The relationship between our web services passwords and us has gone through three phases: that of using memory, generic solutions (such as writing them down on a piece of paper or in a note on the computer itself) or directly using – horror music – a universal password for all. Then came the password managers to facilitate the use of different keys on each website. Finally, browsers ended up integrating their own password manager and the simplicity was even greater, in addition to giving us some extra confidence: in addition to using a manager, we do it from the browser itself.
One of the last malware that have been released allows attacks to be carried out targeting specific users and extracting their login credentials saved exactly there, in the password manager integrated into browsers. Called RedLine Stealer, steals this information in Chromium-based browsers. That is, Chrome, Edge and Opera, which together comprise almost 80% of desktop users, although that does not mean that all of them use their integrated manager.
$ 200 and targeted attacks
This malware, according to the alert from ASEC, a cybersecurity company, and the alert given by Genbeta, it can be purchased for around $ 200 on the deep web and maliciously distributed to target specific targets.
According to the company, an employee of a third company who worked remotely used the integrated manager to store passwords without knowing that he had been infected with RedLine Stealer, since not even the antimalware solution that was installed on the corporate computer was able to detect its presence, which normally arrives via email, although it has also been proven that it can arrive camouflaged in any type of software. This employee suffered the theft of those credentials, which led to a hack of his company three months later.
Chromium-based browsers save the login data in a SQL database, which is the target of this malware, as well as other information in the form of cookies, autocomplete information, data from our credit cards also saved in the browser to streamline payments, etc.
The browser’s SQL file that stores the credentials is the target of this malware
The password management tool is active by default, and it is one thing not to use it, and another to disable it completely. In the first case, when you choose not to remember the passwords for that particular website, the database records that you have logged in there, but without storing the username and password. This information alone is also useful for the attacker, who knows that this user accesses that web page with their own user profile, and can lead to other types of attacks.
The file in question, in addition to storing these credentials, also records additional information, such as the date on which the session was first logged in or the number of times it was logged in. Use a dedicated password manager, like LastPass The 1Password, with the information encrypted by a master password, you should a priori increase security, although They don’t get rid of the odd scare either.