October 8, 2024
|
Infostealers series
October 8, 2024
|
Infostealers series
In recent years, many organizations have implemented effective measures to secure their networks and reduce the risk of phishing attacks. As a result, the effectiveness of traditional attack methods has significantly decreased. This poses a major problem for cybercriminals, as their entire ecosystem relies on successful attacks.
As traditional methods become less effective, we see a significant increase in the use of infostealers. This shift has led criminal groups to refocus from methods like ransomware to the development and distribution of infostealers. This phenomenon is so widespread that the annual IBM X-Force Threat Intelligence Report highlights a clear shift in cybercriminal tactics: "In this era, the focus has shifted towards logging in rather than hacking in."
This is a clear "waterbed effect." As one attack method is curtailed, others rise to fill the gap. In the case of infostealers, several specific trends contribute to their rapid growth. Below, we discuss the key factors driving this risk.
A key factor is that infostealers have become increasingly easy to use. Cybercriminals have optimized the interfaces and functionalities of infostealers, making them more accessible to a broader audience, even those without extensive technical knowledge. Many of these tools are offered with user-friendly guides and support, enabling even less-experienced attackers to implement them effectively. This lowers the barrier to entry into cybercrime, allowing low-tech attackers to achieve success with relatively little effort and technical skill.
With the growth of hybrid and remote work, the use of Bring Your Own Device (BYOD) within organizations is rapidly increasing. In a survey conducted by HP, 48% of the 8,000 respondents indicated that BYOD was present in their organization, with 74% expecting this to increase.
The more poorly secured personal devices are used in business environments, the more opportunities infostealers have to cause damage. It should also be noted that the 48% estimate shown in the HP survey is likely conservative. Infostealers also have ample opportunities in organizations where unmanaged devices have access alongside managed devices. So even without an active BYOD policy, infostealers can often thrive.
In addition to the rise of BYOD, we also see the growing importance of digital identity. Many organizations are transitioning to cloud-based applications, where access to systems no longer occurs through the internal network but via identity management. This makes login credentials and session tokens a prime target for cybercriminals.
Infostealers capitalize on this by stealing session tokens and user credentials, allowing attackers to access sensitive systems without the need for complex attacks. Once they obtain the right credentials, they can easily log in and operate as if they were a legitimate user. This explains the shift to what IBM describes as “logging in rather than hacking in.”
Another reason for the growth of infostealers is the ongoing arms race between corporate antivirus solutions and malware creators. Corporate antivirus software has become increasingly advanced, particularly with the implementation of both signature-based detection—recognizing malware based on known fingerprints—and extensive heuristic-based detection, which continuously analyzes the behavior of files and processes to identify suspicious activities.
Consumer antivirus solutions tend to lag behind, especially when it comes to heuristic-based detection. This is because many consumers are unwilling to pay for premium antivirus solutions, leading to a lack of financial resources for developing more effective security technologies. As a result, these solutions are often unable to detect infostealer infections effectively, providing infostealers with an opportunity. By targeting these weaker systems with malware originally designed to bypass even corporate antivirus systems, cybercriminals have quickly achieved significant success.
Infostealers also benefit from the growing cybercriminal ecosystem. There are thriving marketplaces for stolen credentials and session tokens, which are traded in bulk by cybercriminals. These illegal markets ensure that even criminals without technical skills can easily purchase access to accounts and systems.
This ecosystem creates a flywheel effect: the more stolen data is available, the more attractive it becomes for criminals to invest in spreading infostealers. This makes it harder for organizations to protect themselves, as every successful attack only makes the problem bigger. New criminals are drawn in by the lucrative market, leading to an increase in both the demand for stolen data and the supply of infostealers.
The rapid growth of the infostealer risk is the result of multiple factors: the increasing ease of use of infostealers, the rise of BYOD, the growing role of digital identity, the arms race between malware creators and corporate antivirus solutions, and the flywheel effect of the criminal ecosystem. While it’s hard to pinpoint which factor is the most important, these trends collectively illustrate the shift into a new era and the driving forces behind the infostealer revolution.