Skip to main content

Banks, credit unions, insurance brokers, and other financial institutions are at the epicenter of an increasing cybersecurity threat: infostealers.

In the recent past, infostealers have moved from a ‘consumer vulnerability’ to an organizational one. With a perfect storm of circumstances at hand—sensitive financial data, password managers, and continued blurry boundaries between personal and professional device use—businesses need to stay alert about preventing infostealer attacks.

What is an Infostealer? 

Infostealers are a form of malware-as-a-service (MaaS). Threat actors are employing all sorts of methods to infect devices with infostealers, including phishing emails with software embedded in the attachments, adding code to a browser or app meaning it’s available for download, and even impersonating brands and then advertising to consumers.

Once installed, an infostealer sneakily steals all of a user’s information (thus the info + stealer namesake). This data might include “autofill” field data, cookies, credentials from password managers, cryptocurrency wallets, and just about any piece of stored information the average person uses. From there, threat actors are a single click away from the user’s credit card and bank account information, IP addresses, date of birth, social security number, and any other piece of marketable personal information. In a heartbeat, the threat actors can sell this data, and it can then be used by all sorts of other cybercriminals.

…And that’s just for one user. 

When organizations are the target of an infostealer campaign, threat actors target entire customer databases, trade secrets, enterprise-wide financial records, and everything specific to users, as well.

The Perfect Storm…

(1) Hybrid Work and BYOD Policies Mean Increased Vulnerabilities 
While there are many opinions about hybrid and remote work models, one thing is for certain: there are new risks related to changing device policies. Upwards of 80% of respondents felt that using a single device for both work and personal purposes improves work-life balance—an indicator that even when acceptable user policies are clear, personal devices are likely still being used for work-related activities. This means the likelihood of an employee making a mistake, clicking a phishing link, or unintentionally downloading an infostealer that can then affect your business is dramatically increased.

(2) Password Managers Exposed
Once a machine is infected with an infostealer, threat actors are almost guaranteed to target password managers. Infostealer malware is particularly insidious in this capacity: it can gain access to all saved credentials, as well as monitor and steal new ones as they are entered.

As Mike Wilson writes for Credit Union times, “because password managers typically link the URL where the respective credential is used, infostealers not only expose the credential in plain text but also all of the websites or services associated with it.”

The impact is dramatic; threat actors can leverage the data in future credential stuffing and password spraying attacks.

(3) MFA is no Magic Bullet
IT professionals a decade ago may have thought multifactor authentication (MFA) could prevent infostealers, but unfortunately, it’s useless. Due to the fact that MFA is often skipped if the device is ‘trusted’ (usually accomplished via cookies), and cookies can be stolen by infostealers, it renders MFA ineffective.

The Path Forward: What To Do

(1) Strong Boundaries
To address concerns raised around hybrid work and personal device use, companies certainly have a range of options to choose from. One consideration is to provide employees with work devices, so there is a natural separation between personal and professional. If that’s not possible or realistic, acceptable use policies and device monitoring can certainly be useful steps to take.

(2) Employee Education
While ‘security training’ might get a bad reputation sometimes, investing in “ongoing education about how to discern the differences between a fake and a legitimate website is vital” as Wilson points out. With advancements in AI-generated websites, emails, graphic design, and more, identifying malicious material has become more difficult for every user. Checking whether the website is using legitimate SSL/TLS certificates, and understanding what source the link is coming from are good steps to drill into employee training programs.

(3) Strong Threat Intelligence
The only way to stay ahead of threat actors is to listen at the source. Monitoring the Dark Web can provide institutions with threat intelligence. When it comes to novel and targeted attacks, or zero-day exploits, Dark Web monitoring can help, offering a proactive approach to identifying threats even before conventional measures even detect them.

If infostealers are starting to worry you, now is the time to take action.