Botnets & Info-Stealers (Part Ⅲ)

Part 3 of a 3 Part Series in Collaboration with Cyrus: Botnets & Info-Stealers

The following post, a first of a three part series, is presented in collaboration with Cyrus.

Everything that has a beginning has an end

In this last part of a three part series, our teams summarize the major takeaways from our joint research and provide you with some actionable recommendations.

Interestingly the Cyrus team managed to discover a recent and unique interview with a Russian info-stealer ex-cybercrime gang leader. Prior to the gang’s arrest, his team was in charge of targeting end-users and stealing their YouTube channels using info-stealer campaigns. We translated the whole interview and will share the main insights with you.

It’s all about the timing

Once data is acquired by Hudson Rock, it takes minutes for it to be parsed and integrated into its cybercrime database, which Cyrus has direct access to.

it is important to note that Hudson Rock receives the data at the exact same time that threat actors obtain it to perform data breaches and account takeovers so while it normally takes 2-3 days between the time a computer gets compromised to when it’s indexed, this is just due to the time it takes the threat actor to begin selling the data.

Why is this important for you? Cybercriminals work with tons of data and it takes time to sort and monetize the compromised credentials. It is much easier for us to protect you once we have the data than it is for them to attack.

Even if the detection happened only 2-3 days later – there is still a priceless time window to act and secure your device.

The difference in time from the induction until the indexing

4 tips on how to practice proper cyber-hygiene

  • Inspect incoming emails:

    Before clicking on the link or opening a file always evaluate the potential risk. We learned that “too good to be true” offers may end with malicious content.

    If you received an email with an immediate and “pressing” call to action – double-check the sender’s email address. None of any official companies or services will email you from or addresses.

    Info-stealers are typically sent through attachments you need to download so be wary of downloading and executing files you weren’t expecting.

    However, if you still have a gut feeling that something is wrong with the email content, don’t do anything even if it was received from a person that you know (simply because his/her account was potentially hacked and now serves for spam/scam delivery)
  • Download software from trusted sources:

    Don’t rely on any unofficial source. Always obtain legal software from the vendor’s official website or trusted application stores like AppStore or Google Play.

    Sources that offer you a 95% discount that is valid only for the next 10 minutes is a red flag for you.

    Our teams strongly recommend against using sites and forums that are known for sharing pirated content that is downloadable using torrents. Hudson Rock’s practice shows that the chance to download a file from the torrent network that is merged with an info-stealer is extremely high.
  • Activate and enforce 2FA on every possible service:

    Adding an additional layer of authentication will significantly increase your personal security level. This step will take you only a few extra seconds, but will turn into an extremely major fence to threat actors.

    Cyrus’ research team analyzed several underground sources and got a clear picture that the majority of hackers will drop trying to hack into an account that has an additional level of authentication.

    Our tip is always to stick to reputable authentication apps like “Google Authenticator” rather than using SMS messages.
  • Monitor your digital exposure:

    Let the rest of the work do the professionals. Download Cyrus and activate all pro-active monitoring features that include unmatched visibility to Hudson Rock’s over 5 million compromised devices. Aren’t you curious to know if you are there?

Are you a YouTube channel owner? Read this

By now, Cyrus and Hudson Rock shared with you our own expertise in the info-stealers world. However, now we invite you to a glimpse into an interview between two ex-cybercriminals that discussed how the info-stealer attacks are used to take-over YouTube accounts.

Ex-cybercriminal convicted for info-stealer distribution and taking over YouTube channels

“It’s always much easy to exploit the end-user and trick them instead of trying to hack the company itself like Google” – citation of a cybercrime gang leader that managed a team focused on malware distribution.

The fact that there is an organized gang with leaders, shift managers, regular “employees”, financial specialists, and malicious software developers is like a final stamp that shows you how big the info-stealer threat is.

The gang was sending hundreds of emails to YouTube channel owners with invites to an unbelievable “partnership” opportunity. In more special cases, the dedicated shady analysts’ team was preparing a tailored offer based on an analysis of previous YouTube channel owner partnerships.

In most cases, the offers were baked with fake documents that will increase users’ trust. The common attack vector was to offer an anti-virus software that will make the channel owner “safer”, but in fact, the installation file was merged with info-stealer and done absolutely the opposite of protecting.

Ex-cybercriminal shares a screenshot of an info-stealer being used for attacks

According to the ex-cybercriminal, in western countries, it’s common that the influencer channels are managed by a dedicated social media manager. Typically, those managers are responsible for up to 10 YouTube channels. When this cybercrime gang had a “lucky day”, they managed to hack one manager and through him/her get access to all the channels under his/her responsibility.

Info-stealer a Mac computers

Nothing is 100% perfect. Info-stealers are made to target as many audiences as they can and Microsoft Windows is still the most popular operating system in the world. Thus, they were designed to attack Windows devices and not Mac computers.

However, if the gang member recognizes that the potential victim uses a Mac device and it is worth compromising his/her credentials –  the victim will be tricked into executing the infected file on a Windows device while logged in to all targeted accounts.

The credentials life after infection

Typically the hacked YouTube channel can be resold on the black market for 500$. The gang member (in the cybercrime jargon – the worker) who managed to successfully trick and infect the end-user may get between 30%-40% of the black market’s price as a profit.

The “new” owner of the channel will try to monetize it as fast as possible. Ex-cybercriminal shared that it’s usually done with the following techniques:

  • Starting live streams with crypto scams. Send “us” 1 bitcoin, and tomorrow will give you 2. Different people still continue to fall into this trap even in the middle of 2022.
  • Adding casino ads, links to attract traffic to third-party sources.
  • Cashing out YouTube AdSense (money from ads) profits by unfreezing them using an intentional channel block. This is done by uploading porn content to the channel that will trigger channel lock and unfreeze AdSense balance.

Hudson Rock’s company domain search tool indicates that there over tens of thousands of compromised youtube credentials originating from computers infected with info-stealers, you can check any domain for free:

Final words

Our teams believe that this joint research opened your eyes to this threat and now you have information on how to protect yourself against info-stealer attacks.

Download the Cyrus application and get comprehensive personal cybersecurity & identity protection for your email accounts, financial assets, and personal devices.

Don’t Stop Here

More To Explore

favicon__1_ removebg-png


Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise

favicon__1_ removebg-png


Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise