Security researchers at Group-IB have discovered a password-theft campaign run by Russian-speaking threat groups. The campaign leverages off-the-shelf information-stealing malware and has serious consequences for its victims. Group-IB analyzed 34 different Telegram groups that the threat actors use to organize their efforts. So far, the campaign has infected over 890,000 user devices and stolen roughly 50 million passwords, Group-IB says. The groups behind the attacks may have as many as 200 active members, who are well organized and take part in automated scam-as-a-service campaigns targeting marketplaces.
Group-IB explained that in these types of campaigns, administrators or other higher-ranking individuals hand out work to lower-ranking workers in exchange for a share of the profits. The workers are tasked with driving traffic to scam websites that masquerade as well-known companies such as tech giants. The threat actors embed links to the information-stealing malware in the comments section on YouTube, in mining software, NFT files, lucky draws, and lotteries on social media. The information-stealing malware collects victim data and forwards it to the individuals behind the campaign. Often, this includes credentials for crypto wallets, bank card details, email services, social media accounts, and gaming accounts.