
Threat Insights

Cookie Stealing Malware

Information stealers, commonly known as “cookie stealers”, are a type of malware designed to extract browser data such as cookies, session tokens and saved credentials from a victim’s device. Stolen session cookies can be replayed to hijack already authenticated sessions, granting threat actors unauthorized access to systems and networks without having to log in themselves.

Cookie stealing has been a recognized threat since the early days of web security. Initially, it was often conducted through simple cross-site scripting (XSS) attacks that read the cookie from within the page. Cookie attributes such as HttpOnly and Secure limit that XSS-based theft, but they do not stop malware that reads the browser’s cookie store directly from disk. Over time, attackers have developed more sophisticated methods, leveraging malware and advanced phishing techniques to achieve their objectives.

In recent years, the distribution and sophistication of cookie stealers have evolved significantly. Modern cookie stealers are often distributed through phishing emails, malicious websites, and compromised software downloads. Attackers may use social engineering tactics to trick users into clicking on malicious links or opening infected attachments. Additionally, some malware variants are delivered via drive-by downloads, where simply visiting a compromised website is enough for malware to be downloaded, with no further action required from the viewer.

The evolution of cookie stealers has seen the incorporation of advanced evasion techniques to bypass traditional security measures. For example, some malware now uses encrypted communication channels to exfiltrate stolen data, making detection more challenging. Additionally, the use of malware-as-a-service (MaaS) platforms has lowered the barrier to entry for cybercriminals, enabling even less technically skilled attackers to deploy sophisticated cookie stealers.

Recommendation: Protecting Cookies is Protecting Identities

To mitigate the risk posed by information stealers, organizations should implement strong endpoint protection with advanced endpoint detection and response (EDR) solutions and enforce multi-factor authentication (MFA) across all critical systems. Note that MFA protects the login step; a stolen session cookie is replayed after that step has already been completed, so MFA alone does not prevent the hijacking of an existing authenticated session and should be paired with short session lifetimes and the ability to revoke sessions quickly.

Allowing personal devices that are not enrolled in EDR to access corporate networks is a risk that should be avoided, as such devices may be compromised by cookie stealing malware that extracts credentials and session cookies without anyone noticing.

Continuous monitoring for anomalous activity (for example, a single session cookie being used from two different devices at the same time), securing browser configurations and encouraging users to regularly clear cookies and cache, and regularly reviewing and updating security policies are also critical steps to reduce the risk of unauthorized access and protect sensitive data.
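The session hijack described at the top of this page and the “continuous monitoring for anomalous activity” recommendation can be turned into a concrete detection. The following is an added example, not code from the original article or from any particular product: it assumes a web application that logs one line per authenticated request with the session ID, source IP and User-Agent (the log format, field names and sample lines below are constructed for illustration), and it flags any session cookie that is used by two different clients within a short window. A lone IP change with the same browser is deliberately not flagged, since users roam between networks; the strong signal for a replayed cookie is concurrent use from two different clients.

```python
"""Detect a stolen session cookie being replayed from a second client.

Added example, not code from the original article. It assumes an
application log with one line per authenticated request in the form
    <ISO timestamp> sid=<session id> ip=<client ip> ua="<user agent>"
The format, field names and SAMPLE_LOG lines are constructed for
illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Session a1b2c3 is used by the legitimate
# browser and, one minute later, by a scripted client from another IP
# (the pattern a replayed infostealer cookie produces). Session d4e5f6
# only changes IP, two and a half hours apart, with the same browser.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z sid=a1b2c3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124"
2024-05-01T09:00:45Z sid=a1b2c3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124"
2024-05-01T09:02:10Z sid=a1b2c3 ip=198.51.100.77 ua="python-requests/2.31"
2024-05-01T09:02:30Z sid=a1b2c3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124"
2024-05-01T09:05:00Z sid=d4e5f6 ip=192.0.2.5 ua="Mozilla/5.0 (Macintosh) Safari/17"
2024-05-01T11:30:00Z sid=d4e5f6 ip=192.0.2.6 ua="Mozilla/5.0 (Macintosh) Safari/17"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    sid: str
    ip: str
    ua: str


def parse_log(text):
    """Parse log lines into Events; malformed lines are skipped rather
    than allowed to crash the detector."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, m["sid"], m["ip"], m["ua"]))
    return events


def find_hijacked_sessions(events, window=timedelta(minutes=10)):
    """Return {sid: [(ip, ua), ...]} for every session whose cookie was
    presented by two different clients (IP + User-Agent pair) within
    `window` of each other. The client list is the set of parties that
    shared the cookie, so a responder knows what to revoke and whom to
    contact."""
    by_sid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_sid[e.sid].append(e)

    alerts = {}
    for sid, evs in by_sid.items():
        for prev, cur in zip(evs, evs[1:]):
            different_client = (prev.ip, prev.ua) != (cur.ip, cur.ua)
            if different_client and cur.ts - prev.ts <= window:
                clients = alerts.setdefault(sid, set())
                clients.add((prev.ip, prev.ua))
                clients.add((cur.ip, cur.ua))
    return {sid: sorted(clients) for sid, clients in alerts.items()}


if __name__ == "__main__":
    for sid, clients in find_hijacked_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"session {sid} shared by {len(clients)} clients:")
        for ip, ua in clients:
            print(f"  {ip}  {ua}")
```

With the default ten-minute window only `a1b2c3` is reported, with both the real browser and the `python-requests` client listed; `d4e5f6` is ignored because its two requests are hours apart. Widening the window trades false positives from roaming users for earlier detection of slow replays, and the natural response to an alert is to invalidate the session server-side and force re-authentication, which is why short session lifetimes and fast revocation matter alongside this kind of monitoring.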