Amazon, Roblox, and PayPal users beware: crooks are after your payment data

Russian-speaking groups are targeting users of Steam, Roblox, Amazon, and PayPal with info-stealing malware, cybersecurity solutions provider Group-IB discovered.

Group-IB analysts identified 34 active threat groups on the Telegram messaging service, with approximately 200 active members throughout 2021-2022.

The groups use info stealers, malware that collects credentials and payment information stored in browsers before passing it on to the malware operator. The data is then either used to withdraw funds from victims’ accounts or sold on cybercriminal forums.

The observed groups prefer RedLine as their go-to stealer – it’s used by 23 out of 34 gangs. The next most popular choice was Raccoon, used by eight groups. Last month, a Ukrainian national was charged for renting the Raccoon Infostealer program to threat actors.

Additionally, three groups use their own customized stealer. And while some gangs opt for only one stealer at a time, others employ two or three simultaneously.

The researchers suggest that between March 1 and December 31, 2021, such stealers managed to compromise 538,000 devices. 2022 turned out to be an even more fruitful year for cybercriminals: in the first seven months, they were able to infect over 890,000 devices in 111 countries.

The most attacked countries were the United States, Brazil, India, Germany, and Indonesia.

Overall, threat actors managed to collect over 27 million sets of passwords, 1.2 billion cookie files, 56 thousand sets of payment records, and data from more than 35 thousand crypto wallets in 2021. In comparison, those values rose to over 50 million sets of passwords, 2.1 billion cookie files, 100 thousand bank cards, and 113 thousand crypto wallets in the first seven months of 2022.

The overall value of the compromised data is estimated at $5.8 million.

Both in 2021 and 2022, cybercriminals were most interested in Amazon and PayPal credentials. Yet, over the year, the interest in passwords for gaming services (Steam, EpicGames, Roblox) in the logs has increased almost five-fold.

“The popularity of schemes involving stealers can be explained by the low entry barrier. Beginners do not need to have advanced technical knowledge as the process is fully automated and the worker’s only task is to create a file with a stealer in the Telegram bot and drive traffic to it. For victims whose computers become infected with a stealer, however, the consequences can be disastrous,” said Group-IB’s Digital Risk Protection team.

To mitigate these threats, users are advised to regularly clear cookies, avoid downloading software from suspicious sites, and refrain from saving passwords in browsers.