Malware 101: Stealing information as an objective

As the previous article in this series explained, almost all malware has objectives because it is created and used by attackers who have their own motivations and goals. This is the first of five articles that will cover the various objectives for malware as mapped to common type names used in the cybersecurity industry.

Spyware

Spyware — as the name implies — aims to monitor a user without their knowledge and/or steal their information. The methods used vary based on the specific goals of the attacker and can range from a one-time data grab to long-term persistence. Likewise, the sophistication of the malware and techniques used can vary greatly depending on the resources available to the attacker, their level of skill, and the nature of the campaign (more advanced, targeted attacks versus "spray and pray" methods).

Infostealers

Infostealers steal information from a victim device and are a bit of a catchall term for a few different types of malware. Password stealers specifically go after login credentials and passwords stored on the device — passwords saved by web browsers, Wi-Fi passwords, and other passwords and/or password hashes that might be saved. These are often sold in bulk as combo lists (lists that aggregate a large number of username/email and password combinations), or they may be used by the attacker against the network(s) the device connects to. The nature of the credentials and the access they provide varies greatly and plays a key role in how they are sold or used. Given the rampant problem of password reuse, stolen credentials can sometimes provide access to far more than they were intended to.

Bankers

Bankers seek to steal banking and financial information. This could include credentials used to access online banking platforms, cryptocurrency wallets (although when this is the only target of a malware it instead is considered a cryptojacker), and potentially other financial-related information. Regardless of the specific tactics used by the malware, the goal of bankers is money. Money may be stolen directly by an attacker or brought in through identity theft based on information gained by the malware.

Keyloggers

Keyloggers, as the name suggests, monitor keystrokes and log them to a file that is periodically transmitted to an attacker. This can result in the theft of any personal information and/or credentials that  are typed by a user, and it circumvents any encryption used to protect stored credentials, such as with password managers and browsers. While the data gathered can be out of context, such as what site credentials provide access to if one is not explicitly typed into a browser prior to entering credentials, it does bypass some levels of security offered by software that saves passwords (whether browsers or password managers). Further, keyloggers can be combined with periodic screen captures to add context. However, the periodic transmission of data over a long period of time also can make keyloggers easy to spot and disable if traffic monitoring is in place.

The market for stolen data

Sensitive data and credentials are most often sold on dark marketplaces and, depending on the data, can fetch anywhere from a couple dollars for social media credentials to a thousand or more for full identity theft packages or network administrator login credentials. While malware isn't the only source of such data, it is very common, and information stealing capabilities are often added to malware with other objectives such as bots or ransomware given how large the market for such data is. Spyware can also go after more niche data such as communications to potentially extort or embarrass an organization or proprietary technology information for corporate espionage.

Given how much data exists and what can be achieved with the right data, the various types of spyware can lead to devastating consequences. Network and data breaches, stolen money, and identity theft can all seriously impact both organizations and individuals. Combined with social engineering attacks, almost any information stolen (or sometimes even found on public websites such as social media) can be leveraged by attackers to do harm.

You can read the rest of the Malware 101 series here.