In just two months of investigation, a form of malware known as Lumma Stealer was found on nearly 400,000 computers. This infostealer, which pilfers personal credentials like passwords, credit card numbers, bank account information, and cryptocurrency wallet logins, was ultimately shut down through a joint effort by Microsoft and law enforcement agencies.
However, the damage from Lumma has likely already been done. The infostealer has been around for years and remains popular with cybercriminals due to its efficiency and effectiveness. Even more concerning, new variants of this malware—and others like it—are constantly emerging.
Since most stolen credentials end up for sale on the dark web, it has become critical for organizations to integrate tools that can detect and protect against compromised data.
As Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, outlined in the report, Dark Web Threat Intel: Critical Pillar of Modern Cybersecurity, adopting these tools is just the first step that organizations must take to protect their operations from the growing infostealer threat.
Bundling Personal Info
A malware variation known as a digital skimmer is often used in e-commerce applications to capture payment card data during checkout. By contrast, infostealers can capture all available browsing data related to a purchase.
This breadth of access makes infostealers a particularly pernicious threat, as they can collect far more data at a much wider scale.
“Let’s say that you have session history,” Goldberg said. “If you don’t go and clear out your browsing data—which I don’t think most of us do on a regular basis—these infostealers can steal your cookies. Some of them can even steal your autofill data. Once they get access to that browsing history, they compromise all kinds of accounts.”
“Stealing your digital wallet and credit card data is just scratching the surface, and some of these emerging infostealers even have the capability to capture screenshots,” she said. “Even if you were to go in and clear the browsing history at some point, once that infostealer has infiltrated you and captures screenshots—unless you go in and change passwords that were captured in that browsing data—they’ve got your information.”
Because of these capabilities, analysts estimate that infostealers have enabled the theft of billions of personal credentials. The data they collect is easily aggregated by bad actors and frequently auctioned on the dark web.
While individual data elements are sometimes sold piecemeal, a disturbing trend has emerged in which complete bundles of personal data are sold together.
“What makes infostealers so attractive to cybercriminals is that they can package data,” Goldberg said. “They could package your date of birth, your commonly used passwords, your username, as well as your credit card data and your Social Security number. All of that could be packaged and sold so that it’s easy to take over your identity or to use bits of your information to create a synthetic identity.”
Reducing Password Dependency
To defend their customers, financial institutions must take a multi-pronged approach. One of the most important ways to neutralize the threat from malware designed to steal credentials is to reduce the use of those credentials in the first place.
“We have to get away from usernames and passwords,” Goldberg said. “The less consumers are asked to do to authenticate themselves, the better off we’re going to be. The more back-end analytics that can be used to authenticate an individual or a device, the safer we’re going to be—because humans are always going to be the weakest link.”
The vulnerability of the end user is one of the reasons why phishing attacks have become so prevalent in recent years. Bad actors can now leverage sophisticated technologies to craft messages that appear to originate from legitimate sources. For example, many consumers recently received phony texts regarding unpaid tolls that purported to be from government agencies.
Criminals will couple these convincing communications with social engineering techniques, where they pressure the user to take urgent action. These tactics—phishing and social engineering techniques—are the foundation of many fraud attacks, and infostealers are no exception.
Because these attacks have become increasingly effective, it’s imperative to move away from the traditional username/password paradigm. However, the widespread reliance on login credentials makes this shift unlikely to happen in the near future.
“The big takeaway for banks and credit unions is that we have to start looking ahead to building a bridge that’s going to carry us from where we are today with usernames and passwords into the future where we don’t have usernames and passwords,” Goldberg said. “That’s going to mean multifactor authentication. It’s going to mean behavioral biometrics and analytics that are used to complement usernames and passwords.”
“Eventually, we get to the point where we can just get rid of usernames and passwords altogether,” she said. “Another gap-filling measure is to ensure that passwords are strong and that you’re requiring your customers and members to change passwords on a fairly regular basis—at least every 90 days.”
Dark Web Intelligence
In addition to shoring up authentication methods, financial institutions must take steps to uncover what data may have already been compromised. This requires leveraging dark web threat intelligence platforms, which constantly monitor the dark web for any information linked to an institution’s customers or members.
“Let’s say that they have Bank of America as a client,” Goldberg said. “The dark web threat intel provider then will go out and scour the dark web—or even the open web, social media posts and those types of things—to see if there’s anything that’s linked to Bank of America.”
“Oftentimes, Bank of America as a client will also provide the dark web provider with any kind of data that might help them pick up on accounts that may have been compromised,” she said. “Then, the dark web threat intel providers try to prevent that data from being exposed in the first place.”
A proactive feature of many dark web threat intel platforms is the deployment of analysts who infiltrate the dark web while posing as cybercriminals. These analysts monitor threat actor communications to detect emerging threats or breaches.
In some cases, they can even repurchase stolen data on the dark web and return the compromised credentials or information to the client before further damage occurs.
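The exchange described in this section, in which an institution hands a provider data that helps it spot compromised accounts and the provider reports back what it finds in leaked data, can be done without either side exchanging raw customer lists. The following is an added example, not code from Javelin, Goldberg, or any threat intel vendor: it assumes a keyed-hash (HMAC) pseudonym scheme with a per-engagement shared key, a constructed customer roster, and a constructed leak feed in the `identifier:password:source` shape. The provider receives only the pseudonyms, matches leaked identifiers against them, and the institution maps any hits back to accounts and plans a response (session invalidation, forced reset, MFA step-up).

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data. All accounts, emails, passwords and source
# names below are invented for this example.
CUSTOMERS = {
    "acct-1001": "alice@example.com",
    "acct-1002": "Bob.Smith@example.com",
    "acct-1003": "carol@example.net",
}

LEAK_FEED = [
    "alice@example.com:Summer2024!:stealer-log-batch-17",
    "bob.smith@example.com:hunter2:combolist-may",
    "ALICE@example.com:Summer2024!:combolist-may",   # same victim, second source
    "mallory@elsewhere.org:letmein:stealer-log-batch-17",
    "garbled line with no delimiter",                  # malformed record
]

# Shared between institution and provider for this engagement (constructed).
# It must be a dedicated secret, never the institution's own credential-hashing key.
SHARED_KEY = b"example-engagement-key"


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed hash of a normalised identifier so raw emails never cross the boundary.
    Normalising (strip + lowercase) makes 'ALICE@...' and 'alice@...' collide on purpose."""
    normalised = identifier.strip().lower()
    return hmac.new(key, normalised.encode(), hashlib.sha256).hexdigest()


def build_watchlist(customers: dict, key: bytes) -> dict:
    """Institution side: pseudonym -> account id. Only the keys are sent to the provider."""
    return {pseudonymize(email, key): acct for acct, email in customers.items()}


def parse_feed(lines) -> list:
    """Provider side: parse leak records, skipping lines that do not fit the format.
    Returns (identifier, password_present, source) tuples."""
    records = []
    for line in lines:
        parts = line.split(":", 2)
        if len(parts) != 3 or "@" not in parts[0]:
            continue
        identifier, secret, source = parts
        records.append((identifier, bool(secret), source))
    return records


def match_feed(records, watchlist_tokens: set, key: bytes) -> dict:
    """Provider side: which pseudonyms appear in the feed, from which sources,
    and whether a password accompanied the identifier."""
    sources = defaultdict(set)
    password_seen = defaultdict(bool)
    for identifier, has_password, source in records:
        token = pseudonymize(identifier, key)
        if token in watchlist_tokens:
            sources[token].add(source)
            password_seen[token] |= has_password
    return {t: {"sources": sorted(s), "password_seen": password_seen[t]}
            for t, s in sources.items()}


def plan_response(hits: dict, watchlist: dict) -> list:
    """Institution side: map hits back to accounts and decide what to do.
    Stolen cookies mean sessions must die even when no password was leaked."""
    plan = []
    for token, info in hits.items():
        actions = ["invalidate_sessions", "require_mfa"]
        if info["password_seen"]:
            actions.insert(1, "force_password_reset")
        plan.append({"account": watchlist[token],
                     "sources": info["sources"],
                     "actions": actions})
    return sorted(plan, key=lambda a: a["account"])


def run_example() -> list:
    """Run both sides end to end on the constructed data."""
    watchlist = build_watchlist(CUSTOMERS, SHARED_KEY)
    hits = match_feed(parse_feed(LEAK_FEED), set(watchlist), SHARED_KEY)
    return plan_response(hits, watchlist)


if __name__ == "__main__":
    for entry in run_example():
        print(entry)
```

On the constructed data this flags acct-1001 (seen in two sources) and acct-1002, ignores the malformed line and the non-customer, and never touches acct-1003. A keyed hash keeps raw emails off the wire, but the provider can still test identifiers it already holds against the watchlist; a private set intersection protocol would be the stronger choice if that is a concern.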
Getting Off the Fence
As fraud losses and system impacts worsen, more organizations have become aware of the damaging potential of malware. However, the added impact of infostealers means that financial institutions must implement strong defenses now.
“One of the big takeaways is that there are still some organizations out there that have been a bit on the fence about how relevant dark web threat intel is,” Goldberg said. “These infostealers aren’t new, they’ve been around for a while. But they continue to evolve, and we continue to see new and more powerful strains of them.”
“If you weren’t convinced before, you should be convinced now that dark web threat intel is critical, because it helps you get to a position of being more proactive and predictive with cybersecurity, versus being in this reactive mode once the fraud already takes place,” she said.