Detecting And Defending Against Malware Amid Last Year’s Flood of Infostealers

With the growing threat of malware, businesses and employees alike must be held accountable for the risks of living and working in a digitalized world.

By Chip Witt, Vice President of Product Management, SpyCloud

Despite the growing demand for better password hygiene amid the rise of high-profile cyberattacks and fraud, consumers still fall well short of where they need to be. In SpyCloud's most recent report, covering last year, we identified 1.7 billion compromised credentials and 13 billion leaked pieces of personally identifiable information, and found that 64% of infected users reused passwords across multiple accounts. Surprisingly, 70% of users involved in breaches last year and earlier were still using the same compromised password.

However, even users and companies that do everything right, using complex passwords, multi-factor authentication, and password managers and changing their passwords on a regular basis, are still at risk of attack.

In 2021, there was a surge in information-stealing malware, with hundreds of millions of authentication records stolen. SpyCloud researchers regularly saw advertisements on popular underground forums from criminals looking to buy and sell logs containing specific companies' accounts, for as little as $130. As criminals intensify their tactics, businesses must become exponentially more vigilant.

Increased threat of malware

Malware is one of the most dangerous sources of exposure because it is responsible for the most effective account takeover attacks and the hardest-to-detect fraud.

Users can inadvertently download malware by clicking on malicious links or downloading executable files that pretend to be harmless, such as free games or applications. Once a device is infected, the malware establishes a command-and-control connection to the criminals' server. The infected device then sends logs in real time containing everything from login credentials and browser history to geographic location, installed software, autofill data, and web session cookies. All of this usually goes undetected.

Unlike other password attacks, such as password spraying or credential stuffing, malware gives criminals instant access to an account no matter how complex the password, because they have the correct one. And a backdoor that logs keystrokes means that even if a user changes their password, criminals obtain the new password as easily as the old one.

From an account administrator's point of view, it is nearly impossible to detect a malware-infected device or account, because criminals use the siphoned data to mimic the browser and device fingerprints typically used to authenticate users.

By leveraging the victim's system information (details such as IP address, device, and session cookies), attackers can slip past the anomaly monitoring businesses rely on, successfully impersonating legitimate users without raising red flags. Often the only indication that an account has been compromised is fraud discovered after the fact. Stolen session cookies pose a particularly high risk because they allow criminals to exploit the popular "Remember This Device" feature to shorten the authentication process or skip login altogether.

Additionally, the infostealers, anti-detection browsers, and malware logs available in underground criminal markets mean that almost anyone, regardless of skill level, can commit malware-enabled fraud with a relatively small investment.

To impersonate users and commit fraud, aspiring criminals can simply purchase malware or its output logs and follow a step-by-step guide to using an anti-detection browser, which creates separate browsing profiles with distinct browser fingerprints. One of the common infostealers, RedLine Stealer, available for around $200 a month, accounted for more than 50% of the infections analyzed in SpyCloud's report.

A new kind of perimeter

Mitigating the risk of malware infection is often overlooked in conversations about how users can better protect themselves, despite rising threat levels. While good password hygiene and multi-factor authentication are important for limiting overall exposure, malware attacks exploit a variety of risky user behaviors.

Corporate personnel have been trained to expect suspicious links and attachments delivered through email phishing attacks. Today's malware comes from a much wider variety of sources, designed to reach employees across devices and networks rather than just traditional office environments, and uses far more sophisticated disguises. For example, researchers have observed instances of RedLine Stealer masquerading as legitimate downloads for software such as Windows Update.

The reality is that downloading web-based applications and software updates has become routine for most users. Everything from video conferencing services to online gaming requires downloads that carry some risk, especially when open source software is involved. Additionally, with remote work blurring the boundaries between work and home devices, businesses have limited visibility into who is using their work devices and how.

To defend against attacks that are virtually undetectable, businesses must become more aware of the nature and scope of the threats they face.

Enterprises targeted by fraudsters, such as e-commerce retailers and financial services firms, need to approach threats proactively, starting by increasing visibility into malware exposure. SpyCloud's database of breach and botnet data shows that stolen session cookies are often an indicator that the credentials associated with the account are compromised or about to be. Monitoring stolen session cookie data and compromised credentials in botnet logs provides the most comprehensive view of malware risk.
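The monitoring described above, turned into triage logic as an added example (this is not SpyCloud's code or data). It assumes a hypothetical exposure feed of botnet-log records, a directory that stores PBKDF2 password hashes, and a session store keyed by cookie id; all sample values are constructed.

```python
import hashlib
import hmac
import os

def pbkdf2(password: str, salt: bytes) -> bytes:
    # Stand-in for the directory's salted password hash (hypothetical scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed internal state of a hypothetical identity system.
SALT = {"alice@example.com": os.urandom(16), "bob@example.com": os.urandom(16)}
STORED_HASH = {
    "alice@example.com": pbkdf2("Winter2024!", SALT["alice@example.com"]),
    "bob@example.com": pbkdf2("different-pass", SALT["bob@example.com"]),
}
ACTIVE_SESSIONS = {  # cookie id -> account that owns the live session
    "sess-alice-0042": "alice@example.com",
    "sess-bob-7731": "bob@example.com",
    "sess-carol-0001": "carol@example.com",
}

# Constructed botnet-log exposure feed: credentials and session cookies that an
# infostealer siphoned from infected devices, as a defender would receive them.
EXPOSURE_FEED = [
    {"type": "credential", "email": "alice@example.com", "password": "Winter2024!"},
    {"type": "credential", "email": "bob@example.com", "password": "old-pass"},
    {"type": "session_cookie", "email": "bob@example.com", "cookie_id": "sess-bob-7731"},
    {"type": "session_cookie", "email": "dave@example.com", "cookie_id": "sess-dave-9"},
]

def triage(feed, stored_hash, salt, active_sessions):
    """Map each exposed account to the response actions the feed justifies."""
    actions = {}
    for rec in feed:
        acct = actions.setdefault(rec["email"], set())
        if rec["type"] == "credential":
            # Any stolen password means the device was infected: rotate the
            # password and re-establish MFA, since a keylogger captures the
            # replacement password as easily as the old one.
            acct.update({"force_password_reset", "reenroll_mfa"})
            email = rec["email"]
            if email in stored_hash and hmac.compare_digest(
                    pbkdf2(rec["password"], salt[email]), stored_hash[email]):
                acct.add("lock_until_reset")  # leaked password is the current one
        elif rec["type"] == "session_cookie":
            # A stolen cookie lets an attacker skip login entirely, so a live
            # session is revoked; a stolen cookie also tends to precede a
            # credential exposure, so the account is watched for one.
            if active_sessions.get(rec["cookie_id"]) == rec["email"]:
                acct.add("revoke_session")
            acct.add("watch_for_credential_exposure")
    return actions
```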

But the first step, essential for any company, is urging employees to pay attention to downloads and links whenever they use a device, to complete multi-factor authentication every time they log in, and to avoid leaving account sessions open for extended periods of time.

As SpyCloud's report shows, consumers are only slowly changing their behavior despite overwhelming evidence of an increasing threat. Businesses have improved their defenses, but criminal tactics are evolving at an alarming rate. Both businesses and employees must take responsibility for the risks of living and working in a digitalized world.

About the author

Chip Witt is Vice President of Product Management at SpyCloud. He has over 20 years of diverse technical experience, including product management and operational leadership roles at Hewlett Packard Enterprise, Webroot, VMware, Alcatel, and Appthority. He currently serves as SpyCloud's Vice President of Product Management, leading the company's product vision and roadmap. Chip works closely with a field intelligence team specializing in OSINT and HUMINT tradecraft, actor attribution, and underground monitoring. Chip can be reached online on LinkedIn and at the company website https://www.spycloud.com/.
