulnerable. This raises a critical point: if the industry leaders are struggling to manage their threat exposure, then small and medium-sized businesses must face similar challenges.
Contributing factors
One of the major reasons that infostealer malware has been allowed to flourish is the blurred (almost invisible) line between corporate and personal IT. Employees are using their work devices, accounts, and applications at home and for personal use. They are using their personal devices for work tasks, too.
A surprisingly common source of infostealer malware is video games, specifically infected mods for popular games like Roblox, Fortnite and Grand Theft Auto. If you have an employee using a device to check their work emails and access sensitive documents, while also using the device for gaming (themselves or a family member), that poses a significant risk.
The threat of infostealer malware is being made even worse because employees continue to use the same weak passwords across all their accounts. Our research showed that more than half of FTSE 100 companies had at least one instance of an employee credential where the password was simply ‘password’. Likewise, these weak passwords or slight variations are often recycled across services used for business and personal purposes. If malware captures a login for one site, criminals will often test that password elsewhere, potentially unlocking a treasure trove of additional data they can use to further their objectives.
Recommended actions
To protect against the risks of infostealer malware, it is beneficial to take a multi-layered approach. This means looking at ways to prevent leaks, while also ensuring the business is resilient if leaks do occur, which they inevitably will at some point.
Following NCSC guidance is a great starting point. This might include employee education on password hygiene and the rollout of password managers. We also suggest implementing multi-factor authentication across the board, ideally using phishing-resistant options like passkeys to avoid sophisticated attacks.
It is also worth reviewing how personal devices and applications are managed, as these are common entry points for malware. Updating BYOD policies and implementing conditional access policies, to block users from accessing corporate resources based on factors such as device compliance and risk level, are also recommended.
Finally, proactive threat exposure monitoring allows businesses to spot leaked credentials on the dark web before they are exploited. We suggest implementing controls to flag unusual activity and automating response actions, such as initiating password resets and isolating machines, as soon as risks are identified.
Final thoughts
The threat of leaked credentials and infostealer malware might seem daunting, but there are definitive actions businesses can take to minimise the risk. This starts with acknowledging just how widespread this threat has become.
Cyber criminals would rather log in than hack in. Let’s make sure we stop handing them the keys and making their job as simple as turning a lock.
Anne Heim is threat intelligence lead at Socura, a provider of managed detection and response (MDR) services.
