1. The infection

The first step in the attack is not yet part of the active attack. Distributors of infostealer malware attempt to infect as many devices as possible with infostealer malware. This malware, which steals login data and session cookies on a large scale, is often concealed in illegal downloads or phishing emails. The goal of these attackers? Simple: infect as many devices as possible to profit from them. How: see step 2.

When infecting devices, professional devices are naturally the most valuable. However, personal devices can also be useful, especially if some business activity occurs on them anyway. After all, how common is it for people to use their personal device to log into their business systems? The attack at Uber, for example, began with a contractor's personal device becoming infected with malware.

2. The sale

Infostealer malware distributors rarely go on the attack themselves. Their business model is to infect as many devices as possible and then monetize them successfully. That is exactly what happened in the example of Uber and EA Games.

These transactions take place in closed marketplaces that not just anyone can access. Here, control of the device or specific sessions is offered for sale for prices ranging from ten dollars to a thousand dollars, and very rarely, as much as ten thousand dollars. For example, in the case of EA Games, it was revealed that the still active Slack account's session was sold for $10.

Once, twice, sold! Control of the account and/or device is now transferred to another attacker. This attacker, unlike the malware distributor, does have the objective of exploiting the data for an attack.

3. The disguise

Infostealer malware effectively provides hackers with a disguise that enables them to infiltrate organizations through the front door. This is because the still-active session permits the attacker to log into the organization's internal systems as if they were the employee.

At Uber, the session was apparently no longer valid or not present, and the attacker had to make do with just a username and password. The attacker used this data for an MFA Fatigue attack, incorporating an element of deception: the victim received a text message, with the attacker pretending to be Uber IT: "We see a lot of login attempts in our systems. To make them stop, you have to accept one of those requests for a moment." This gave the attacker access to Google Workspace and Slack, among others.

However, at EA Games, there was an active session, allowing the attacker to log directly into Slack as if they were the employee. An ideal disguise, as it turned out. From that capacity, the hacker contacted EA IT Support: "I lost my phone at a party last night." A new MFA token was created for EA's internal network, allowing the attacker to continue on their attack.

4. And continue…

Once inside an organization's internal systems, an attacker can proceed. At EA Games, approximately 750 GB of files were stolen, including the source code of several games. At Uber, the damage is estimated to be at least $3 million, according to the prosecution. Exactly what an attacker aims to do - whether it's installing ransomware or spyware, or altering files - varies from one attacker to another. The fact remains that they are involved in the attack at this stage, leaving organizations vulnerable.

The conclusion is clear: infostealers pose a sophisticated threat. They have already significantly impacted several large organizations in the Netherlands as well. Interested in learning more about how we detect these attacks at an early stage? Read more here.