
Infostealers have transformed cybercrime – here’s how CISOs can stop them


COMMENTARY: Information-stealing malware has come a long way in the past two decades. The category traces its roots back to banking trojans like the infamous Zeus variant.

However, infostealers today do a lot more than harvest online banking logins. They’re foundational to a wide range of cybercrime, nurturing an underground economy measured in the trillions of dollars.

By flooding the market with stolen credentials — subsequently used for account takeover, ransomware and much more — infostealers represent a critical threat to virtually every type of organization. It’s in all of our best interests to prevent their spread and minimize their impact.

Uncover an underground economy

Infostealers typically target web browsers, email clients, cryptocurrency wallets, files, applications and operating systems to find monetizable data. It’s often payment card and bank details, secure systems information, photos and documents, or personal data like phone numbers, names and addresses. Most popular are credentials including passwords and session cookies. One estimate claims that 75% (2.1 billion) of 3.2 billion credentials stolen in 2024 were taken via infostealers.


Their popularity is understandable. After all, why would attackers risk setting off the alarms by breaking down a front door if they could get in quietly with a key? Session cookies and tokens have the added advantage of helping threat actors bypass multi-factor authentication (MFA). Stolen credentials might offer initial access, or help adversaries perform lateral movement once inside networks — perhaps en route to data theft, encryption and extortion.

This mini-infostealer industry has been made possible not just by the malware itself, but the supply chain that’s grown up around it. Malware developers have lowered the barrier to entry for threat actors by offering their software as a service to all-comers. Customers might log in to bespoke dashboards to configure the malware, track campaigns, renew their subscription, and much more. Once the stolen data has been sent back to their server, they’ll typically package it up and sell it on. Minimum fuss, minimal effort, maximum return.

Tap a lucrative source of data

To ensure profits and data continue to flow into this cybercrime economy, adversaries are constantly refining their approaches. One big trend has been developing malware that targets macOS users: We recorded a 400% annual increase in these infostealers last year.

Multiple families including Atomic, Poseidon, and Banshee were spotted in the wild — many hidden in free or cracked software or distributed via malicious ads. Their developers are constantly looking for ways to bypass built-in macOS controls like Gatekeeper. It’s telling, for example, that just 5% of macOS stealer infections came after September 2024, when Apple removed the Gatekeeper bypass used by many of the variants.

Of course, there are many more ways that macOS and other computer users could get infected with infostealer malware. Other common threat vectors are phishing emails or SMS messages, malicious websites, SEO poisoning and social media. There’s no such thing as a safe platform anymore.

Layer up defenses

Fortunately, best-practice security steps go a long way toward preventing compromise by an infostealer. These are opportunistic attacks that look to take advantage of gaps in awareness and protection, so better resilience and improved user training programs can help a great deal.

On the resilience front, that means patching or updating all applications and operating systems promptly and — where possible — automatically. The same should go for any BYOD devices and machines used at home. Stricter policies around acceptable home working device types and practices may also help to lock down the risk of infection. However, if certain actions risk impacting productivity, employees need to understand why they’re being asked to follow them — or else shadow IT use may start to surge.

Those same team members should regularly receive training sessions using live simulations of real-world phishing attacks. Companies should also encourage users to only download or install apps from legitimate stores. Ad blocking tools will help to lock down another distribution channel for infostealers, while it’s important to deploy endpoint security to detect and block malware early on.

Make prevention the first priority. Because prevention is not always possible, CISOs should also develop a comprehensive incident response plan. First determine what has been taken. Security teams can then reset any potentially compromised credentials and manually revoke user sessions to prevent cookie reuse. If financial data is affected, freeze or monitor the relevant accounts for suspicious activity.
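The response steps above (work out which accounts were exposed, revoke their sessions so stolen cookies cannot be replayed, queue credential resets) can be scripted. The following is an added example, not code from the column or from Red Canary; the exposure-feed format, the `Session` store and all sample data are constructed assumptions for illustration.

```python
"""Added example (not from the SC Media column): a minimal incident-response
helper for an infostealer exposure. It reads a constructed exposure feed,
works out which organisation identities appear in it, lists the live sessions
to revoke, and enforces a per-user "not-before" cutoff so that any stolen
cookie issued before the revocation is rejected on replay, even one the
session store never recorded. Format and data are assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample feed, one line per exposed credential:
#   host|username|observed_at   (format assumed for this example, not a real feed)
EXPOSURE_FEED = """\
mail.example.com|alice@example.com|2025-03-02T09:15:00Z
vpn.example.com|bob@example.com|2025-03-02T09:15:00Z
shop.example.net|alice@example.com|2025-03-01T22:40:00Z
"""


@dataclass
class Session:
    session_id: str
    user: str
    issued_at: datetime


@dataclass
class ResponsePlan:
    affected_users: set = field(default_factory=set)
    sessions_to_revoke: list = field(default_factory=list)
    password_resets: set = field(default_factory=set)


def _parse_ts(value: str) -> datetime:
    # Accept the trailing "Z" form on every Python 3 version that has fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def make_session(session_id: str, user: str, issued_at_iso: str) -> Session:
    return Session(session_id, user, _parse_ts(issued_at_iso))


# Constructed session store: two org users with live sessions, one untouched user.
SAMPLE_SESSIONS = [
    make_session("s1", "alice@example.com", "2025-03-01T08:00:00Z"),
    make_session("s2", "carol@example.com", "2025-03-02T07:30:00Z"),
    make_session("s3", "bob@example.com", "2025-03-02T08:45:00Z"),
]


def parse_feed(text: str) -> list:
    """Return (host, user, observed_at) tuples from the constructed feed format."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, seen = line.split("|")
        rows.append((host, user.strip().lower(), _parse_ts(seen)))
    return rows


def plan_response(feed_text: str, sessions: list, org_domain: str) -> ResponsePlan:
    """Build the response plan: affected org identities, sessions to revoke, resets.

    Any org identity seen in the feed is treated as affected regardless of which
    host the credential was stolen for, because the same password is often reused.
    """
    plan = ResponsePlan()
    for _host, user, _seen in parse_feed(feed_text):
        if user.endswith("@" + org_domain.lower()):
            plan.affected_users.add(user)
    # Revoke every live session for an affected user: a stolen cookie may be any of them.
    for s in sessions:
        if s.user.lower() in plan.affected_users:
            plan.sessions_to_revoke.append(s.session_id)
    plan.password_resets = set(plan.affected_users)
    return plan


def revocation_cutoffs(plan: ResponsePlan, now: datetime) -> dict:
    """Per-user not-before timestamp recorded at revocation time."""
    return {user: now for user in plan.affected_users}


def session_is_valid(session: Session, cutoffs: dict) -> bool:
    """Reject any session issued at or before the user's revocation cutoff.

    This catches replay of a stolen cookie whose session id was never in the
    store, which a list-based revocation alone would miss.
    """
    cutoff = cutoffs.get(session.user.lower())
    return cutoff is None or session.issued_at > cutoff


def run_demo():
    plan = plan_response(EXPOSURE_FEED, SAMPLE_SESSIONS, "example.com")
    now = datetime(2025, 3, 2, 12, 0, tzinfo=timezone.utc)
    return plan, revocation_cutoffs(plan, now)


if __name__ == "__main__":
    plan, cutoffs = run_demo()
    print("affected:", sorted(plan.affected_users))
    print("revoke:", sorted(plan.sessions_to_revoke))
    for s in SAMPLE_SESSIONS:
        print(s.session_id, "valid" if session_is_valid(s, cutoffs) else "rejected")
```

In a real environment the feed parser and session store would be replaced by the organisation's threat-intelligence source and identity provider; the point of the example is the ordering (identify, revoke all sessions, enforce a not-before cutoff, then reset) rather than the toy storage.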

Play the long game

An estimated 4.3 million machines were infected by infostealers last year, but even this figure could represent just the tip of the iceberg. It’s claimed three families were responsible for 75% of these infections, two of which were disrupted by law enforcement in recent months.

Unfortunately, we won’t see the end of infostealers anytime soon. Teams can tackle this new reality by doing the following: build cyber resilience into response efforts, improve detection and response, and continuously update threat awareness.

Keith McCammon, co-founder and CSO, Red Canary

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
