Infostealers Replace Phishing as Attackers Target Saved Logins

Cybercriminals are shifting from fake login pages to infostealers that quietly collect saved passwords, session cookies, autofill entries and other browser data from infected devices. The malware is commonly delivered through malicious online ads, pirated or cracked software, fake browser updates, game cheats and dubious download sites.

Infostealers extract credentials, session tokens, cryptocurrency wallet details and local files directly from a user’s machine. Because they can harvest session cookies and tokens, attackers can sometimes access accounts without the account holder’s password or multi-factor authentication code.

The malware-as-a-service market has lowered the technical barrier for these operations. Underground vendors sell ready-made stealer kits, loaders and initial access services. Operators package stolen data for sale to buyers who specialize in fraud, account takeover, business email compromise or gaining initial access for ransomware. A single compromised device can yield multiple sales: one buyer may purchase logins, another session cookies, and another corporate access or wallet data.

Distribution often differs from classic phishing emails. Security researchers commonly trace infections to malvertising, downloads of pirated software, fake updates, compromised browser extensions and one-click downloads from file-hosting sites. A social engineering technique called ClickFix also appears in multiple incident reports; it convinces users to run commands or scripts that install malware, effectively turning the victim into the installer.

Operators update stealer code and rotate infrastructure and lures, and many campaigns rely on affiliate networks for distribution. Stolen browser data and session cookies are sold to downstream buyers, which creates continued demand for these tools and services on criminal marketplaces.

A former Microsoft MVP in consumer security advised several precautions: avoid clicking sponsored ads, download software only from official vendor sites or trusted app stores, do not install pirated programs or game cheats, and review browser extension permissions before installing. The expert also recommended not copying and executing commands from web pages or messages without verifying the source.

Security researchers recommend treating unsolicited links and pop-ups with caution, verifying requests by visiting a company’s official website or contacting support through known channels, and scanning devices with up-to-date security software after suspect downloads. These measures aim to reduce the chances that infostealers will reach and extract data from users’ devices.