International Finance Magazine
Technology

New infostealers target major global businesses

The RedLine and META infostealers targeted millions of victims worldwide, making them two of the largest malware platforms globally

In November 2024, millions of customers of the American pop culture merchandise and clothing retailer “Hot Topic” were notified that their data had been compromised in a data breach. The breach notification service “Have I Been Pwned” (HIBP) alerted 57 million affected individuals about the compromise of their data.

According to HIBP, the breach occurred on October 19. On October 21, a threat actor operating under the alias “Satanic” claimed responsibility. In a post on the cybercrime forum BreachForums, Satanic claimed to have stolen 350 million user records from Hot Topic and its affiliated brands, Box Lunch and Torrid.

According to a report by cybersecurity firm Hudson Rock, the hacker initially attempted to sell the database for $20,000 and demanded a $100,000 ransom from Hot Topic to take down the information. When TechCrunch accessed a post on BreachForums, Satanic was seen offering the database for $3,500.

The menace called infostealing

As per Check Point Software’s October 2024 Global Threat Index, cybercriminals are leveraging increasingly sophisticated attack methods, including the strategic deployment of infostealers. The report also flagged the ‘Lumma Stealer’ malware, which is spread through phishing and cracked game downloads and uses fake CAPTCHA pages that instruct the visitor to paste a clipboard-loaded command into the Windows Run dialog, so the victim installs the malware themselves. Lumma has surged to fourth place in Check Point’s monthly global malware rankings. Once installed, it exfiltrates stored credentials and other sensitive data, underscoring the effectiveness of today’s infostealers.

The report revealed that a new version of ‘Necro’ has moved up to the second position in the mobile malware rankings for October. This malware is embedded in popular applications, including game mods available on Google Play, and has affected over 11 million devices. It employs obfuscation techniques to evade detection and uses steganography, hiding its payloads inside innocuous-looking files so that they pass casual inspection.

Then there is “Glove Stealer,” a malware that can bypass Google Chrome’s Application-Bound (App-Bound) encryption to steal browser cookies. Gen Digital security researchers, who first spotted the malware while investigating a recent phishing campaign, said the information-stealing malware is “relatively simple and contains minimal obfuscation or protection mechanisms,” indicating that it’s very likely in its early development stages. The bypass is not free, however: according to the researchers, the malware needs local administrator privileges to invoke Chrome’s own elevation service and recover the App-Bound key, so a stealer running as an ordinary user does not get past the protection.

The Glove Stealer .NET malware can extract and exfiltrate cookies from both Firefox and Chromium-based browsers, such as Chrome, Edge, Brave, Yandex, and Opera. It can also steal cryptocurrency wallets from browser extensions, 2FA session tokens from authenticator tools such as those of Google, Microsoft, Aegis, and LastPass, and password data from Bitwarden, LastPass, and KeePass. Additionally, it can access emails from mail clients like Thunderbird.

But that’s not all. Cybercriminals are deploying a new information-stealing malware on Windows systems that employs the “Bring Your Own Vulnerable Driver” (BYOVD) technique: a legitimately signed but vulnerable driver is loaded and abused to gain elevated privileges, after which the malware extracts victims’ browser data, software information, credit card details, and other system data.

Kaspersky, the global cybersecurity company, has recorded over 11,000 attack attempts in the past three months across several countries, including Russia, China, India, Brazil, and Mexico. The malware is also equipped with a crypto-mining module, which exploits the computing resources of infected systems.

Let’s explore the vast cybercrime industry that thrives on information-stealing attacks, targeting large businesses and posing a significant threat to the global economy.

A dark mess

According to award-winning investigative journalist Joseph Cox, on October 20, a hacker who calls themselves Dark X said they logged in to a server and stole the personal data of 350 million Hot Topic customers. The following day, Dark X listed the data for sale on an underground forum. The day after that, Dark X said Hot Topic kicked them out.

“Dark X told me that the apparent breach, which is possibly the largest hack of a consumer retailer ever, was partly due to luck. They just happened to get login credentials from a developer who had access to Hot Topic’s crown jewels. To prove it, Dark X sent me the developer’s login credentials for Snowflake, a data warehousing tool that hackers have repeatedly targeted recently. Alon Gal from cybersecurity firm Hudson Rock, which first found the link between infostealers and the Hot Topic breach, said he was sent the same set of credentials by the hacker,” Cox wrote in Wired, after corresponding with the threat actor.

“The luck part is true. But the claimed Hot Topic hack is also the latest breach directly connected to a sprawling underground industry that has made hacking some of the most important companies in the world child’s play,” he added.

In July 2024, hackers broke into a cloud platform used by AT&T and downloaded call and text records of “nearly all” of AT&T’s cellular customers over a several-month period. In the same month, American ticket sales and distribution company Ticketmaster witnessed a similar incident, in which the hacking group that breached the company released new data that they said could be used to create more than 38,000 concert tickets nationwide, including to sought-after shows like Olivia Rodrigo, Bruce Springsteen, Hamilton, Tyler Childers, the Jonas Brothers, and Los Angeles Dodgers games.

The data would allow someone to create and print a ticket already sold to someone else, leaving Ticketmaster and venues to sort out which tickets belong to legitimate buyers and which do not. A month prior, American luxury retailer Neiman Marcus confirmed a data breach after hackers attempted to sell the company’s database, stolen in the recent Snowflake data theft attacks, impacting 64,472 people.

As Cox notes, these were not isolated incidents. They are products of an infostealer ecosystem in which pillaging the passwords and session cookies stored in victims’ browsers has become the standard entry point for breaking into corporations.

“There are Russian malware coders continually updating their code; teams of professionals who use glitzy advertising to hire contractors to spread the malware across YouTube, TikTok, or GitHub; and English-speaking teenagers on the other side of the world who then use the harvested credentials to break into corporations. At the end of October, a collaboration of law enforcement agencies announced an operation against two of the world’s most prevalent stealers. But the market has been able to grow and mature so much that now law enforcement action against even one part of it is unlikely to make any lasting dent in the spread of infostealers,” he wrote.

How the ecosystem works

Online publication 404 Media mapped out the infostealing ecosystem by interviewing malware developers, tracking the hackers who use the stolen credentials, and reviewing the manuals that instruct recruits how to spread the malware. What it found is a supply chain in which an innocent-looking download can end in a data breach at a multibillion-dollar company, and in which Google and other tech giants are locked in an ever-escalating cat-and-mouse game with the malware developers to keep people and companies safe.

The infostealer ecosystem starts with the malware itself. Dozens of these exist, with names like Nexus, Aurora, META, and Raccoon. The most widespread infostealer is one called RedLine, according to cybersecurity firm Recorded Future. As per Cox, having a prepackaged piece of malware also dramatically lowers the barrier to entry for a budding new hacker. The administrator of LummaC2, which Recorded Future says is in the top 10 of infostealers, told the investigative journalist that it welcomes both beginner and experienced hackers.

“Initially, many of these developers were interested in stealing credentials or keys related to cryptocurrency wallets. Armed with those, hackers could empty a victim’s digital wallets and make a quick buck. Many today still market their tools as being able to steal Bitcoin and have even introduced OCR to detect seed phrases in images. But recently those same developers and their associates figured out that all of the other stuff stored in a browser—passwords to the victim’s place of work, for example—could generate a secondary stream of revenue,” Cox wrote.

“Malware developers and their clients have realised that personal and corporate credentials, such as login details for online accounts, financial data, and other sensitive information, hold substantial value on the black market,” RussianPanda, an independent security researcher who follows infostealers closely, told 404 Media, while adding, “Infostealer creators pivoted to capture this information too.”

As per 404 Media, “The exhaust from cryptocurrency-focused heists has created an entirely new industry in its own right that is causing even more destruction across healthcare, tech, and other industries.”

The operators who run the stealers then sell the harvested credentials and cookies, bundled as “logs,” via bots on Telegram. What is known to most of us as a messaging app becomes the marketplace for these teams: the entire process, from listing a batch of stolen logs to paying for it, is automated through Telegram bots.
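What a buyer of such logs, or a defender checking whether their company appears in them, actually works with is a plain-text credential dump. The following is an added example, not code from the article or from any of the firms it cites, of the triage a security team runs over a purchased or leaked log to spot the kind of exposure described in the Hot Topic case above: a corporate identity, a watched corporate host, or a Snowflake tenant login. It assumes the “URL: / Username: / Password: / Application:” block layout that many stealer families write to their Passwords.txt; the sample log, user names, and domains below are constructed for the example.

```python
"""Triage a stealer-log password dump for corporate credential exposure.

Added example. Assumes the "URL:/Username:/Password:/Application:" block
layout (records separated by blank lines). SAMPLE_LOG is constructed; the
domains and accounts in it are invented.
"""
from urllib.parse import urlsplit

SAMPLE_LOG = """\
URL: https://accounts.google.com/signin
Username: john.doe@gmail.com
Password: hunter2
Application: Google Chrome

URL: https://ab12345.snowflakecomputing.com/console/login
Username: jdoe
Password: Summer2024!
Application: Microsoft Edge

URL: https://git.example-corp.com/
Username: jdoe@example-corp.com
Password: Summer2024!
Application: Google Chrome

URL: https://shop.example-store.test/login
Username: jdoe
Application: Brave
"""


def parse_blocks(text):
    """Split the dump into records; each record is a dict with lowercase keys.
    Only the first ':' on a line separates key from value, so URLs survive."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def host_of(url):
    """Hostname of a URL, lowercased; '' if the URL is unparseable."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_watched(host, watch_domains):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watch_domains)


def triage(text, watch_domains, corp_email_domains):
    """Return (findings, reused).

    findings: records that touch a watched host, a corporate e-mail identity,
              or any Snowflake tenant (the developer-credential scenario).
    reused:   password -> sorted hosts, for passwords seen on 2+ hosts, since a
              password captured on a personal site often unlocks the work one.
    Records without a captured password are kept out of the reuse map.
    """
    findings, by_password = [], {}
    for rec in parse_blocks(text):
        host = host_of(rec.get("url", ""))
        user = rec.get("username", "")
        pw = rec.get("password")
        reasons = []
        if is_watched(host, watch_domains):
            reasons.append("watched-host")
        if host.endswith(".snowflakecomputing.com"):
            reasons.append("snowflake-tenant")
        if "@" in user and user.rsplit("@", 1)[1].lower() in corp_email_domains:
            reasons.append("corporate-identity")
        if pw:
            by_password.setdefault(pw, set()).add(host)
        if reasons:
            findings.append({"host": host, "user": user, "reasons": reasons})
    reused = {pw: sorted(h) for pw, h in by_password.items() if len(h) > 1}
    return findings, reused


if __name__ == "__main__":
    hits, reuse = triage(SAMPLE_LOG, {"example-corp.com"}, {"example-corp.com"})
    for hit in hits:
        print(hit)
    print("password reuse across hosts:", reuse)
```

On the constructed sample this flags the Snowflake tenant login and the corporate Git host, and reports that the same password was captured for both, which is exactly the situation a stolen developer log creates. The personal Gmail entry is left alone, and the record with no captured password is tolerated rather than crashing the parse.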

In July 2024, Google Chrome rolled out an update, Application-Bound encryption, designed to lock applications other than Chrome, including malware, out of its cookie data: the key that protects the cookie store is no longer recoverable by any program running as the logged-in user, but only through a Chrome service running with higher privileges. For a moment, Chrome had the upper hand against the infostealers. Some malware developers made their grievances known more explicitly. In one update, a pair of infostealers included the phrase “ChromeF**kNewCookies” in their malware’s code.
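The change is visible on disk, which is what an incident responder looking at a copied profile wants to know: are these cookies the kind a user-level stealer could have read? The following is an added example, not Chromium code or code from Google. It relies only on the on-disk markers: Chrome’s Local State JSON keeps the DPAPI-wrapped AES key under os_crypt.encrypted_key (decoded bytes begin with DPAPI) and, once App-Bound encryption is in use, an elevation-service-wrapped key under os_crypt.app_bound_encrypted_key (decoded bytes begin with APPB); each cookie’s encrypted_value starts with v10 (old scheme, key recoverable by any process in the user’s session) or v20 (App-Bound key). The code decrypts nothing; the sample Local State and cookie blobs are constructed, and the byte contents after the prefixes are arbitrary filler, not real key material.

```python
"""Report which key-protection scheme a Chrome profile's cookies rely on.

Added example, not Chromium or Google code. Reads only on-disk markers:
  Local State: os_crypt.encrypted_key            -> base64, bytes start "DPAPI"
               os_crypt.app_bound_encrypted_key  -> base64, bytes start "APPB"
  Cookies.encrypted_value: "v10" prefix (DPAPI-wrapped key) or "v20" (App-Bound)
Both blob formats are prefix(3) + nonce(12) + ciphertext + GCM tag(16).
All sample data below is constructed; the filler bytes are not real keys.
"""
import base64
import json

DPAPI_PREFIX = b"DPAPI"
APPB_PREFIX = b"APPB"
NONCE_LEN, TAG_LEN = 12, 16


def key_scheme(b64):
    """Classify a Local State key field by its prefix; None if absent."""
    if not b64:
        return None
    raw = base64.b64decode(b64)
    if raw.startswith(APPB_PREFIX):
        return "app-bound"
    if raw.startswith(DPAPI_PREFIX):
        return "dpapi"
    return "unknown"


def parse_local_state(text):
    """Return the scheme of each of the two key fields from Local State JSON."""
    os_crypt = json.loads(text).get("os_crypt", {})
    return {
        "dpapi_key": key_scheme(os_crypt.get("encrypted_key")),
        "app_bound_key": key_scheme(os_crypt.get("app_bound_encrypted_key")),
    }


def parse_cookie_blob(blob):
    """Split an encrypted_value into version/nonce/ciphertext/tag.
    Raises ValueError for unknown versions or blobs too short for the layout."""
    version = blob[:3].decode("ascii", "replace")
    if version not in ("v10", "v20") or len(blob) < 3 + NONCE_LEN + TAG_LEN:
        raise ValueError("not a Chrome v10/v20 cookie blob")
    body = blob[3:]
    return {"version": version, "nonce": body[:NONCE_LEN],
            "ciphertext": body[NONCE_LEN:-TAG_LEN], "tag": body[-TAG_LEN:]}


def triage_profile(local_state_text, blobs):
    """Count cookies per scheme and decide whether a same-user process could
    have read them: any v10 cookie, or a profile with no App-Bound key at all,
    is readable with CryptUnprotectData alone; v20 needs Chrome's elevation
    service (i.e. admin rights, as the Glove Stealer bypass requires)."""
    keys = parse_local_state(local_state_text)
    counts = {"v10": 0, "v20": 0, "invalid": 0}
    for blob in blobs:
        try:
            counts[parse_cookie_blob(blob)["version"]] += 1
        except ValueError:
            counts["invalid"] += 1
    exposed = counts["v10"] > 0 or keys["app_bound_key"] != "app-bound"
    return {"keys": keys, "cookies": counts, "user_level_readable": exposed}


# --- constructed sample data (not a real profile) ---
def make_key_field(prefix, n):
    """Base64 of prefix + n filler bytes, mimicking a Local State key field."""
    return base64.b64encode(prefix + bytes(range(n))).decode()


SAMPLE_LOCAL_STATE = json.dumps({"os_crypt": {
    "encrypted_key": make_key_field(DPAPI_PREFIX, 40),
    "app_bound_encrypted_key": make_key_field(APPB_PREFIX, 48),
}})
SAMPLE_BLOBS = [
    b"v20" + bytes(12) + b"\x11" * 20 + bytes(16),  # App-Bound cookie
    b"v10" + bytes(12) + b"\x22" * 9 + bytes(16),   # old-scheme cookie
    b"v20" + bytes(5),                                # truncated junk
]

if __name__ == "__main__":
    print(triage_profile(SAMPLE_LOCAL_STATE, SAMPLE_BLOBS))
```

A profile that reports user_level_readable as False is one a pre-July-2024 stealer, or any stealer running without elevation, could not have harvested cookies from; one with a stray v10 cookie, or with no app_bound_encrypted_key at all, still offers the old attack surface. The same prefix check works on a Cookies SQLite file pulled from a suspect host, since the blobs are read straight from the encrypted_value column.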

“It’s a little bit of a cat and mouse, but we think that this is a game that we want to play as much as we can if the outcomes remain positive. We want to protect users, obviously, as much as we can,” Will Harris, staff software engineer on Google Chrome, told Cox.

However, the fight is not that easy when it comes to securing Chrome itself and keeping more data out of the infostealers’ reach. Tech giants, especially Google, have to practise “disruption”: researchers track the stealers’ evolving techniques as they change and respond with countermeasures that shrink the set of tools available to the malware developers.

“Releasing updates one by one on a regular basis, rather than all at once, can also disrupt the malware developers. Instead of the criminal coders knowing what they need to fix all in one go, they can never be quite sure what Google is going to clamp down on next, wasting more of their time,” wrote Cox.

“After one update, a lot of the customers of a stealer were extremely upset, and they [the malware makers] had to work nights on coming up with a bypass,” Harris said, while adding that one stealer, called Vidar, increased the cost of its tool too. The staff software engineer on Google Chrome also pointed specifically to Microsoft Windows to explain his point.

“When you compare Windows with, say, Android, or ChromeOS, or even macOS, those platforms have this strong application isolation. Meaning, that malware has a harder time stealing data from other parts of the system. We noticed on Windows, which was obviously a major platform for us, that these protections didn’t exist,” Harris noted.

A dazzling recruitment drive

Any prolific ecosystem thrives on an equally good recruitment drive. This is what Cox wrote about how the universe of infostealers gets new people onboard, “With electronic rap music playing in the background, a man stretches his hands forward and leans back into a chair. The camera pans around their alleged apartment: huge floor-to-ceiling windows in a large dining room, wood-panelled floors, and a funky chandelier. In another shot, the man opens a laptop, types away, and then takes a sip of what looks like w****y. The implication: This could be you if we work together. This is one of a dizzying number of adverts on an underground forum called Lolz where ‘traffers’ (organised cybercrime workers responsible for redirecting victims’ traffic to malicious content operated by others) gather to look for new recruits.”

Most of the recruitment in the “traffers” section is aimed at onboarding “contractors” who can spread the malware or bring in traffic, with teams vying for attention in a crowded marketplace. Each tries to one-up the other with outrageous advertising and branding. They use names such as “Billionaire Boys Club,” “Baphomet,” and “Chemodan.” The adverts include animated GIFs of computer-generated luxury cars or private jets. Another, for “Cryptoland Team,” shows a knight in armour looking down at a skeleton in a hood writing on parchment paper.

“Each team’s ad lists the brand of infostealers its members use, what split of the profits a collaborator can expect, and whether they allow an associate to take any extra exfiltrated logs. And most explicitly say that anyone they work with is prohibited from targeting the Commonwealth of Independent States (СНГ), or former members of the Soviet Union, which includes Belarus, Ukraine, and Russia. Collaborators then leave reviews and screenshots proving they’ve made money working with the team,” Cox wrote.

Many of these teams accept new applications through their own Telegram bots. Some require applicants to have prior experience, but the bar is often low: 404 Media got through the application process for two traffer teams by answering a few basic questions. The bots then provided links to the respective teams’ manuals, which outline how to spread the malware.

One manual from Baphomet recommends bundling the stealer into cheating software for Roblox. It then describes how to set up a YouTube video advertising the cheat, and by extension helps propagate the malware.

Another advert from a traffic team claims to work with TikTok, Telegram, Instagram, Twitter, Facebook, YouTube, YouTube Shorts, email newsletters, bloggers, and influencers. Many of the teams’ manuals reflect this and recommend distributing infostealers via other social media sites, or point to GitHub as an effective distribution channel.

In October 2024, a global operation supported by Eurojust (European Union Agency for Criminal Justice Cooperation), known as Operation Magnus, led to the takedown of infostealer servers. The infostealers, RedLine and META, targeted millions of victims worldwide, making them two of the largest malware platforms globally. An international coalition of authorities from the Netherlands, the United States, Belgium, Portugal, the United Kingdom and Australia shut down three servers in the Netherlands, seized two domains, unsealed charges in the United States and took two people into custody in Belgium.

Will the news send any shockwave through the world of infostealing? Probably not, unless such coordinated global law enforcement operations become the new normal, in step with the efforts of the tech giants to keep researchers on the stealers’ evolving techniques and to keep shipping countermeasures.
