Cybercriminals use cheap and simple infostealers to exfiltrate data

The rise in identity-based attacks can be attributed to a rapid increase in malware, according to SpyCloud.

identity-based attacks rise

Researchers found that 61% of data breaches in 2023, involving over 343 million stolen credentials, were infostealer malware-related. Of these compromised identity records, one in four contained information about the user’s network or physical location, putting the individual’s identity, platforms they have access to, and physical well-being at risk.

Infostealer malware exposes user information

Taking a deeper look into how stolen data empowers bad actors to perpetrate cybercrimes including account takeover, fraud, and ransomware, researchers analyzed the exposures of the average digital identity being traded in the criminal underground and found that the average identity appears in as many as nine breaches and is associated with 15 breach records.

Researchers also found that the average identity had a 1 in 5 chance of already being the victim of an infostealer infection. Infostealer malware enables criminals to collect vast amounts of information about the user and the device, including a user’s session cookies, API keys and webhooks, crypto wallet addresses, and more. This stolen authentication data enables cybercriminals to bypass protections including MFA and even passkeys to hijack their victim’s identity and take over digital sessions.

“Cheap and easy-to-use infostealers combined with the ubiquity of stolen data online can make cyber defense seem like an impossible task,” said Trevor Hilligoss, VP of SpyCloud Labs, SpyCloud’s research team responsible for recapturing data and analyzing patterns from the criminal underground.

“Protecting digital identities and beating cybercriminals at their own game requires a multi-layered approach. It starts with quickly identifying exposed identities and immediately moves to post-infection remediation – invalidating compromised authentication data for all applications exposed by the infection. It’s a sure-fire way to prevent future cyberattacks resulting from the stolen information,” added Hilligoss.

Mobile malware on the rise

Researchers also recaptured nearly 200 different types of personally identifiable information (PII) in 2023, ranging from full names (3.16 billion) and phone numbers (2.14 billion) to dates of birth (920.25 million), social security and national ID numbers (171.61 million) and credit card numbers (36.97 million).

Additionally, mobile malware is becoming an attractive attack vector for criminals. Between August and December 2023, SpyCloud recaptured 10.58 million mobile records exfiltrated by malware. While the goal of mobile malware is often financial fraud, compromised devices can also result in sensitive data compromise, disruption of operations, and reputational damage.

“Cloud applications, mobile devices and online services have become essential to both our personal and professional lives. When you consider the vast amounts of information that we put online and the likelihood of that information ending up in the wrong hands, our digital valuables have evolved beyond traditional credentials,” said Damon Fleury, CPO of SpyCloud. “Threat actors are linking together identity records from hundreds of sources to impersonate their victims, making it extremely difficult for platforms to differentiate between legitimate users and criminals.”

Researchers recaptured nearly 1.38 billion passwords circulating the darknet in 2023, an 81.5% year-over-year increase from 759 million in 2022. Within these passwords, the report finds a 74% password reuse rate for users exposed in two or more breaches in the last year—a 2 point increase from the prior year.

Pop culture continues to drive popular password choices

  • 1.1 million passwords were related to American fantasy football.
  • 1.1 million were related to the Hollywood writers’ strike.
  • 1 million were related to the NBA playoffs.
  • Passwords influenced by artists such as Shakira (508,000), Miley Cyrus (257,000), and Taylor Swift (119,000) were also common.

Researchers found 723 breaches containing .gov emails in 2023, up from 695 in 2022 and 611 in 2021. The recaptured records contained over 281,000 .gov credentials. The most common passwords associated with .gov emails were password, pass1, and 123456.

Password reuse rates for .gov users increased this year, rising to 67% from 61% in 2022.

The most noteworthy data leaks recaptured by SpyCloud last year:

  • WhatsApp: 364 million records leaked
  • Twitter (now X): 203 million records leaked
  • Luxottica: 203 million records leaked
  • UnionPay China: 127 million records leaked

Don't miss