PaymentsJournal
How Dark Web Intelligence Is Key to the Fight Against Infostealers
Cybercriminals have been after personal data for years, but new technology is giving them a dangerous boost. Infostealers—malware that extracts sensitive data like passwords and credit card numbers—are becoming one of today’s biggest online threats because they are easy to use and hard to spot.
While conversations about online safety often peak during Cybersecurity Awareness Month, the reality is that vigilance is needed year-round. In a recent PaymentsJournal podcast, Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, discussed the damage infostealers can cause, how consumers can protect themselves, and how dark web threat intelligence is helping fight back against bad actors.
Protecting the Keys to the Kingdom

Malware has become a damaging force capable of shutting down systems and causing financial havoc—even to large-scale organizations. However, infostealers take this threat to another level, having been responsible for extracting billions of personal credentials.
“What makes it different from malware that we’ve seen in the past like keyloggers is that infostealers are extremely sophisticated, so they’re capturing all kinds of data,” Goldberg said. “When you type in your username and password, they’re capturing the browsing history and the cookies.”
“Some of these infostealers are sophisticated enough to capture screenshots, which is really frightening,” she said. “There are some infostealers out there that are specifically designed to target crypto wallets and digital wallets—all of that data can be captured.”
Their sophistication makes infostealers exceptionally difficult to detect and neutralize. The combination of stealth and power poses a serious challenge to the financial services industry on multiple fronts.
First, financial institutions must find ways to verify that an online or mobile banking session is genuinely the customer's, rather than a replay of stolen session cookies. Second, the industry must confront the reality that passwords, and even passkeys and tokens that sit behind a password-protected account, are not by themselves sufficient to defend against modern malware.
“In the same way that password managers have risks, because if the password to the password manager is compromised in a data breach—and we know people reuse passwords—then the keys to the kingdom are gone,” Goldberg said. “The same holds true in this environment for passkeys and digital wallets and tokens because oftentimes that encrypted data is held behind a site that is password-protected.”
“When we save passwords and browsing history, which most of us do, if that browser history or the cookies are compromised, then there’s no reason for the cybercriminals to decrypt any data, they get access to where that data is housed,” she said. “It’s an extremely concerning problem, and it’s one that I don’t think we’re prepared for as an industry.”
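The behaviour Goldberg describes, a program other than the browser reading the saved-password and cookie stores, is also what a defender can look for on the endpoint. The following is an added example, not code from PaymentsJournal or Javelin: it triages a constructed file-access feed (the field names pid, process, op and path are an assumption about a generic EDR log) and flags processes that read Chromium or Firefox credential stores without being a browser running from its install directory. A single store read is rated low; several distinct stores from one process, including the Local State file that holds the key protecting Chromium's saved data, is the infostealer pattern and is rated high.

```python
"""Triage of endpoint file-access events for infostealer-style reads of browser
credential and cookie stores.

Added illustration, not code from PaymentsJournal or Javelin. The event feed
below is constructed; its field names (pid, process, op, path) are an assumption
about how a generic EDR file-access log might look.
"""
import re

# Where Chromium-based browsers and Firefox keep saved logins, cookies and (for
# Chromium on Windows) the DPAPI-protected key that encrypts them. Matched on the
# trailing path segments, case-insensitively, with either separator.
STORE_PATTERNS = {
    "chromium_logins": re.compile(r"[\\/]user data[\\/][^\\/]+[\\/]login data$", re.I),
    "chromium_cookies": re.compile(r"[\\/]user data[\\/][^\\/]+[\\/](?:network[\\/])?cookies$", re.I),
    "chromium_master_key": re.compile(r"[\\/]user data[\\/]local state$", re.I),
    "firefox_store": re.compile(r"[\\/]profiles[\\/][^\\/]+[\\/](?:logins\.json|key4\.db|cookies\.sqlite)$", re.I),
}

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe", "firefox.exe"}
# A browser image name alone is not enough: a stealer can call itself chrome.exe.
TRUSTED_DIR_MARKERS = ("c:\\program files\\", "c:\\program files (x86)\\",
                       "\\appdata\\local\\google\\chrome\\application\\")


def classify_store(path):
    """Return the store type a path points at, or None if it is not a credential store."""
    for label, pattern in STORE_PATTERNS.items():
        if pattern.search(path):
            return label
    return None


def image_name(process_path):
    """Last path segment, lower-cased, regardless of separator style."""
    return re.split(r"[\\/]", process_path)[-1].lower()


def is_trusted_browser(process_path):
    """True only for a known browser image running from an expected install directory."""
    p = process_path.lower()
    return image_name(p) in BROWSER_IMAGES and any(m in p for m in TRUSTED_DIR_MARKERS)


def triage(events, min_stores_for_high=2):
    """Group store accesses by process and rate them. One store touched by an
    unknown process is worth a look; several distinct stores in one process is
    the infostealer pattern (logins + cookies + the key that decrypts them)."""
    per_process = {}
    for e in events:
        if e["op"] not in ("read", "copy"):
            continue
        store = classify_store(e["path"])
        if store is None or is_trusted_browser(e["process"]):
            continue
        per_process.setdefault((e["pid"], e["process"]), set()).add(store)
    findings = []
    for (pid, process), stores in per_process.items():
        severity = "high" if len(stores) >= min_stores_for_high else "low"
        findings.append({"pid": pid, "process": process, "stores": sorted(stores), "severity": severity})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["pid"]))


# Constructed sample feed: a real browser reading its own files, a dropper in
# Temp sweeping every store, and a binary masquerading as chrome.exe.
CHROME = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
FIREFOX = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9.default-release"
EVENTS = [
    {"pid": 4120, "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "op": "read", "path": CHROME + r"\Default\Login Data"},
    {"pid": 4120, "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "op": "read", "path": CHROME + r"\Local State"},
    {"pid": 7788, "process": r"C:\Users\alice\AppData\Local\Temp\update.exe", "op": "read", "path": CHROME + r"\Default\Login Data"},
    {"pid": 7788, "process": r"C:\Users\alice\AppData\Local\Temp\update.exe", "op": "copy", "path": CHROME + r"\Default\Network\Cookies"},
    {"pid": 7788, "process": r"C:\Users\alice\AppData\Local\Temp\update.exe", "op": "read", "path": CHROME + r"\Local State"},
    {"pid": 7788, "process": r"C:\Users\alice\AppData\Local\Temp\update.exe", "op": "read", "path": FIREFOX + r"\logins.json"},
    {"pid": 9031, "process": r"C:\Users\alice\Downloads\chrome.exe", "op": "read", "path": CHROME + r"\Default\Network\Cookies"},
    {"pid": 2210, "process": r"C:\Program Files\Mozilla Firefox\firefox.exe", "op": "read", "path": FIREFOX + r"\cookies.sqlite"},
    {"pid": 3302, "process": r"C:\Windows\explorer.exe", "op": "read", "path": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["severity"], f["pid"], f["process"], ", ".join(f["stores"]))
```

Two caveats for anyone adapting this: backup agents, password-manager import tools and browser sync utilities also read these files, so the trusted-process list needs to come from the host's own software inventory rather than from this hard-coded set; and the detection only tells you the stores were read, not whether the cookies were already replayed, which is the part the article warns about, since a stolen session cookie works without the password ever being decrypted.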
The Cost of Convenience

Many of today’s emerging risks stem from the new digital paradigm. While digital payments and modern technologies offer transformational benefits, they have also introduced new vulnerabilities.
“If you have a credit card that is reissued and it’s automatically updated to your digital wallet, if that cybercriminal has already gained access to the password and login credentials that give access to that digital wallet, when the new digital numbers are automatically updated, they have access to it,” Goldberg said.
“We have these digital wallets where our financial institution can reissue a compromised card to us digitally, which means we can start using that card before we get the physical replacement in the mail,” she said. “That convenience is wonderful, but it’s also made it easier for cybercriminals.”
For financial institutions, this can be costly—especially if they must continually reissue EMV chip cards in addition to bearing the broader costs of fraud.
Addressing this challenge is complicated by the limits of consumer education, which has typically been central to fraud prevention. It’s unrealistic to expect the average consumer to stop reusing passwords, regularly clear browsing histories, or log out of every device after each session.
As a result, a new type of solution is needed—one that may require the industry to hearken back to the early days of digital.
“What the solution is going to be, it’s something that we talked about years ago and we never made the leap and that is hardware tokens. These are physical tokens that you carry on your person that you use to log into your device,” Goldberg said. “Whether it’s your mobile device, tablet, or laptop, having that physical token is going to be the only solution.”
“We’re going to almost have to take a step back in time,” she said. “Just like we would use a hard key to open our door, we’re going to have to take a step back, and that’s going to cause challenges for convenience.”
Scouring the Dark Web

In addition to heightened security on the consumer end, dark web threat intelligence can make a broader impact. This intelligence comes not only from collecting the compromised data found on the dark web, but also data from monitoring threat actor communications in forums and chat channels.
Dark web threat intelligence has become critical because it helps uncover the connections between bad actors, who increasingly operate in organized groups. This kind of attribution is growing more important as technology advances and more sensitive data moves online.
The growing repository of digital information must be protected, as bad actors are no longer just a threat to individual consumers or organizations—their actions can create ripple effects that reach the level of national security concerns.
“There are threat actors out there that on the surface may look like they are just targeting consumers for scams, but by looking at the tactics, techniques and procedures, dark web threat intel can tell us that there could be something more nefarious going on,” Goldberg said.
For example, a threat analyst combing the dark web may discover a series of compromised credit cards issued by a single financial institution. They might then notice that the cards belong to account holders clustered in a certain part of the country. From there, the analyst would dig deeper to identify further commonalities among the affected accounts and potential links to broader criminal activity.
“You’re able to say: ‘They all shopped at a certain grocery store or dined in a certain restaurant,’ and you just continue to narrow it down,” Goldberg said. “Perhaps you’re able to find out that all of these individuals were on a particular Facebook Marketplace forum and they were engaging with a certain individual who was selling BBQ equipment.”
“Then, you’re able to say: ‘This particular individual who is associated with the account that’s selling the BBQ equipment also has accounts that use different names, but have the same IP address,’” she said. “From here, we’re able to connect the dots, and ultimately the hope is that through this trail of attribution, you’ll find out who the individual or individuals behind some of these malware rings and groups are and take them down.”
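The narrowing-down described above, from a cluster of compromised cards to a common touchpoint to a set of aliases sharing an IP address, can be written as a small analytic pipeline. The following is an added example, not code from PaymentsJournal or Javelin; every card record, merchant, seller handle and IP address in it is constructed for illustration. It goes one step beyond the quoted scenario by comparing the compromised cards against a clean control sample of the same issuer's cards, so that a merchant everyone uses (the grocery store) does not look like the common point, and by checking how much of the compromised set the linked aliases explain.

```python
"""Common-point-of-compromise pivot over constructed card-fraud data.

Added example for illustration only; it is not PaymentsJournal's or Javelin's
code, and every record below is invented. It mirrors the narrowing-down an
analyst does: find what the compromised cards share that clean cards do not,
then link the seller handles that surface to one actor via a shared IP address.
"""
from collections import Counter, defaultdict

# Constructed: cards from one issuer seen in a dark-web dump, with the merchants
# and marketplace seller handles each cardholder transacted with in the window.
COMPROMISED = [
    {"card": "****0001", "region": "OH", "touchpoints": {"GroceryMart", "FuelStop", "seller:grill_guy_88"}},
    {"card": "****0002", "region": "OH", "touchpoints": {"GroceryMart", "seller:grill_guy_88", "CoffeeCo"}},
    {"card": "****0003", "region": "OH", "touchpoints": {"FuelStop", "seller:grill_guy_88"}},
    {"card": "****0004", "region": "OH", "touchpoints": {"GroceryMart", "seller:grill_guy_88"}},
    {"card": "****0005", "region": "PA", "touchpoints": {"GroceryMart", "seller:smokehouse_deals"}},
]

# Constructed: control sample of the same issuer's cards with no fraud reports.
# Without it, a merchant everyone uses would top the list.
BASELINE = [
    {"card": "****1001", "region": "OH", "touchpoints": {"GroceryMart", "FuelStop"}},
    {"card": "****1002", "region": "OH", "touchpoints": {"GroceryMart", "CoffeeCo"}},
    {"card": "****1003", "region": "PA", "touchpoints": {"GroceryMart", "FuelStop"}},
    {"card": "****1004", "region": "OH", "touchpoints": {"GroceryMart"}},
    {"card": "****1005", "region": "PA", "touchpoints": {"FuelStop", "CoffeeCo"}},
    {"card": "****1006", "region": "OH", "touchpoints": {"GroceryMart", "seller:grill_guy_88"}},
]

# Constructed: marketplace seller accounts and the IP addresses they logged in from.
SELLER_ACCOUNTS = [
    {"handle": "grill_guy_88", "ip": "203.0.113.7"},
    {"handle": "smokehouse_deals", "ip": "203.0.113.7"},
    {"handle": "honest_bbq_ohio", "ip": "198.51.100.22"},
    {"handle": "grill_guy_88", "ip": "203.0.113.9"},
]


def touchpoint_share(records):
    """Fraction of records in which each touchpoint appears."""
    counts = Counter(t for r in records for t in r["touchpoints"])
    return {t: c / len(records) for t, c in counts.items()}


def ranked_touchpoints(compromised, baseline, min_share=0.5, floor=0.05):
    """Rank touchpoints by lift: share among compromised cards divided by share
    among clean cards. A touchpoint absent from the baseline is given `floor`
    so its lift is large but finite. Only touchpoints present in at least
    `min_share` of the compromised cards are considered."""
    comp, base = touchpoint_share(compromised), touchpoint_share(baseline)
    ranked = []
    for t, share in comp.items():
        if share < min_share:
            continue
        lift = share / max(base.get(t, 0.0), floor)
        ranked.append((t, round(share, 2), round(lift, 2)))
    return sorted(ranked, key=lambda x: x[2], reverse=True)


def link_handles_by_ip(accounts):
    """Group seller handles that share a login IP; only IPs with >1 handle are kept."""
    by_ip = defaultdict(set)
    for a in accounts:
        by_ip[a["ip"]].add(a["handle"])
    return {ip: sorted(handles) for ip, handles in by_ip.items() if len(handles) > 1}


def cluster_coverage(records, handles):
    """Fraction of records whose touchpoints include any of the linked handles."""
    wanted = {"seller:" + h for h in handles}
    hit = sum(1 for r in records if r["touchpoints"] & wanted)
    return round(hit / len(records), 2) if records else 0.0


def pivot(compromised, baseline, accounts):
    """Run the full chain and return the analyst's working hypothesis."""
    ranking = ranked_touchpoints(compromised, baseline)
    top = ranking[0][0] if ranking else None
    top_handle = top.split(":", 1)[1] if top and top.startswith("seller:") else None
    linked = link_handles_by_ip(accounts)
    cluster = next((hs for hs in linked.values() if top_handle in hs), [top_handle] if top_handle else [])
    return {
        "top_touchpoint": top,
        "ranking": ranking,
        "linked_handles": cluster,
        "compromised_coverage": cluster_coverage(compromised, cluster),
        "baseline_coverage": cluster_coverage(baseline, cluster),
    }


if __name__ == "__main__":
    result = pivot(COMPROMISED, BASELINE, SELLER_ACCOUNTS)
    for touchpoint, share, lift in result["ranking"]:
        print(f"{touchpoint:<24} share={share:.2f} lift={lift:.2f}")
    print("linked handles:", result["linked_handles"])
    print("coverage compromised/baseline:", result["compromised_coverage"], result["baseline_coverage"])
```

On the constructed data the grocery store appears on four of five compromised cards but also on most clean cards, so its lift is below 1, while the seller handle has the same share and a lift near 5; the IP pivot then pulls in the second alias the Pennsylvania cardholder dealt with, and the two handles together cover every compromised card but only one clean one. Two cautions apply in practice: lift on a handful of cards is noisy, so the comparison needs a baseline drawn from the same issuer, region and period; and a shared IP address is weak evidence on its own (carrier NAT, VPN exits and shared households all produce it), so it is a lead to corroborate, not the attribution itself.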
The Benefits of Friction

Through these techniques, dark web threat intelligence can be a powerful tool to track infostealers and identify the victims they have affected. As the financial services industry gains deeper insight into these threats and the criminals behind them, it can take a proactive and preventative stance.
However, as these threats grow increasingly pervasive, cybersecurity has evolved into an everyday priority for everyone.
“The most basic thing from a consumer perspective is that we have to reel in our use of social media,” Goldberg said. “Social media is not just a concern for financial institutions and consumers because it’s a prime channel that’s used for spreading malware and targeting consumers for scams, it’s also used for disinformation campaigns. Everybody just needs to be skeptical of what they read and mindful of what they post on social media—that would be first and foremost.”
“Secondly, everyone needs to jump on board with the reality that it’s not going to always be convenient, and a little inconvenience and friction is good,” she said. “Moving toward an environment where we have a physical hard token key that we have to use to log into our device is just going to mean that our devices and accounts are more secure. I think that’s a direction that we’ll all be moving in.”