Today’s browsers have an auto-login feature that saves passwords for frequently used online services. While saving passwords in browsers is convenient, it is not a good idea. A new analysis uncovered an info-stealing malware dubbed Redline targeting web browsers like Opera, Chrome, and Edge to harvest login credentials. According to a report from AhnLab ASEC, the Redline malware campaign targets users who enable the auto-login feature on their browsers. The analysts stated that the Redline malware, also called Redline Stealer, compromised a VPN account of a company by targeting a remote employee device that saved passwords in the browser. Threat actors reportedly leveraged the leaked VPN account to hijack the company’s internal network three months later.
“The targeted employee used the password management feature provided by the web browser to save and use the account and password for the VPN site on the web browser. While doing so, the PC was infected with malware targeting account credentials, leaking accounts and passwords of various sites, which also included the VPN account of the company,” the analysts said.
Redline Available on Darknet
Active since 2020, Redline Stealer first appeared on a Russian darknet forum. The malware is peddled on the dark web for $150-$200, putting it within reach of low-skilled bad actors. In addition to the malware itself, credentials leaked using Redline are also sold on the dark web.
The main features of Redline malware include:
- Collecting and stealing information saved to browsers like login account and password, cookies, autofill, credit card information
- Collecting default system info such as the IP address of system and OS info
- Collecting hardware information such as the processor of the system, memory size, and GPU
- Collecting information of browsers and software installed in the system
- Collecting running processes and anti-malware programs installed
- Controlling target system via SOAP protocol communication
- Uploading and downloading files
- Accessing arbitrary URLs and running files
Redline Exposes 6M Records
Recently, security expert Bob Diachenko revealed that Redline Stealer malware logs containing more than 6 million records had been exposed online. His analysis found that the Redline malware campaign is the key source of stolen sensitive information traded on various cybercriminal and dark web forums.
Redline Stealer malware logs with more than 6M records were exposed online, publicly (now taken down). Internationally sourced data, exfiltrated in Sept and Aug 2021. RS is the key source of identity data sold on online criminal forums since its initial release in early 2020. pic.twitter.com/kv9MNL8hAE
— Bob Diachenko (@MayhemDayOne) December 25, 2021
Compromised credentials pose severe security threats to both organizations and users. Recently, the data breach search website Have I Been Pwned? reportedly added 441,657 unique email addresses stolen by RedLine malware operators. Data breach victims use the Have I Been Pwned? platform to check whether their email address or phone number has been compromised in any security breach. Users who find their email address exposed should update their passwords for all online accounts used on the affected device, including corporate VPNs, email accounts, and other personal accounts.
How to disable auto-login in browsers
- Click on Menu > Settings
- In the Privacy & Security section, uncheck the option “Ask to save logins for passwords and websites”
- Also uncheck the option for Autofill logins and passwords
- Uncheck Allow Windows single sign-on…
- Near Logins & Passwords, click the Saved Logins button
- Delete any login credentials that you see.
The steps above are for Firefox. If you use a different browser, you will find similar settings there; look in the Privacy & Security section under Settings or Advanced Settings.
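The clicks above turn the feature off for one user on one machine. An administrator who wants the same outcome across a fleet can enforce it through browser policy instead. The script below is an added example, not code from the article or from AhnLab; it assumes an elevated PowerShell session on Windows, Firefox installed under $env:ProgramFiles, and that Chrome and Edge are present (the policy keys are simply created if the browsers are not installed). The Firefox policy names PasswordManagerEnabled and OfferToSaveLogins, and the Chrome/Edge registry value PasswordManagerEnabled, are the browsers' documented enterprise policies; the function name Test-BrowserPasswordSavingDisabled is this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: disable browser password saving by policy on a Windows endpoint.
# Assumptions: elevated session; Firefox under $env:ProgramFiles; Chrome/Edge honour
# their HKLM policy keys. Function name is hypothetical (this example's own).

# Firefox reads enterprise policies from distribution\policies.json in its install folder.
$firefoxPolicy = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution\policies.json'
$firefoxSettings = @{
    policies = @{
        PasswordManagerEnabled = $false   # removes the Logins & Passwords feature
        OfferToSaveLogins      = $false   # same effect as unticking "Ask to save logins and passwords"
    }
}
New-Item -ItemType Directory -Force -Path (Split-Path $firefoxPolicy) | Out-Null
$json = $firefoxSettings | ConvertTo-Json -Depth 3
# Write UTF-8 without a BOM so the JSON parses cleanly.
[System.IO.File]::WriteAllText($firefoxPolicy, $json, [System.Text.UTF8Encoding]::new($false))

# Chrome and Edge share the policy name PasswordManagerEnabled under their HKLM Policies keys.
$chromiumPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)
foreach ($key in $chromiumPolicyKeys) {
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'PasswordManagerEnabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

# Verification step a defender can re-run (e.g. from a compliance check) to confirm the settings stuck.
function Test-BrowserPasswordSavingDisabled {
    $results = [ordered]@{}
    if (Test-Path $firefoxPolicy) {
        $ff = Get-Content -Path $firefoxPolicy -Raw | ConvertFrom-Json
        $results['Firefox'] = ($ff.policies.PasswordManagerEnabled -eq $false) -and
                              ($ff.policies.OfferToSaveLogins -eq $false)
    } else {
        $results['Firefox'] = $false
    }
    foreach ($key in $chromiumPolicyKeys) {
        $browser = Split-Path $key -Leaf
        $value = (Get-ItemProperty -Path $key -Name 'PasswordManagerEnabled' -ErrorAction SilentlyContinue).PasswordManagerEnabled
        $results[$browser] = ($value -eq 0)
    }
    return $results
}

Test-BrowserPasswordSavingDisabled
```

One caveat worth knowing: these policies stop the browsers from offering to save new logins and hide the password manager, but they do not purge credentials that were saved before the policy landed. The "Saved Logins" cleanup in the steps above (or the equivalent in Chrome and Edge) still has to happen, and any credential that was already on a Redline-infected machine should be treated as compromised and rotated regardless.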