These cybercriminal groups have siphoned off more than 50 million passwords


Russian-speaking gangs targeting Amazon, PayPal, Steam and other accounts stole more than 50 million passwords in the first half of 2022 alone, along with banking information, cryptocurrency wallet data and other sensitive information. Detailed by researchers at the cybersecurity firm Group-IB, this password-stealing campaign is attributed to 34 different Russian-speaking cybercriminal groups involved in distributing malware.

2.6 million compromised passwords in France

The attacks affected users living in the United States, Brazil, India, Germany and Indonesia. In France, Group-IB counted just over 13,000 infected devices over the last 10 months of 2021, then around 30,000 for the first part of 2022. According to the company's estimates, this allowed the compromise of more than 2.6 million passwords in France, the seventh most targeted country in these campaigns.

The cybercriminals, who relied on the Raccoon and Redline stealers, two malware families specialized in information theft, have infected more than 890,000 devices worldwide and stolen more than 50 million passwords in total. The most commonly stolen passwords are for PayPal accounts, followed by Amazon, Steam, Roblox, and Epic Games accounts. According to the cybersecurity firm, information relating to 103,000 bank cards and 113,000 crypto wallets was also stolen. In total, Group-IB estimates, this is a haul that could be resold for 5.8 million dollars on underground forums.

Sites usurping the name of well-known companies

For the researchers, these password theft campaigns were organized from Telegram channels. They identified 34 active groups with around 200 members each. The modus operandi is well documented. First, operators are responsible for directing web traffic to sites impersonating known companies, in order to convince victims to download malicious files.

Cybercriminals, for example, embed links to download malware in reviews of popular games or social media sweepstakes. According to Group-IB, cybercriminals also rely on file-sharing sites and social media takeovers to disseminate malware.

The stealers themselves, sold on a rental basis, lower the barrier to entry for this type of scam. “Beginners don’t need to have advanced technical knowledge, as the process is fully automated,” notes Group-IB’s Digital Risk Protection team in a blog post.

Raccoon and Redline

Raccoon stealer is the most used malware in these password attacks. While not very sophisticated, it has been very successful for years and is usually distributed via botnets that send phishing emails.

The Redline password stealer, available since 2020, is also popular among attackers because it is cheap and easy to use. Redline is usually distributed through phishing messages with malicious attachments designed to exploit unpatched vulnerabilities in applications.

Once the victims are infected, cybercriminals can gain access to passwords, bank details and even cryptocurrency wallets. This is a very damaging type of theft for those affected, who may discover too late that their accounts have been emptied or used to make fraudulent purchases.

To avoid falling victim to these cybercriminals, Group-IB researchers recommend not downloading software from suspicious or unknown sources, not saving passwords in your browser, and regularly clearing cookies. Enabling two-factor authentication also makes unauthorized access to an account more difficult.

Source: ZDNet.com