PaymentsJournal

Infostealers: The Latest Cyberthreat Facing Financial Institutions

March 31, 2025

Last year, attackers used stolen credentials to get into customer accounts at cloud data platform Snowflake, taking data from more than 150 companies and extorting more than $2 million from victims. The attackers did not breach Snowflake itself. They logged in with usernames and passwords that infostealer malware had harvested earlier from the machines of customer employees and contractors, and they targeted accounts that were not protected by multi-factor authentication. The growing market for stolen financial data has made these attacks an escalating threat to financial institutions worldwide.


In a PaymentsJournal podcast, Mike Kosak, Senior Principal Intelligence Analyst at LastPass, and Jennifer Pitt, Senior Analyst in Fraud and Security at Javelin Strategy & Research, looked at the threat that infostealers currently pose to banks. They discussed how infostealers present risks even to third-party vendors, and how organizations can stay one step ahead in protecting their sensitive information.



What Are Infostealers?

Infostealers are a specific type of malware that harvests sensitive data from a victim’s computer. They primarily target browser-stored data, such as saved credentials and session tokens, together with details about the operating system and installed software that help the buyer impersonate the victim’s machine. The resulting bundle, known in the trade as a “log,” is exfiltrated and sold to malicious brokers.


Infostealers are generally small, lightweight programs built for speed. They’re designed to execute quickly, exfiltrate what they find, and then delete themselves. Because the whole run can be over in seconds, there is little left for a defender to catch, which is a key reason why infostealers are so difficult to detect. In 54% of the cases that security firm SpyCloud examined, the victim had an active antivirus program running on their system.


The malware itself is sold by its developers, typically on a subscription basis, but the stolen data is what usually changes hands: infostealer logs are sold through initial access brokers, a subset of the cybercriminal ecosystem focused on gaining entry to systems. That initial access lets other, more specialized groups act on the stolen information, including ransomware operations and nation-state threat actors. The brokers are agnostic to the buyer and will sell the data to anyone.


FIs Are Especially Vulnerable

Infostealers are a favored tool against financial institutions, not just because banks hold the money, but because the malware can scrape saved passwords from customers’ browsers, and those frequently include login credentials for financial institutions. Logging in with a legitimate credential from what looks like a normal session circumvents many of the fraud and account takeover prevention measures that FIs have in place.


Customers at financial institutions often reuse passwords across multiple accounts, including accounts at different banks, and across the email and social media accounts those bank logins are linked to. One stolen password can therefore open several doors, which makes reused credentials especially valuable to whoever buys the log.


These kinds of attacks are not limited to customers; employees have also fallen victim. Where multi-factor authentication is not enforced for employees, a stolen password alone is enough to get in, and employees often use weak, short passwords or reuse them across multiple systems. Some employees also access personal accounts from work machines or use personal devices for work, so a stealer that lands on a personal device can pick up corporate credentials along the way.


In recent months, major browsers have added stronger protections for stored credentials and cookies (Chrome, for example, now encrypts its cookie store so that an ordinary user-level process other than the browser cannot decrypt it), but the larger infostealer families have been quick to figure out workarounds.


“They’re constantly evolving,” said Kosak.  “It’s a very effective marketplace and a very effective tool. It’s cost effective and it works. That keeps bringing on more of these threat actors, both people who are trying to make money on the initial access broker sites and the developers themselves.”


Infostealers also target session tokens. A stolen session cookie can be replayed from the attacker’s machine to take over an already-authenticated session, bypassing the password and any MFA challenge unless the session is bound to the original device or otherwise protected. Freshness is what the buyers pay for: if the data is recent enough, most of it ends up available for sale within a day of the time it was stolen.


The Hidden Risks

The risks to financial institutions from infostealers are broader than they might initially appear. The primary threat is the theft of credentials and data, but fraud losses, operational risk, and reputational risk come with it. Once an institution starts losing a significant amount of money this way, and has no plan for handling the resulting media attention, the reputational damage can be massive.


FIs should also consider their business-to-business connections. Infostealers can target supply chains and third-party vendors just as easily as customers or the business itself. Supply chain vulnerabilities can have second- and third-order effects, impacting customers as much as a direct breach of the institution.


When an organization hires cloud service providers or third-party vendors to protect its data, the original institution remains responsible for vetting that third-party processor. It must ensure the vendor has the proper security protocols in place to deter infostealers.


“The Snowflake data breach happened because they hired a third-party company that didn’t require multi-factor authentication,” said Pitt. “Ultimately, the customer is going to hold the initial institution responsible. They’re going to start leaving banks for somebody else that will actually protect their credentials.”


The Latest in Prevention

Identity and Access Management (IAM) programs can significantly reduce the risk posed by infostealers. An effective IAM strategy includes strict, least-privilege access controls and continuous monitoring to detect and respond to suspicious activity. A stolen credential still looks valid at login, but when each user can reach only the data their role requires, and its use is watched, it becomes much harder for threat actors to exploit that credential.


Multi-factor authentication remains absolutely critical, as is requiring customers to use unique and complex passwords for every account. If passkeys are an option, use them as well.


“That’s an absolutely critical next step when we think about how to mitigate this risk in the longer term,” Kosak said. “Passkeys are going to become more and more important. We’re still very early in the adoption cycle on that, but they’re phishing resistant.”


Another important factor for FIs to be aware of is cracked software, that is, pirated copies of paid applications distributed outside official channels. These downloads are a common delivery vehicle for infostealers, and people concerned about the threat should resist the temptation to install them.


“If you see something that looks a little off the books, it’s probably going to come with a nasty surprise,” said Kosak. “They direct people to these YouTube links that deliver malware. Stick to known app stores.”


Behavioral detection, including user behavior analytics and device fingerprinting, is emerging as a strong defense against infostealers, because a stolen credential or session token ends up being used from a machine, and in a pattern, that the FI has not seen for that customer before. These signals help detect account takeovers as they happen. When an FI detects anomalous behavior, it can have processes in place to step up authentication or cut off the session while the action is still in progress.
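As an added example (not code from the article, LastPass or Javelin), the following Python script runs the checks described above over a constructed stream of authentication events: it flags a session cookie presented from a device fingerprint other than the one that authenticated it (the stolen-token replay discussed earlier), flags a successful login from a device the customer has never used, and then correlates the alerts to spot one attacker machine touching several accounts. The event format, field names, the seeded device history and the sample events are all assumptions.

```python
# Added example: session-replay and new-device detection over constructed
# auth events. Not from the article; event schema and sample data are assumed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    kind: str      # "login" (password + MFA passed) or "request" (cookie presented)
    session: str   # opaque session-cookie identifier, hashed in real logs
    ip: str
    device: str    # device-fingerprint hash (UA, TLS profile, screen, timezone, ...)


@dataclass(frozen=True)
class Alert:
    kind: str
    user: str
    detail: str


def analyze(events, known_devices):
    """Return alerts, in detection order, for:
    - session_replay: a cookie presented from a device other than the one
      that logged in (a stolen token replayed from the attacker's machine);
    - new_device_login: a login from a device never seen for that user;
    - shared_attacker_device: one device behind alerts on several accounts."""
    known = {user: set(devs) for user, devs in known_devices.items()}
    bound = {}                           # session id -> (user, device, ip) at login
    suspect = defaultdict(set)           # device -> users it raised alerts on
    alerts = []

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            seen = known.setdefault(ev.user, set())
            if seen and ev.device not in seen:
                alerts.append(Alert("new_device_login", ev.user,
                                    f"{ev.device} from {ev.ip}"))
                suspect[ev.device].add(ev.user)
            seen.add(ev.device)          # real systems would step up auth first
            bound[ev.session] = (ev.user, ev.device, ev.ip)
        elif ev.kind == "request":
            if ev.session not in bound:
                alerts.append(Alert("unknown_session", ev.user, ev.session))
                continue
            owner, device, ip = bound[ev.session]
            if ev.device != device:
                alerts.append(Alert("session_replay", owner,
                                    f"{ev.session} bound to {device}@{ip}, "
                                    f"presented from {ev.device}@{ev.ip}"))
                suspect[ev.device].add(owner)

    for device, users in suspect.items():
        if len(users) > 1:
            alerts.append(Alert("shared_attacker_device",
                                ",".join(sorted(users)), device))
    return alerts


def _t(hhmm):
    return datetime(2025, 3, 31, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample: alice's cookie S1 is replayed from "dev-mule", and bob's
# stolen password is used to log in from the same attacker device.
KNOWN_DEVICES = {"alice": ["dev-alice"], "bob": ["dev-bob"]}
SAMPLE_EVENTS = [
    AuthEvent(_t("09:00"), "alice", "login",   "S1", "203.0.113.10", "dev-alice"),
    AuthEvent(_t("09:05"), "alice", "request", "S1", "203.0.113.10", "dev-alice"),
    AuthEvent(_t("09:20"), "alice", "request", "S1", "198.51.100.7", "dev-mule"),
    AuthEvent(_t("10:00"), "bob",   "login",   "S2", "203.0.113.20", "dev-bob"),
    AuthEvent(_t("10:30"), "bob",   "login",   "S3", "198.51.100.7", "dev-mule"),
    AuthEvent(_t("10:31"), "bob",   "request", "S3", "198.51.100.7", "dev-mule"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(f"{alert.kind:24} {alert.user:12} {alert.detail}")
```

Treat these alerts as triggers for step-up authentication or session revocation rather than hard blocks: a fingerprint is a signal, not a credential, and stealer logs often include enough browser details for an attacker to imitate the victim’s device. Cryptographically binding the session to a key that never leaves the customer’s device is the stronger fix; the behavioral check is what catches the cases where that binding is not yet in place.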


Polite Paranoia

All financial institutions have annual training requirements that everyone must complete to understand the threat environment. There’s another aspect that can be a bit harder to implement and articulate—the culture side. The core issue is instilling a culture of polite paranoia.


“You’ve got to be willing to raise questions both up and down the chain if you see something that’s suspicious,” said Kosak. “Being willing as a new junior associate to raise your hand and say, ‘Hey, this seems suspicious to me,’ that’s a cultural aspect to an institution. Being willing to be challenged if you’re a senior in that institution and say, ‘Hey, I’m glad you’re asking that question.’ That’s really powerful too.”


“These threat actors will use fear and intimidation and psychological pressure to get people to act without having the time or feeling like they have the channels to raise questions,” he said. “Polite paranoia takes that away from them.”