Infostealer logs contain stolen data that cybercriminals trade and use to launch wide-ranging attacks. Behind the scenes, infostealers power a vast underground criminal economy that threatens businesses of all sizes.
What’s inside a stealer log? A glimpse into stolen data
Infostealer logs are records generated by malware known as infostealers.
An infostealer, or information stealer, is malware that infiltrates computers or devices to steal data such as login credentials, session cookies, browser history, bank or credit card details, and other personally identifiable information (PII).
Infostealer logs contain the data stolen from an infected device. They can be small but filled with high-value information that leaves the victim and their organisation vulnerable to attack.
How much are infostealer logs worth?
Cybercriminals buy and sell infostealer logs on the dark web.
Prices depend on market demand and the sensitivity of the data. Login credentials for a basic service might cost a few dollars. Access to a major corporate network or financial platform can command hundreds or thousands of dollars per record.
Who buys infostealer logs? Ransomware groups and brokers
The main buyers of infostealer logs are ransomware groups and initial access brokers (IABs).
IABs are middlemen who buy stolen credentials and sell them as gateways into corporate networks. Ransomware operators use the credentials to deploy their attacks, encrypt systems, and extort ransom payments from their victims.
One stolen password can unlock an entire network. This is why it’s vital to secure your organisation’s data against theft.
Where are infostealer logs traded? Inside the dark web economy
The trading is done on dark web marketplaces and underground forums, where buyers and sellers remain anonymous. Transactions are made in cryptocurrency, making them challenging for law enforcement to trace or intercept.
Criminal forums such as Genesis Market and Russian Market resemble legitimate e-commerce sites. They offer user-friendly features such as ratings and customer support.
Law enforcement agencies periodically crack down on these markets, but they never disappear. For example, Genesis Market was shut down in 2023 but was back online a few weeks later.
The danger: Infostealer logs as gateway tools for attacks
Infostealer logs are the starting point for attacks such as ransomware infections and business email compromise (BEC) scams. Attackers use stolen credentials to bypass security controls and break into corporate accounts and networks.
A single compromised account can lead to a data breach that costs the victim millions of dollars and causes severe reputational damage.
Strengthening your defences and mitigating the risk
According to Secureworks, the volume of credentials stolen using infostealers and for sale on the dark web grew by 150% between June 2022 and February 2023. Protecting your organisation against the infostealer threat is vital.
Key measures you can take include:
- Conduct regular security awareness training: Ensure everyone is aware of the danger and knows how to spot and report potential phishing messages.
- Control access to information: Apply the principle of least privilege so that people can only access the systems and data they really need for their roles.
- Use multi-factor authentication (MFA) on all your user accounts: This provides an extra layer of protection for your systems and data.
- Use a cyber threat intelligence (CTI) and credential monitoring solution: CTI solutions such as Cybercheck help you stay safe by continuously monitoring for exposed credentials and personal data, providing early warning to stop attacks before they breach your defences. If cybercriminals are trading information about you or your organisation, we immediately alert you. That means you can change passwords, block cards, and act to shut out the attackers before they make you their next victim.
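The monitoring and response steps above can be illustrated with a small triage script. This is an added example, not code from the article or from the Cybercheck product: it assumes a constructed, pipe-separated record format (`url|username|password`) standing in for a normalised stealer-log feed, a constructed organisation domain list and account directory, and it decides for each exposed credential whether it concerns the organisation, how severe the exposure is, and what response is needed. Passwords never reach the alert output; only a short hash fingerprint does, so the alerts can be filed in a ticket system without re-exposing the secret. Because stolen session cookies let an attacker skip the login altogether, every alert pairs the password reset with a session revocation.

```python
"""Defender-side triage of exposed credentials (added example).

Assumptions, not taken from the article: the feed format below is constructed
(real stealer-log layouts vary by malware family), and the organisation's
domains and account directory are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample feed: url|username|password. Passwords are dummies, and
# the third line deliberately duplicates the first to exercise deduplication.
SAMPLE_FEED = """\
https://mail.example.com/login|alice@example.com|Summer2023!
https://vpn.example.com/|bob|P@ssw0rd
https://mail.example.com/login|alice@example.com|Summer2023!
https://shop.unrelated.net/|dave@example.com|Winter2023!
https://bank.other.example/|carol@personal.example|hunter2
"""

# Constructed organisation data: owned domains, plus whether each known
# account has MFA enforced and whether it holds elevated rights.
ORG_DOMAINS = {"example.com"}
DIRECTORY = {
    "alice@example.com": {"mfa": True, "privileged": False},
    "bob": {"mfa": False, "privileged": True},
}


@dataclass
class Record:
    host: str
    username: str
    password: str


@dataclass
class Alert:
    username: str
    host: str
    severity: str
    fingerprint: str  # SHA-256 prefix of the password, never the password itself
    actions: list = field(default_factory=list)


def parse_feed(text: str) -> list[Record]:
    """Parse the constructed feed format, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count("|") != 2:
            continue
        url, user, pwd = line.split("|")
        host = (urlsplit(url).hostname or "").lower()
        records.append(Record(host=host, username=user.strip(), password=pwd))
    return records


def fingerprint(password: str) -> str:
    """Short hash used to deduplicate and correlate alerts without ever
    writing the cleartext password into a ticket or a log."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def concerns_org(rec: Record) -> bool:
    """A record matters if the service is ours, the login identity uses one of
    our domains (work e-mail reused on a third-party site), or the username is
    a known directory account."""
    host_is_ours = any(rec.host == d or rec.host.endswith("." + d) for d in ORG_DOMAINS)
    user_domain = rec.username.rsplit("@", 1)[-1].lower() if "@" in rec.username else ""
    return host_is_ours or user_domain in ORG_DOMAINS or rec.username in DIRECTORY


def triage(records: list[Record]) -> list[Alert]:
    """Turn matching records into deduplicated alerts with a severity and the
    response actions a responder should take."""
    alerts, seen = [], set()
    for rec in records:
        if not concerns_org(rec):
            continue
        key = (rec.username, rec.host, fingerprint(rec.password))
        if key in seen:
            continue
        seen.add(key)
        # Stolen cookies bypass the login, so resetting the password alone is
        # not enough: active sessions must be revoked as well.
        actions = ["force password reset", "revoke active sessions"]
        attrs = DIRECTORY.get(rec.username)
        if attrs is None:
            severity = "high"
            actions.append("account not in directory: check for shadow IT or a departed user")
        else:
            severity = "medium"
            if not attrs["mfa"]:
                severity = "high"
                actions.append("enforce MFA")
            if attrs["privileged"]:
                severity = "critical"
                actions.append("review recent privileged activity")
        alerts.append(Alert(rec.username, rec.host, severity, fingerprint(rec.password), actions))
    return alerts


if __name__ == "__main__":
    for a in triage(parse_feed(SAMPLE_FEED)):
        print(f"[{a.severity}] {a.username} on {a.host} (pw#{a.fingerprint}): {', '.join(a.actions)}")
```

Run against the sample feed, the script raises three alerts: a medium one for the MFA-protected account, a critical one for the privileged account without MFA, and a high one for a work e-mail that appears on a third-party site but is unknown to the directory; the duplicate line and the unrelated personal account produce nothing. The unknown-account branch is the one worth watching in practice, since it surfaces both shadow IT and accounts that should already have been deprovisioned.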