Some of the most well-known online threats are malware, phishing, identity theft and other forms of fraud.
There are many types of malware, with ransomware being one of the most damaging, which businesses in particular need to be aware of. But there is also malware that often targets individuals, and one of these is password stealers or password thieves.
What are password stealers?
Password stealers are a type of malware, i.e. malicious software, that people often install on their computers by accident. Once installed, password stealers collect personal information about the person who unintentionally installed the malware. In most cases, they steal information about all your logins, including usernames and passwords, credit card details and other personal information.
They may also be designed to collect information about an infected system (connected users, network activity, installed antivirus, other software, etc.). In addition, some of these malicious programs are able to install additional malware on the computer and/or add the computer to a botnet.
Password stealers are a dangerous type of malware because they can compromise your email and bank accounts. They can steal passwords and other information from programs such as Windows, Internet Explorer, your email and other types of software. Password thieves start automatically every time Windows is loaded.
How do password stealers work?
Essentially, a password thief is similar to a banking Trojan, but instead of intercepting or replacing entered data, it usually steals information already stored on the computer. This could be your passwords and usernames stored in the browser, cookies and other files that happen to be on the hard drive of the infected device.
Hackers can get information from your accounts in many ways. An example of a password stealer is Kpot (Trojan-PSW.Win32.Kpot). It is distributed mainly through spam emails with attachments that exploit vulnerabilities (for example in Microsoft Office) to download the malware to the computer.
Hackers then transfer information about applications installed on the computer to the command-and-control server. Among the possible commands are those to steal cookies, log into different accounts and more. All the stolen information is typically recorded and stored on a file that is automatically sent to the hackers.
Why do hackers use password stealers?
Hackers make money by selling the information they collect to third parties, typically other cyber criminals. Hackers also make money by using the information to steal identities, carry out fraud, steal personal accounts and for other malicious purposes.
The stolen accounts are sometimes also used to trick other users into installing a password thief or other malware, making money transactions, etc. In this way, cyber criminals can infect other people's computers with ransomware, Trojans or other malicious software. If the infected computer is added to a botnet, the computer can be used to participate in Distributed Denial-of-Service (DDoS) attacks, send spam, steal data and more, without the computer owner knowing.
Some examples of password stealers that steal passwords and other sensitive data are Jupyter, FickerStealer, SolarSys and Covid Stealer.
Usually, password thieves run in the background of the computer system and therefore users may not be aware of their presence for a long time.
How are password stealers installed on my IT systems?
Malware is usually distributed via phishing campaigns, unofficial software activation tools ('cracking'), Trojans, dubious file/software download sources and fake software update tools. When cyber criminals attempt to distribute malware via phishing campaigns, they send emails containing malicious attachments or links to fake websites.
Software cracking tools supposedly enable the installation of legitimate software, but they install malware instead.
Trojans are other malware programs that can cause chain infections. Once a Trojan is installed on the operating system, it can install additional malware.
Password stealers and online gaming
More and more password stealers are being created specifically for online gaming accounts. They are often referred to as Steam stealers, as many of them target accounts on the world's most popular gaming service Steam. But there are also many other platforms out there, such as Battle.net, Origin, Uplay and Epic Games Store, for which password stealers are being created.
Often, this kind of password thief is installed through unsafe websites or pirated software. Hackers are well aware of people's craving for free games, and hackers exploit it through malware hidden in cracks, cheats and mods.
How to protect yourself from password thieves
The best way to protect yourself from password thieves is to have strong security on all your accounts:
- Protect your accounts with two-factor authentication. If your accounts are protected by two-factor or multi-factor authentication, cybercriminals need more than one username and password to get into an account.
- Use reliable antivirus software and regularly scan your devices for malware. If you experience problems with your computer, such as reduced computing power, always scan immediately.
- Double-check all your emails.
- Don't visit suspicious websites and never download suspicious apps.
- Never click on pop-up ads or banners.
How to remove a password stealer
If a password stealer has been installed on your device, remove/uninstall it as soon as possible.
You can do this by:
Manually deleting the file:
- Press "Ctrl" + "Alt" + "Delete" keys at the same time to open Windows Task Manager.
- Click on the "Processes" tab.
- Find the process "lpr123.exe" in the list of running processes.
- Click once on "lpr123.exe" to highlight it, and then click "End Process" to stop it from running.
Clear registry values:
- Click the "Start" menu to open, then click "Run".
- Type "regedit" in the "Run" field that is opened.
- Select "HKEY_LOCAL_MACHINE" in the left pane.
- Search for the registry value starting with: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\lpr.
- Right-click on it and delete it.
Delete the file:
- Click the "Start" menu to open it, and click "Search".
- Type "lpr123.exe" in the search box to find the file.
- Record the location of the file.
- Click the "Start" menu, then "This Computer" and then the "C:" drive.
- Find the file and delete it.
It is important that you do not restart your computer until you stop the process from running, remove the registry values and delete the files. Otherwise, the virus may replicate itself when you restart.
Use a password manager
To avoid password stealers and other kinds of malware, it is important to protect your accounts as much as possible. In addition to the ways mentioned to protect against password stealers, it's a good idea to use a password manager on your computer, smartphone and tablet.
Having a strong password that is unique to each account is one of the most basic security measures in cybersecurity. But it's pretty much impossible for most people to remember all their passwords when they're all long and complex. That's where password managers come in.
With a password manager, you can be sure that you're only using secure passwords and that you're not risking password reuse.
A password manager generates very strong passwords for all your accounts, and the password manager stores all your passwords so you don't have to remember the passwords. The only password you need to remember is your master password. This is the password you need to log in to your password manager.
Using a password manager makes it very difficult for hackers to crack passwords, as each password is a strong password that is both long and contains upper and lower case letters, special characters and symbols. The code is also very different from any other password, so a hacker can't guess your passwords by trying possible combinations of your other passwords in multiple places.
Good advice to always remember
- Remember to change passwords if your accounts have been hacked.
- Remember to add extra security to all your accounts and services, including social media and accounts that seem less important. If one of your accounts has been hacked, it is easier for hackers to access more of your accounts.
- If you're in charge of cybersecurity at your company, make sure all employees use password managers and other extra layers of security.
About the author
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.