Stealer-as-a-Service Attack Claims 50 Million User Passwords

Image of a pair of gloved hands resting on a laptop.
Cybercriminals use stealer-as-a-service software to steal user information and payment credentials.
Source: Unsplash

Group-IB, a cybersecurity company, has issued a press release reporting that 34 Russian cybercrime gangs have compromised 50-million accounts through a stealer-as-a-service scam. The scammers have stolen user passwords from sites like Steam and Roblox, and payment information and credentials from Amazon, PayPal, and cryptocurrency wallets. 

In total, the cybercriminals compromised over 890,000 devices in over 111 countries. Aside from looting passwords, the stealers also harvested over 2 billion cookie files, 113,204 crypto wallets, and 103,150 payment cards.

Under the stealer-as-a-service model, the cybercriminals primarily used Redline (23 groups) and Racoon (8 groups) software to obtain user information. While three groups used custom software. 

The attackers communicated in Russian on Telegram groups, and mainly targeted users in the US, Brazil, India, Germany, and Indonesia.

How Do Stealer-as-a-Service Scammers Operate?

Stealer-as-a-service is a progression from a popular scam known as Classiscam, which Group-IB’s Computer Emergency Response Team first identified in 2019. During the pandemic, in 2020, classiscam activity peaked due to high demand for digital services. 

While the two scamming models differ, they’re similar administratively. 

The administrators at the top of the chain provide malware to the lower-ranking malware scammers, in exchange for stolen information or financial rewards. The lower-ranking cybercriminals drive individuals to fake websites of well-known organizations, where they get them to download the malware. 

But despite the scale of the attack, it is not overly technical or specialized in its approach.   

According to the Group-IB’s Emergency Response Team:

“The popularity of schemes involving stealers can be explained by the low entry barrier. Beginners do not need to have advanced technical knowledge as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and drive traffic to it. For victims whose computers become infected with a stealer, however, the consequences can be disastrous.”

The Corporatization of Cybercrime 

Information-stealing software is rented out on the dark web for between $50 – $150. Redline and Racoon are both high-end information-stealing software. Stealer-as-a-service and other models like it (such as ransomware-as-a-service) even come with customer support, guides, and other assistive services. 

The image shows a hooded man, wearing glasses, sitting in front of a laptop, holding a phone in his left hand while his right hand rests on the keyboard.
Cybercriminals use messaging channels, like Telegram, to launch organized attacks against businesses
Source: Pexels

Cybercriminals provide the malicious software, run extortion and payment systems, and even manage the reputation of the brand. To reduce their exposure, experienced cybercriminals will hire affiliates on generous commissions to deploy their ransomware/spyware/malware in user devices. 

This is where they’ll use Telegram and other less-regulated messaging platforms to enforce their administrator/worker model. During these scam operation, experienced cybercriminals oversee their teams’ operations through the messaging platforms. 

In other words, stealer-as-a-service operates under the guise of professionalism. Branding their services gives the cybercriminals a “good reputation” as an “effective hacking service”. 

Professional cybercriminal groups design and develop entire malware packages, which are usually inspired from previously successful heists. 

Cybercrime Packages for All

Of course, free-to-use and -download malware packages, targeting vulnerable networks and requiring little programming knowledge, are abundant. 

But, mass theft packages are more sophisticated and the loot from these attacks is sold for a lot more. For example, a loot of 50 million compromised passwords sells for $5.8 million on the dark web. 

Recently, in one of the UK’s largest ever spoofing frauds, scammers spoofed over 70,000 British people using services from the iSpoof website. Scammers paid a subscription to use iSpoof’s technology that let them impersonate as employees from Barclays, Santander, NatWest and Nationwide banks. 

Authorities from Europol and other international agencies were able to take down the spoofing site after a counter fraud operation, but not before they’d scammed 50 million pounds from unsuspecting victims. 

Protecting Yourself From Info Stealers

The image shows a screen with the hand cursor pointing at the word 'security,' which is written in blue.
Scammers used iSpoof website’s services to scam 50 million pounds from unsuspecting users in the UK.
Source: Pexels

As is evident from the story of iSpoof and similar spoofing attacks, it’s easy to replicate websites of well-known organizations. However, consumers continually fall for the same scams despite the fact that security recommendations against these types of attacks exist. 

In a spoofing attack, a fake website impersonates a well-known company to give itself a veneer of credibility. Scammers will embed links to such websites into YouTube gaming reviews and lotteries on social media, or share them directly with NFT artists. 

Since these scam-as-a-service attacks are a continuation of the Classiscam model, experts recommend verifying sites with a HTTPS header and being aware how these hacking agencies operate.  

Network Security for SMBs

Business owners will need to train their employees to avoid stealer-as-a-service attacks. One surefire way to prevent these is by limiting downloadable files on the network to a reapproved list. Additionally, employers can prevent users from downloading malware files. 

The following are the top recommendations for business owners to prevent such attacks:

  • Avoid downloading from suspicious sources
  • Avoid clicking on links from instant messaging applications 
  • Checking HTTP source headers 
  • Using isolated virtual machines or alternative operating systems for installation 
  • Avoid saving passwords in browsers 
  • Clearing cookies regularly 

Business owners need a proactive approach to network security. Moreover, they can use software to automate the above procedures, which will eliminate the possibility for employees to make mistakes.

Web filtering in the workplace can reduce malware risk by 32%. Web filtering greatly enhances business network security by restricting certain sites on your network.  

Related to web filtering in the workplace is email engineering. The business email compromise (BEC) is still one of the easiest and more profitable types of scams for cybercriminals. During this type of a scam, scammers will entice the employees to download malware and give up sensitive company information. 

In this regard, companies need to regularly scan and protect the business network with a dedicated provider. Since scams become potentially more damaging with time, it’s better that companies identify them sooner. 

Lastly, many firms would do better to evolve their network security practices with time. A static approach to network security, in the face of more sophisticated malware attacks, will only lead to reaping severe consequences.  

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top