Among cyber threats, they do not encrypt your files, they do not demand a ransom, and yet they open the way to some of the most destructive cyberattacks on businesses. Infostealers (in French, "cleptogiciels") have become the tool of choice for cybercriminals who collect and resell millions of access credentials in bulk, a threat that operates without making any noise.
A discreet but systemic threat
Installed without the user's knowledge via booby-trapped files (cracks, browser extensions, attachments), they silently harvest all the identification data present on the infected workstation: saved passwords, session cookies, browsing history, VPN credentials, access to messaging and internal panels, and sometimes even local files or screenshots. Once the collection is complete, this data is exfiltrated to remote servers and then compiled into databases called "logs", which are sold or traded on cybercriminal marketplaces.
A structured industry, derisory costs
Each log takes the form of a file containing thousands of credentials in raw format. These files are sold for a few euros each, sometimes in bundles by country, by company or by sector of activity. Platforms such as Russianmarket, 2easy or Genesis Market (dismantled in 2023) industrialised the model; in parallel, Initial Access Brokers (IAB) specialise in reselling premium access, targeting companies that are vulnerable but of high value.
A gateway to the final attack
Once the credentials have been recovered, exploitation can take several forms:
- Direct connection to internal systems without triggering an alert, in the absence of MFA or behavioural monitoring (a stolen session cookie replays an already-authenticated session, so even an MFA-protected account can be entered this way).
- Use of the access to scrape databases at scale.
- Sale of the access to more organised groups, which then deploy ransomware, extortion, or mass exfiltration of sensitive data.
Accessible tools, unaware victims
Infostealers are not reserved for experienced cybercriminals. Using one is within reach of any malicious actor with 50 euros and a tutorial. Most worrying is the ease with which employees, in business or in the public sector, can be infected: a free browser extension, a cracked office suite, a fake update, a single click.
In most cases, the victims are unaware of the compromise. The malware does not slow down the machine, does not show itself, and changes no visible behaviour. The danger often remains invisible until a major event reveals the extent of the damage.
A response that is still too partial
Despite the scale of the phenomenon, few organisations have adapted their security policies; most budgets remain oriented towards perimeter protection or anti-ransomware solutions, which leaves a critical blind spot in post-infection detection and in the analysis of leaked data.
Some measures to apply:
- Prohibit password reuse,
- Apply MFA systematically, and keep session lifetimes short so that a stolen cookie expires quickly,
- Deploy behavioural detection solutions (EDR/NDR),
- Train all employees on the risks linked to infostealers.
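The "analysis of leaked data" mentioned above, and the check for reused passwords, can be scripted once a stealer log is in hand. The following Python script is an added example, not code from the original article or from any of the marketplaces it names. It assumes the raw credential file is laid out as repeated `URL` / `USER` / `PASS` lines separated by blank lines (an assumption about the format; real dumps vary), and the sample dump, the `example-corp.com` domain list and the user names in it are constructed for illustration. It reports which accounts belong to domains the organisation owns (to be reset and their sessions revoked) and which passwords are shared across several sites.

```python
"""Cross-check a stealer-log dump against an organisation's own domains.

Added example, not from the original article. The URL/USER/PASS record layout
is an assumption about how such raw credential files are organised; the sample
dump and the ORG_DOMAINS list below are constructed for illustration only.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of a raw credential dump (assumed layout, fictional data).
SAMPLE_LOG = """\
URL: https://vpn.example-corp.com/login
USER: j.dupont
PASS: Winter2023!

URL: https://mail.example-corp.com/owa
USER: j.dupont@example-corp.com
PASS: Winter2023!

URL: https://shop.example.net/account
USER: jdupont
PASS: Winter2023!

URL: https://intranet.example-corp.com/
USER: admin
PASS: Adm1n-Only
"""

# Constructed list of domains the organisation owns (assumption for the example).
ORG_DOMAINS = ("example-corp.com",)


def parse_dump(text):
    """Parse URL/USER/PASS records separated by blank lines into dicts.

    Only the first ':' on each line is a separator, so passwords or URLs that
    contain a colon are kept intact. Incomplete records are dropped.
    """
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return [r for r in records if {"url", "user", "pass"} <= r.keys()]


def host_of(url):
    """Lower-cased host name of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def belongs_to_org(host, org_domains=ORG_DOMAINS):
    """True if host is one of our domains or a subdomain of one.

    Suffix matching is anchored on a leading '.', so an attacker-controlled
    'example-corp.com.evil.net' does not match.
    """
    return any(host == d or host.endswith("." + d) for d in org_domains)


def exposed_org_accounts(records, org_domains=ORG_DOMAINS):
    """Records whose URL points at a domain we own: accounts to reset."""
    return [r for r in records if belongs_to_org(host_of(r["url"]), org_domains)]


def reused_passwords(records):
    """Map each password used on more than one host to the hosts sharing it."""
    by_pass = defaultdict(set)
    for r in records:
        by_pass[r["pass"]].add(host_of(r["url"]))
    return {p: sorted(h) for p, h in by_pass.items() if len(h) > 1}


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_LOG)
    for r in exposed_org_accounts(recs):
        print(f"RESET  {r['user']} @ {host_of(r['url'])}")
    # Report only the hosts, never the password value itself.
    for hosts in reused_passwords(recs).values():
        print(f"REUSED password shared across {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed dump this flags three accounts on `example-corp.com` hosts for a reset, and shows that one password is shared between a corporate VPN, a corporate mailbox and an unrelated shopping site, which is exactly the reuse that turns a personal infection into a corporate intrusion.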