34 Russian Cybercrime Groups Stole Over 50 Million Passwords with Stealer Malware


As many as 34 Russian-speaking gangs distributing information-stealing malware under the stealer-as-a-service model stole no fewer than 50 million passwords in the first seven months of 2022.

“The underground market worth of stolen logs and compromised card particulars is estimated around $5.8 million,” Singapore-headquartered Group-IB said in a report shared with The Hacker News.

Aside from looting passwords, the stealers also harvested 2.11 billion cookie files, 113,204 crypto wallets, and 103,150 payment cards.

A majority of the victims are located in the U.S., followed by Brazil, India, Germany, Indonesia, the Philippines, France, Turkey, Vietnam, and Italy. In total, 890,000 devices in 111 countries were infected during the time frame.

Group-IB said the members of several scam groups who are propagating the information stealers previously participated in the Classiscam operation.

These groups, which are active on Telegram and have around 200 members on average, are hierarchical, consisting of administrators and workers (or traffers), the latter of whom are responsible for driving unsuspecting users to info-stealers like RedLine and Raccoon.

This is achieved by setting up bait websites that impersonate well-known companies and luring victims into downloading malicious files. Links to such websites are, in turn, embedded into YouTube video reviews for popular games and lotteries on social media, or shared directly with NFT artists.

“Administrators normally give staff both RedLine and Racoon in trade for a share of the stolen information or cash,” the company said. “Some teams use three stealers at the same time, whereas others have just one stealer in their arsenal.”

Following a successful compromise, the cyber criminals peddle the stolen information on the dark web for monetary gain.

The development highlights the crucial role played by Telegram in facilitating a range of criminal activities, including functioning as a hub for announcing product updates, offering customer support, and exfiltrating data from compromised devices.

The findings also follow a new report from SEKOIA, which disclosed that seven different traffers teams have added an up-and-coming information stealer known as Aurora to their toolset.

“The recognition of schemes involving stealers may be defined by the low entry barrier,” Group-IB explained. “Beginners don’t have to have superior technical data as the method is absolutely automated and the employee’s only activity is to create a file with a stealer within the Telegram bot and drive site visitors to it.”


