January 21, 2025

Infostealer on your device? Prevent further damage with these 3 steps.

An infostealer infection means that your data is in the hands of cybercriminals. If you've been notified of an infostealer infection on your device, it’s important to act quickly. This way, you can prevent further damage. In this guide, you’ll read what an infostealer infection means and the three steps you need to take to limit the consequences.

This guide is for individuals whose device has been infected with an infostealer.

What does an infostealer infection mean?

An infostealer is malware that steals sensitive information from your device. If your device is infected, consider the following:

Your device is compromised

Attackers may be able to spy on you remotely. Do not use the device until it has been fully cleaned (see step 2).

All your information may have been stolen

This may include the following data:

  • Login credentials and passwords: Usernames and passwords for all accounts accessed from the device.
  • Session tokens: These allow attackers to bypass two-factor authentication as long as the session is active. This applies to all logins performed on the device.
  • Local files: Documents in your Downloads folder or other stored files, such as passport copies.
  • Financial data: Think of credit card details and bank account numbers.
  • Crypto wallets: Wallets and private keys for cryptocurrency accounts are specific targets.
  • Browser data: Including browsing history and stored cookies.
  • Screenshots: Infostealers can take screenshots of your screen.
  • Device properties: Such as operating system, hostname, and IP address.

Your accounts may have been misused

It’s possible that someone has already logged into your accounts to misuse them.

What is a session token? Session tokens are digital keys that keep you logged in. They are stored on your computer. Attackers can use these to log in directly without needing your password.

What should I do?

Step 1: Reset all your passwords from a clean device

Your device is compromised, so use a clean device for this step: an uninfected computer.

Change the passwords for your accounts, starting with the most important ones, such as:

  • Password manager
  • Email accounts
  • Cloud services
  • Social media

Tip: Force active sessions to end wherever possible so attackers can no longer access them.
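The session-token point above, shown as an added illustration that is not part of the original guide: a minimal server-side model (hypothetical Account class and constructed passwords) in which a password reset alone leaves a copied session token working, while ending all sessions makes it useless.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

SESSION_TTL = 3600  # seconds a token stays valid; constructed value for this example


class Account:
    """Server-side view of one user: a password hash plus the live session tokens."""

    def __init__(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(password)
        # token -> expiry; any token in here logs its holder in without a password
        self.sessions: Dict[str, float] = {}

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str) -> Optional[str]:
        """Password check; on success issue a session token (the 'digital key' a stealer copies)."""
        if not secrets.compare_digest(self._hash(password), self.password_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = time.time() + SESSION_TTL
        return token

    def is_logged_in(self, token: str) -> bool:
        """What a stolen cookie buys: access without password or second factor while it lives."""
        expiry = self.sessions.get(token)
        return expiry is not None and expiry > time.time()

    def change_password(self, new_password: str, sign_out_everywhere: bool) -> None:
        """Step 1 of the guide; only the sign_out_everywhere branch invalidates stolen tokens."""
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(new_password)
        if sign_out_everywhere:
            self.sessions.clear()


def stolen_token_survives(sign_out_everywhere: bool) -> bool:
    """Victim logs in on the infected device, the stealer copies the token, then the
    victim resets the password from a clean device. Returns whether the token still works."""
    account = Account("old-password")  # constructed credentials
    stolen = account.login("old-password")  # copied from the infected device's cookie store
    account.change_password("new-password", sign_out_everywhere)
    return account.is_logged_in(stolen)
```

Real services expose this as "sign out of all devices" or "log out everywhere"; the reset without it corresponds to `stolen_token_survives(False)`.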

Step 2: Remove the malware from your device

The malware is still running on your device. It’s crucial to clean your device thoroughly before using it again. Here are two options:

Option 1: Use a high-quality antivirus solution

Install a reliable antivirus solution to scan and remove the malware from your device. We recommend Sophos Home due to its strong performance in detecting infostealers.

Note: Many other antivirus solutions perform poorly against infostealers and are therefore insufficient.

Option 2: Restore to factory settings

Alternatively, you can remove all installed programs (including the malware) by resetting your device to its factory settings. This is an effective method, but you will essentially lose all locally stored data.

Note: Restoring a backup is risky. If the malware is part of the backup, it will be reinstalled. Only restore files that you are sure are safe, such as photos or contacts.

Factory reset while keeping files? Microsoft offers a safe option to remove infostealers while keeping your files: select the “Keep my files” option, followed by “Cloud download.” For the guide, see here.

Step 3: Limit further damage

With the above steps, you’ve limited the immediate consequences. Follow these additional measures to limit further damage:

Contact involved parties and individuals

Employer: If you’ve used the device for professional purposes, report this to the IT team.

Bank: If you’ve logged into your bank account from the device, inform them about the infection.

Contacts: Alert friends and family that your accounts may have been hacked. Ask them to report suspicious messages—such as phishing links—to you.

Check your accounts for suspicious activity

Check your accounts for suspicious activity and contact the account provider if you notice anything unusual. Look out for:

  • Unknown logins or devices
  • Unauthorized payments or orders
  • Messages sent from your account that you don’t recognize

Secure your device and accounts

Protect your device and accounts to prevent future infections as much as possible. Take the following actions:

  • Enable multi-factor authentication (MFA) wherever possible.
  • Install a good antivirus solution and keep it up to date.
  • Perform system updates immediately (set up automatic updates).
  • Use a password manager to create unique, strong passwords.

Stay vigilant: increased risks after an infection

People who have dealt with an infostealer infection often remain a target for cybercriminals for an extended period. This is because a significant amount of personal data may have been exposed, making it vulnerable to misuse. Based on your activities, attackers can, for example, determine your interests or identify which services you subscribe to. They can exploit this information to make targeted attempts to deceive you.

This increases the likelihood of receiving phishing emails or encountering other forms of fraud. It’s therefore essential to stay alert for suspicious messages or activities.

Be aware of the risks, but don’t panic: if you’ve followed the steps outlined in this article, you are well-protected. By staying vigilant and taking appropriate precautions, you can continue to stay safe online.

In conclusion

By acting quickly and carefully following these steps, you can prevent further damage.

These actions will help you regain control of the situation and better protect your data. If you have any questions or need assistance, contact the Fraudehelpdesk for advice.