
Stop Infostealers Now: A Critical Security Alert

Summary

– Infostealers are fueling the current ransomware wave, with stolen data logs available for as little as $10 on dark web marketplaces.
– Since the early 2000s, infostealers have evolved from basic keyloggers to sophisticated tools that extract cryptocurrency and expand criminal markets.
– Tony Gee recommends six specific technical controls to defend against infostealers, as basic security measures alone are insufficient.
– Key defenses include regular password changes, FIDO2-enabled MFA, forced authentication, and shortening session token lifespans.
– Additional measures involve implementing cookie replay detection and monitoring for suspicious travel patterns in user connections.

A critical security alert is sounding across the digital landscape, driven by the escalating threat of infostealers. These malicious programs are fueling the current ransomware surge, with stolen data logs available for purchase on dark web marketplaces for as little as ten dollars. At the recent ISACA Europe 2025 conference, Tony Gee, a principal cybersecurity consultant at 3B Data Security, emphasized the urgent need for organizations to implement tactical defenses against these pervasive threats.

The evolution of infostealers traces back to the early 2000s, when keyloggers like Zeus and SpyEye became common tools for cybercriminals seeking initial access to systems. By the early 2010s, a new generation of infostealers, including Vidar, Trickbot, and Emotet, emerged with enhanced capabilities like cryptocurrency extraction. Today, the market is flooded with diverse infostealer families boasting various features, though LummaC2 and Redline continue to dominate the field. Stealer logs, the harvested data these programs produce, are now a cheap commodity on Russian-language dark web platforms, according to Gee’s research.

Gee stressed that while foundational security practices are essential, they are insufficient on their own. Basic measures include adopting a zero trust architecture, enforcing strong password policies, maintaining robust network segmentation, and providing comprehensive security awareness training. To effectively counter infostealers, he proposed six specific technical controls organizations should adopt.

Regular password changes, while sometimes inconvenient for users, serve as a powerful defense. By updating credentials frequently, the passwords exposed in stolen logs become obsolete before attackers can exploit them. Gee explained that this simple step neutralizes the value of the stolen data by the time a threat actor attempts to use it.

FIDO2-enabled multifactor authentication (MFA) received a strong recommendation from Gee, particularly for accounts with administrator privileges. This technology significantly raises the barrier for attackers, preventing them from gaining access even when they possess comprehensive user logs stolen by infostealer malware.

The forced authentication process requires employees to re-authenticate whenever they attempt to access sensitive areas within company systems or online services. This policy disrupts attackers who might otherwise use stolen session cookies to move freely across a network, forcing them to navigate multiple authentication hurdles.

Gee also advised organizations to implement shorter session token expiration times. Reducing the lifespan of authentication tokens enhances security, especially in bring-your-own-device (BYOD) environments. He cited one company that mandates all cookies expire daily, a policy that, while potentially annoying for users, substantially boosts security.

Another critical measure is cookie replay detection on corporate browsers. This security mechanism identifies and blocks fraudulent attempts to reuse stolen or intercepted session cookies. By analyzing cookie usage patterns, timestamps, and unique identifiers, it ensures cookies are only used within their intended context, preventing unauthorized access.
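The two controls just described, a short cookie lifetime and replay detection, can be illustrated together. The following is an added example, not code from the article or from 3B Data Security: a small in-memory session store that binds each cookie to the client context it was issued to (an assumed fingerprint of source IP and user agent) and enforces a one-day lifetime, matching the daily-expiry policy Gee cited. A cookie presented from a different context is treated as a replay and revoked; a cookie older than the lifetime is rejected regardless of who presents it. All names, policy values and client details are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy value: one-day cookie lifetime (the daily-expiry policy from the article).
MAX_COOKIE_AGE_SECONDS = 24 * 60 * 60


def _context_fingerprint(client_ip: str, user_agent: str) -> str:
    """Hash of the client context a cookie was issued to.

    Assumed binding for this example: source IP plus user agent. Real deployments
    may bind to a device certificate or a browser-held key instead."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    """In-memory session table: cookie value -> issuing context and issue time."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the example is deterministic
        self._sessions = {}

    def issue(self, username: str, client_ip: str, user_agent: str) -> str:
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {
            "user": username,
            "fingerprint": _context_fingerprint(client_ip, user_agent),
            "issued_at": self._now(),
        }
        return cookie

    def validate(self, cookie: str, client_ip: str, user_agent: str) -> str:
        """Return 'ok', 'expired', 'replay' or 'unknown' for a presented cookie."""
        record = self._sessions.get(cookie)
        if record is None:
            return "unknown"
        if self._now() - record["issued_at"] > MAX_COOKIE_AGE_SECONDS:
            # Short lifetime: a cookie lifted into a stealer log is worthless after a day.
            del self._sessions[cookie]
            return "expired"
        presented = _context_fingerprint(client_ip, user_agent)
        if not hmac.compare_digest(presented, record["fingerprint"]):
            # Same cookie from a different client context: treat as replay and revoke it.
            del self._sessions[cookie]
            return "replay"
        return "ok"


def demo() -> dict:
    """Walk through legitimate use, a replay from another host, and expiry."""
    clock = [1_700_000_000.0]  # constructed epoch clock
    store = SessionStore(now=lambda: clock[0])
    ua = "Mozilla/5.0 (corp-laptop)"
    cookie = store.issue("alice", "203.0.113.10", ua)
    results = {"legit": store.validate(cookie, "203.0.113.10", ua)}
    # The same cookie presented from a different host and browser.
    results["replay"] = store.validate(cookie, "198.51.100.7", "python-requests/2.31")
    # The revoked cookie no longer works even for the original client.
    results["after_revoke"] = store.validate(cookie, "203.0.113.10", ua)
    cookie2 = store.issue("alice", "203.0.113.10", ua)
    clock[0] += MAX_COOKIE_AGE_SECONDS + 1
    results["expired"] = store.validate(cookie2, "203.0.113.10", ua)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Revoking on the first mismatch is a deliberate choice: once a cookie has been seen from two contexts, the legitimate user is better served by a fresh login than by letting either party continue.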

Finally, Gee recommended deploying automated systems for suspicious and impossible travel monitoring. These systems track connection locations and generate alerts for logins that occur from geographically distant places within an implausibly short timeframe. Such activity is a clear indicator of potential compromise, allowing security teams to respond swiftly to threats.
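The impossible-travel check described above, as an added example rather than anything from the article or a specific product: it groups login events by user, computes the great-circle distance between consecutive logins, and raises an alert when the implied speed exceeds a plausibility threshold. The login records, city coordinates and the 900 km/h threshold are all constructed for the example.

```python
import math
from datetime import datetime

# Constructed login records: (username, ISO-8601 UTC timestamp, latitude, longitude, label).
# Coordinates are approximate city centres; the events themselves are invented.
SAMPLE_LOGINS = [
    ("alice", "2025-05-12T08:02:00Z", 51.5074, -0.1278, "London"),
    ("alice", "2025-05-12T08:41:00Z", 51.4545, -2.5879, "Bristol"),
    ("alice", "2025-05-12T09:10:00Z", 35.6762, 139.6503, "Tokyo"),
    ("bob", "2025-05-12T07:30:00Z", 40.7128, -74.0060, "New York"),
    ("bob", "2025-05-12T19:45:00Z", 34.0522, -118.2437, "Los Angeles"),
]

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # constructed threshold, roughly airliner cruising speed
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _parse_ts(ts: str) -> datetime:
    # Accept a trailing 'Z' on older Python versions by mapping it to an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return an alert for each pair of consecutive logins by the same user
    whose implied travel speed exceeds max_speed_kmh."""
    by_user = {}
    for user, ts, lat, lon, label in logins:
        by_user.setdefault(user, []).append((_parse_ts(ts), lat, lon, label))

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])  # evaluate in chronological order
        for (t1, la1, lo1, p1), (t2, la2, lo2, p2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600.0
            dist = haversine_km(la1, lo1, la2, lo2)
            if hours <= 0:
                # Simultaneous logins from different places are impossible by definition.
                speed = math.inf if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": p1,
                    "to": p2,
                    "distance_km": round(dist),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_LOGINS):
        print(f"ALERT {alert['user']}: {alert['from']} -> {alert['to']} "
              f"({alert['distance_km']} km in {alert['hours']} h, ~{alert['speed_kmh']} km/h)")
```

On the sample data, London to Bristol in 39 minutes and New York to Los Angeles in about twelve hours both stay under the threshold, while Bristol to Tokyo in under half an hour is flagged. In production the geolocation would come from an IP-to-location lookup and the threshold would be tuned for VPN egress points and corporate proxies, which otherwise generate false positives.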

(Source: Info Security)
