Botnets & Info-Stealers: Conclusion – Part 3
Everything that has a beginning has an end
In this last part of this three-series blog, our teams will summarize the major takeaways from our joint research and provide you with some actionable recommendations.
Moreover, the Cyrus team managed to discover a recent and unique interview with a Russian info-stealer ex-cybercrime gang leader. Prior to the gang’s arrest, his team was in charge of targeting end-users and stealing their YouTube channels using info-stealer campaigns. We translated the whole interview and will share the main insights with you.
It is all about the timing
According to Hudson Rock, once the data is received, it takes minutes for it to be parsed and integrated. It takes between 2-3 days until the data is indexed by their system and since this point, Cyrus has momentary access to this.
it is important to note that Hudson Rock receives the data at the exact same time that threat actors obtain it to perform data breaches and account takeovers so while it normally takes 2-3 days between the time a computer gets compromised to when it’s indexed, this is just due to the time it takes the threat actor to begin selling the data.
Why is this important for you? Cybercriminals work with tons of data and it takes time to sort and monetize the compromised credentials. It is much easier for us to protect you once we have the data than it is for them to attack.
Even if the detection happened only 2-3 days later – there is still a priceless time window to act and secure your device.
Need some assistance with making sure that you’re safe? Reach out to our customer care service and schedule a 15 minutes call with an expert.
4 tips on how to practice proper cyber-hygiene
- Inspect incoming emails
Before clicking on the link or opening a file always evaluate the potential risk. We learned that “too good to be true” offers may end with malicious content.
If you received an email with an immediate and “pressing” call to action – double-check the sender’s email address. None of any official companies or services will email you from gmail.com or yandex.ru addresses.
Info-stealers are typically sent through attachments you need to download so be wary of downloading and executing files you weren’t expecting.
However, if you still have a gut feeling that something is wrong with the email content, don’t do anything even if it was received from a person that you know (simply because his/her account was potentially hacked and now serves for spam/scam delivery)
- Download software from trusted sources
Don’t rely on any unofficial source. Always obtain legal software from the vendor’s official website or trusted application stores like AppStore or Google Play.
Sources that offer you a 95% discount that is valid only for the next 10 minutes is a red flag for you.
Our teams strongly recommend against using sites and forums that are known for sharing pirated content that is downloadable using torrents. Hudson Rock’s practice shows that the chance to download a file from the torrent network that is merged with an info-stealer is extremely high.
- Activate and enforce 2FA on every possible service
Adding an additional layer of authentication will significantly increase your personal security level. This step will take you only a few extra seconds, but will turn into an extremely major fence to threat actors.
Cyrus’ research team analyzed several underground sources and got a clear picture that the majority of hackers will drop trying to hack into an account that has an additional level of authentication.
Our tip is always to stick to reputable authentication apps like “Google Authenticator” rather than using SMS messages. - Monitor your digital exposure
Let the rest of the work do the professionals. Download Cyrus and activate all pro-active monitoring features that include unmatched visibility to Hudson Rock’s over 5 million compromised devices. Aren’t you curious to know if you are there?
Are you a YouTube channel owner? Read this
By now, Cyrus and Hudson Rock shared with you our own expertise in the info-stealers world. However, now we invite you to a glimpse into an interview between two ex-cybercriminals that discussed how the info-stealer attacks are used to take-over YouTube accounts.
“It’s always much easy to exploit the end-user and trick them instead of trying to hack the company itself like Google” – citation of a cybercrime gang leader that managed a team focused on malware distribution.
The fact that there is an organized gang with leaders, shift managers, regular “employees”, financial specialists, and malicious software developers is like a final stamp that shows you how big the info-stealer threat is.
The gang was sending hundreds of emails to YouTube channel owners with invites to an unbelievable “partnership” opportunity. In more special cases, the dedicated shady analysts’ team was preparing a tailored offer based on an analysis of previous YouTube channel owner partnerships.
In most cases, the offers were baked with fake documents that will increase users’ trust. The common attack vector was to offer an anti-virus software that will make the channel owner “safer”, but in fact, the installation file was merged with info-stealer and done absolutely the opposite of protecting.
According to the ex-cybercriminal, in western countries, it’s common that the influencer channels are managed by a dedicated social media manager. Typically, those managers are responsible for up to 10 YouTube channels. When this cybercrime gang had a “lucky day”, they managed to hack one manager and through him/her get access to all the channels under his/her responsibility.
Info-stealer a Mac computers
Nothing is 100% perfect. Info-stealers are made to target as many audiences as they can and Microsoft Windows is still the most popular operating system in the world. Thus, they were designed to attack Windows devices and not Mac computers.
However, if the gang member recognizes that the potential victim uses a Mac device and it is worth compromising his/her credentials – the victim will be tricked into executing the infected file on a Windows device while logged in to all targeted accounts.
The credentials life after infection
Typically the hacked YouTube channel can be resold on the black market for 500$. The gang member (in the cybercrime jargon – the worker) who managed to successfully trick and infect the end-user may get between 30%-40% of the black market’s price as a profit.
The “new” owner of the channel will try to monetize it as fast as possible. Ex-cybercriminal shared that it’s usually done with the following techniques:
- Starting live streams with crypto scams. Send “us” 1 bitcoin, and tomorrow will give you 2. Different people still continue to fall into this trap even in the middle of 2022.
- Adding casino ads, links to attract traffic to third-party sources.
- Cashing out YouTube AdSense (money from ads) profits by unfreezing them using an intentional channel block. This is done by uploading porn content to the channel that will trigger channel lock and unfreeze AdSense balance.
Hudson Rock’s company domain search tool indicates that there over tens of thousands of compromised youtube credentials originating from computers infected with info-stealers, you can check any domain for free – https://www.hudsonrock.com/are-you-compromised
Final words
Our teams believe that this joint research opened your eyes to this threat and now you have information on how to protect yourself against info-stealer attacks.
Download the Cyrus application and get comprehensive personal cybersecurity & identity protection for your email accounts, financial assets, and personal devices.
Visit the Hudson Rock website to explore various cybercrime intelligence solutions.
