November 24, 2022

According to Group IB, at least 34 distinct Russian-speaking cybercrime groups targeting Amazon, PayPal, and Steam with info-stealing malware under the stealer-as-a-service model like Raccoon and Redline have collectively stolen 50,350,000 account passwords.

They also stole bank account details, cryptocurrency wallet data, and other sensitive information from victims from over 896,000 individual infections in 111 countries, with the United States, Brazil, India, Germany, and Indonesia being the most commonly targeted.

On underground forums, the stolen passwords and compromised card details are estimated to be worth around $5.8 million. Malware-as-a-service allows low-level criminals to gain access to malware, which they then use to infect victims. These attackers either pay a fee upfront for using the malware or pay the author a percentage of the profits from their attacks.

Group-IB Digital Risk Protection analysts discovered how some “workers” (low-rank online scammers) began shifting to a more dangerous criminal scheme that involves distributing info stealers by tracking the evolution of the popular scam scheme Classiscam. Furthermore, the illicit business of thieves, which is coordinated through Telegram groups, employs the same operational model as Classiscam.

Following a successful attack, the scammers either profit from the stolen data or sell it in the cybercriminal underground. RedLine is the most popular stealer among the groups studied by Group-IB, being used by 23 of the 34 gangs.

Racoon comes in second with 8 groups using this tool. Custom thieves are used in three communities. Administrators typically provide employees with both RedLine and Racoon in exchange for a portion of the stolen data or money. The malware in question, on the other hand, is available for rent on the dark web for $150-200 per month. Some groups use three stealers at the same time, while others only have one stealer.

The sources for this piece include an article in TheHackerNews.