Dozens of Russian Groups Steal 50 Million User Passwords

Written by

Security researchers have warned of a password-theft epidemic after revealing that Russian groups are using off-the-shelf info-stealing malware to devastating effect.

Group-IB said its analysis revealed 34 Telegram groups used by threat actors to organize their efforts, and that they’d infected over 890,000 user devices and stolen over 50 million passwords in the first seven months of 2022 alone.

The security vendor said each of these groups has as many as 200 active members. Many are well organized, and are used to participate in automated scam-as-a-service campaigns targeting marketplaces known as “Classiscam.”

In these campaigns, administrators give work to lower rank “workers” in exchange for a cut of the profits. These workers in turn drive traffic to scam websites masquerading as well-known companies and try to trick victims into downloading malicious files.

They do so by embedding links for downloading info-stealers into video reviews of popular games on YouTube, through mining software or NFT files on specialized forums, as well as lucky draws and lotteries on social media, Group-IB said.

As the name suggests, info-stealing malware collects data stored in browsers and sends it to the malware operator. This could include credentials to gaming accounts, email services and social media, as well as bank card details and crypto-wallet information.

The threat actors observed by Group-IB often used two or three distinct malware variants at the same time. The most popular were RedLine, used by 23 out of 34 gangs, and Racoon, used by eight. These can apparently be rented from the dark web for as little as $150-200 per month.

So far in 2022, PayPal (16%) and Amazon (13%) passwords account for the biggest share of malicious activity, although attacks targeting gaming services like Steam, EpicGames and Roblox have increased almost five-fold, Group-IB said.

The number of stolen passwords increased by 80% from the periods March–December 2021 to January–July 2022. However, the groups also go after cookie files (up 74%), crypto wallets (216%) and payment cards (81%).

The value of stolen data to date is nearly $6m, Group-IB estimated.

“The influx of a huge number of workers into the popular scam Classiscam led to criminals competing for resources and looking for new ways to make profits,” read a statement from Group-IB’s Digital Risk Protection team.

“The popularity of schemes involving stealers can be explained by the low entry barrier. Beginners do not need to have advanced technical knowledge as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and drive traffic to it. For victims whose computers become infected with a stealer, however, the consequences can be disastrous.”

What’s hot on Infosecurity Magazine?