With Millions Upon Millions of Victims, Scale of Unstoppable Info-Stealer Malware Laid Bare

A recent tip-off from a government agency has shed light on the staggering scale of an unstoppable info-stealer malware, revealing millions upon millions of victims and a treasure trove of stolen credentials. The data, which was added to the privacy-breach-notification service Have I Been Pwned (HIBP), contains 284 million unique email addresses, as well as plenty of passwords snatched by credential-stealing malware.

The story begins with HIBP founder Troy Hunt, who received a mysterious message from an unnamed government agency after publishing an analysis of a separate massive collection of info-stealer logs. The message was a digital breadcrumb trail that led Hunt to a Telegram channel called Alien Txtbase, which peddled huge quantities of stolen website credentials quietly collected by info-stealer malware running on people's infected devices.

One file alone contained more than 36 million rows of data listing websites, email addresses, and passwords siphoned by malware. The trove included 284 million unique email addresses, as well as 23 billion rows of info-stealer logs and 493 million unique website and email address pairs. These records were created when hidden malware logged private information as users typed their details and credentials into infected PCs and other devices; the malware then sent the captured data to criminals to sell and exploit.

Hunt parsed the trove and added 244 million new compromised passwords to Pwned Passwords, updating frequency counts for an additional 199 million passwords already in the database. The service also introduced two new APIs that allow paid users to query stealer logs by email domain and website domain; these are aimed at larger organizations, which may need to retrieve large volumes of data.

The HIBP offering includes a five-tier subscription scheme, with prices ranging from $3.95 a month or $39.50 a year up to $274 a month or $2,740 a year. The more you pay, the more you can use the API, allowing users and organizations to query the service with their own or their users' details and ascertain whether those details have appeared in a breach.

Criminals obtain personal info by tricking victims into downloading info-stealer malware disguised as legitimate software updates or apps. They may also phish victims with documents that threaten legal action; when the victim opens the phony attachment or software, it downloads and executes the stealer. This malware lurks in the background, watching as users enter credentials, bank account info, and other sensitive information while they surf the web.

The recorded data is then sent to crooks who bundle it up for sale, with buyers using the harvested credentials for other criminal activities, including ransomware attacks, data theft, and cryptomining on hijacked cloud compute resources. According to cyber threat intelligence analyst Hayden Evans at ReliaQuest, "Attackers don't hack in, they log in." This sentiment is echoed by Hunt, who notes that attackers aim for the path of least resistance, and credentials taken from info-stealer logs make it as easy for criminals to log in to a service as for anyone else.

The scale of this unstoppable info-stealer malware is a stark reminder of the ongoing threat landscape and the need for defenders to stay vigilant. As Evans said, "The main takeaway for defenders is the ongoing sentiment: Attackers don't hack in, they log in."