These platforms take inspiration from legitimate information and e-commerce services to design and market their products. Many marketplaces and forums charge a subscription fee to access the platform and then have different pricing structures for the data, depending on its value. Currently, Gray says, Russian Market has so much stolen data available to information thieves that it has been charging a low flat fee — typically no more than $10 — for any subset of data that users want to download.
“Organizations have become very good at security and people have become more savvy as well, so they are now not the best targets” for traditional, customized attacks, Gray says. “So attackers need something that is less specific and more based on what they can use. Information stealers are modular and often sold on a subscription basis, and that evolution likely aligns with the rise of modern subscription services like video streaming.”
Data thieves have been especially effective with the rise of remote work and hybrid work, as companies adapt to allow employees to access work services from personal devices and personal accounts from work devices. This creates opportunities for data thieves to randomly compromise people, for example, on their home computers, but still end up with corporate login credentials because the person was also logged into some of their work systems. It also makes it easier for data-stealing malware to bypass corporate protections, even on company devices, if employees can keep their personal email or social media accounts open.
“I started paying attention to it when it became an enterprise issue,” says Mandiant’s Carmakal. “And particularly around 2020, because I started seeing more intrusions into businesses that started with attacks on home computers, through phishing attacks on Yahoo, Gmail, and Hotmail accounts of people who had no connection to any business target, but to me seemed very opportunistic.”
Victoria Kivilevich, director of threat research at security firm KELA, says that in some cases cybercrime marketplaces can be used by criminals to search for potential targets’ domains and see if credentials are available. Kivilevich says that the sale of data harvested by information stealers can be thought of as the “supply chain” for several types of cyberattacks, including ransomware operators seeking potential victims’ details, those involved in business email compromise, and even initial access brokers who can sell the details back to other cybercriminals.
According to Kivilevich, more than 7,000 compromised credentials linked to Snowflake accounts have been shared across various cybercriminal marketplaces and on Telegram. In one case, a criminal has been promoting access to 41 companies in the education sector; another cybercriminal claims to be selling access to US companies with revenues between $50 million and $8 billion, according to Kivilevich’s analysis.
“I don’t think there’s been a single company that’s come to us that hasn’t had any accounts compromised by data-stealing malware,” Kivilevich says of the threat that infostealer records pose to businesses. KELA says that infostealer-related activity increased in 2023, and Irina Nesterovsky, research director at KELA, says that millions of credentials have been harvested by information-stealing malware in recent years. “This is a real threat,” Nesterovsky says.
Carmakal says there are multiple steps businesses and individuals can take to protect themselves from the threat of data thieves and their consequences, including using antivirus or EDR products to detect malicious activity. Companies should be strict about enforcing multi-factor authentication for their users, he says. “We try to encourage people not to sync passwords from their corporate devices to their personal devices,” Carmakal adds.
The use of data stealers has worked so well that it’s almost inevitable that cybercriminals will look to replicate the success of waves of attacks like Snowflake and get creative with other enterprise software services that they can use as entry points to access a variety of different client companies. Carmakal warns that he expects to see this result in more breaches in the coming months. “There’s no ambiguity about that,” he says. “Threat actors will start looking for data stealer records and looking for other SaaS providers, similar to Snowflake, to log in to and steal data from, and then extort those companies.”