Botnets & Info-Stealers: A View From the Hacker’s Eyes – Part 2
Over 5 million already infected devices and counting….
Recap of our first blog:
In our previous post, we provided a general overview of info-stealers and showed how an offer that is “too good to be true” can result in a full device compromise. Simply clicking on the wrong link can cost you browser-stored passwords, as well as additional sensitive information that can be abused by cybercriminals for nefarious purposes.
Through our partnership with Hudson Rock, the cybercrime intelligence company that has collected data from 5+ million compromised machines, Cyrus now informs customers whether their email address was involved in an info-stealer attack.
In this second of three blogs, Cyrus and Hudson Rock will reveal how the info-stealer threat looks from the hacker’s point of view — the spread of malware across different countries, the most affected online services in day-to-day sectors, and the effect the Work-From-Home era has on the use and spread of info-stealers.
Which regions do cybercriminals target?
To better understand which geographical regions are on cybercriminals’ radar, our teams poured over the data and found some interesting facts.
According to Hudson Rock, 15% percent of one million randomly selected, compromised devices belong to Americans.
In parallel, the Cyrus research team analyzed chatter in closed cybercrime communities and discovered that threat actors strongly prefer attacking wealthier countries over poorer ones.
In the heatmap below we can clearly see that the info-stealer campaigns are coming from different parts of the world. However, the hackers always prefer to first monetize Western regions like the U.S. and Europe.
Heatmap generated from the geolocations of 1,000,000 compromised computers worldwide
Let’s see the numbers:
After a device was successfully infected and the data was sent to a cybercriminal, it is then time to start checking the data for any hot commodities.
The higher the number of compromised accounts, the easier it is for cybercriminals to monetize them or use them for illicit activity. Down below you’ll see some examples of how malicious actors use this gathered information.
Now let’s dive into the data and see which companies and services were most affected in each sector. This will help us understand how your everyday accounts and services are in fact a treasure trove for an opportunistic hacker.
Financial Sector
Once a financial account has been taken over, the race for a money or cryptocurrency cash-out is on. As we can see, PayPal clearly leads the list: this reflects the underground methodology of researching and developing tools/tutorials for the most commonly used services. These compromised accounts can also be used to transfer funds in order to cover one’s tracks.
| Company | Total compromised devices |
| PayPal | 632,436 |
| Stripe | 16,413 |
| Coinbase | 79,731 |
| Binance | 59,545 |
| Bank of America | 12,173 |
Social Media
Mainstream social accounts are typically sold in bulk (for several U.S. dollars each) on the black market. An account with a detailed history looks much more genuine for spamming or influence campaigns than a new one. The accounts that belong to influencers or high-net individuals are subject to takeover attacks and ransom requests (usually starting at 500 USD).
| Company name | Total compromised devices |
| 1,950,718 | |
| 782,433 | |
| 736,531 | |
| 392,487 | |
| 129,097 |
Email Providers
Compromised email addresses are used to send spam and phishing emails via somebody else’s digital identity. This exploits the email recipient’s trust as they believe that the message comes from a legitimate contact.
As the info-stealer data below demonstrates, Gmail still dominates the email market, and therefore remains the provider with the most compromised devices. Basically, nobody is safe.
Tip of the day: Cyrus strongly advises activating 2FA (two-factor authentication) to minimize as much as possible the risks of an email account takeover.
| Company name | Total compromised devices |
| 2,494,219 | |
| Outlook | 1,578,503 |
| Yahoo | 350,924 |
| iCloud | 37,755 |
| Protonmail | 19,812 |
Online Marketplaces
Online marketplaces often suffer from account takeovers stemming from info-stealers. As a result, hackers use compromised, reputable eBay accounts in order to advertise fraudulent listings or even abuse Amazon accounts to reroute packages that victims ordered.
| Company name | Total compromised devices |
| Amazon | 645,894 |
| eBay | 152,735 |
| AliExpress | 197,821 |
| Shein | 17,664 |
| Alibaba | 75,838 |
Streaming Services
Stolen streaming account credentials are in high demand; they are put up for sale on dedicated underground forums and black markets for only a few U.S. dollars.
| Company name | Total compromised devices |
| Netflix | 742,142 |
| Twitch | 598,862 |
| Spotify | 377,638 |
| Disney Plus | 99,600 |
| Hulu | 59,391 |
How compromised work accounts skyrocketed in the WFH era
As “Work-From-Home” models gained popularity across the world due to COVID-19, the incidence of employees accessing sensitive corporate domains via their personal computers increased in tandem. For instance, some employees tend to use their work-related devices for personal needs, which can increase the odds of an info-stealer attack.
However, other employees are simply not familiar with cybersecurity protocols (or ignore them) and therefore utilize their personal computers to access their work environment or corporate network.
As we learned from the first blog, all the login credentials are always captured as clear-text passwords. This means that if you mix your work and your personal life on the same device and then fall prey to an info-stealer attack, the keys to your company’s network are gently dropped on the hacker’s table.
More advanced cybercriminals prefer not to focus on selling an additional 10,000 compromised Netflix accounts, and instead patiently wait until they find some juicy corporate access points that can then be sold in underground hacking communities. This is the inception of the next data breach or another more severe cybersecurity incident that will occur in the future.
Take your personal cybersecurity to the next level
Using the Hudson Rock cybercrime intelligence feed, Cyrus is able to determine which compromised links are affiliated with corporate accounts and can serve as sensitive corporate access points.
In the event you have been alerted to an info-stealer attack which involves your work-related accounts, we strongly advise you to immediately change your passwords and report this incident to your IT department.
In the screenshot below, our joint analysis shows the number of sensitive work-related login links belonging to Hewlett Packard. These were discovered in Hudson Rock’s cybercrime database.
For example, the first link leads to the corporate “File Transfer Service.” Do you really want your personal and work information to be easily available to malicious actors?
Corporate URLs accessed by compromised employees are used by threat actors for network takeovers
What can we learn?
- Hackers know how to extract financial, retail and social media account credentials from infected devices. They will first try to monetize those from the most developed countries.
- If you work from home or from any remote location, make sure you’re familiar with your employer’s cybersecurity policies and protocols. The best practice is to separate work and personal computers.
- The key to mitigating any potential cybersecurity incident is to continuously monitor your devices and to take action as soon as possible. Download Cyrus and activate our protection solutions.
In the final part of this three-part blog series, our teams will cover the time that it takes to discover an infection (this will surprise you!), as well as provide you with a comprehensive summary. We will even share insights from an ex-cyber criminal who is an expert in info-stealer attacks.
