{"id":13861,"date":"2019-08-07T11:45:20","date_gmt":"2019-08-07T15:45:20","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=13861"},"modified":"2020-03-26T18:22:37","modified_gmt":"2020-03-26T14:22:37","slug":"browser-data-theft","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/browser-data-theft\/13861\/","title":{"rendered":"How malware steals autofill data from browsers"},"content":{"rendered":"<p>Most browsers kindly offer to save your data: account credentials, bank card details for online stores, billing address, name, and passport number for travel sites, and so on. It\u2019s convenient and saves having to fill out the same forms all over again or worry about forgotten passwords. However, there is a catch: All of this autofill data can be scooped up by cybercriminals if your computer gets infected by a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/psw-trojans-password-stealing-trojans\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener noreferrer\">stealer<\/a> \u2014 a piece of malware that steals information, including from browsers.<\/p>\n<p>Such programs are becoming increasingly popular with online scammers: In the first half of this year alone, Kaspersky\u2019s security products <a href=\"https:\/\/securelist.com\/how-to-steal-a-million-of-your-data\/91855\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">detected more than 940,000 stealer attacks<\/a>. 
That is a one-third increase from the same period of 2018.<\/p>\n<p>Strictly speaking, stealers are interested in more than just browsers\u2019 autofill data \u2014 they are also looking for cryptocurrency wallets and gaming data, and they steal files from the desktop as well (we hope you don\u2019t store valuable information there, such as password lists).<\/p>\n<p>However, browsers have become a hub of work and play, including shopping, banking and more, and are often a source of far more confidential information than other programs. Let\u2019s take a look at how stealers get their thieving hands on browser data.<\/p>\n<h2>How browsers store your autofill data<\/h2>\n<p>Browser developers seek to protect the information entrusted to them. To do so, they encrypt it, and decryption is possible only on the same device and from the same account that saved it. So if someone simply steals a file with autofill data, they won\u2019t be able to use it \u2014 everything in it is securely encrypted.<\/p>\n<p>But, there\u2019s a but. By default, browser developers assume that your device and account are well protected, meaning that any program running from your account on your computer is acting on your behalf and therefore should be able to extract and decrypt saved data. Unfortunately, this also applies to malware that has penetrated the device and is running under your account.<\/p>\n<p>The only browser that offers extra protection for stored data against third parties is Firefox, which allows you to create a master password that you have to enter when you need the data to be decrypted and used for autofill. However, this option is disabled by default.<\/p>\n<h3>How malware steals data from Chrome<\/h3>\n<p>Google Chrome and other browsers based on the Chromium engine (such as Opera and Yandex.Browser) always store user data in the same place, so stealers have no problem finding it. In theory at least, this data is stored in encrypted form. 
However, if the malware has already penetrated the system, then its actions are done in your name.<\/p>\n<p>Therefore, the malware simply puts in a polite request to the browser\u2019s data encryption tool to decrypt information stored on your computer. Because requests that appear to come from the user are considered safe by default, the stealer gets all your passwords and credit card details in response.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kpm-download\">\n<h3>How malware steals data from Firefox<\/h3>\n<p>Firefox operates a bit differently. To hide password databases and more from strangers, the browser creates a profile with a random name, so the malware cannot know in advance where to look for it. However, the name of the file with the saved data does not change, so there is nothing to prevent the stealer from sifting through all profiles (the folders containing them are stored in one place) and identifying the desired file.<\/p>\n<p>After that, the malware again asks the relevant browser module to decrypt the files, and it succeeds, because it is supposedly acting on your behalf.<\/p>\n<h3>How malware steals data from Internet Explorer and Edge<\/h3>\n<p>Native Windows browsers use special storage for your data. The precise method and type of storage depend on the version of the application, but regardless, the reliability leaves much to be desired. Here, too, the malware can easily retrieve your passwords and credit card details by requesting them from storage, seemingly on your behalf.<\/p>\n<p>The problem is that the malware\u2019s request for the decryption of browser data appears to come from the user, so the browser has no reason to say no.<\/p>\n<h2>What happens to data stolen by the stealer?<\/h2>\n<p>Once the malware has the autofill data in plain text, it sends it back to cybercriminals. From there, either of two scenarios may unfold. 
The malware\u2019s handlers can use it themselves or, more likely, sell it to other malefactors on the black market, where such products are always highly prized.<\/p>\n<p>Either way, if usernames and passwords were among the stored information, the crooks will likely steal a couple of your accounts and try to finagle money out of your friends. If you saved bank card data in the browser, the losses could be more direct; your money will either be spent or transferred elsewhere.<\/p>\n<p>Stolen accounts can be used for many other purposes too, from spamming and promotion of websites or apps, to sending viruses and laundering money stolen from others (and if the police get involved, they may come knocking on your door).<\/p>\n<h2>How to protect data from stealers<\/h2>\n<p>As you can see, if malware penetrates your computer, data stored in the browser is at risk, and with it your finances and reputation. To avoid such a situation:<\/p>\n<ul>\n<li>Do not entrust important information such as bank card details to your browser for safekeeping. Instead, enter them manually each time \u2014 it takes longer but is safer. You can also store passwords in a <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">password manager<\/a>.<\/li>\n<li>If you use Firefox, you can protect browser-stored data with a master password. To do so, click on the three bars in the upper right corner of the browser and select <em>Options<\/em>, go to the <em>Privacy &amp; Security<\/em> tab, scroll down to <em>Logins and Passwords<\/em>, and select the <em>Use a master password<\/em> box. 
The browser will ask you to create this password \u2014 the <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/strong-password-day\/15291\/\" target=\"_blank\" rel=\"noopener noreferrer\">longer and more complex<\/a>, the harder it will be for attackers to crack.<\/li>\n<li>Most important: The best way to safeguard data is to prevent malware from getting onto your computer in the first place. To do so, install a <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">reliable security solution<\/a> that will keep infections at bay. No malware, no problem!<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kpm-download\">\n","protected":false},"excerpt":{"rendered":"<p>We explain how malware steals passwords and other valuable data stored in the browser \u2014 and how to protect yourself.<\/p>\n","protected":false},"author":2509,"featured_media":13862,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[1636,16,1548,21,25,187,2151,692],"class_list":{"0":"post-13861","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-browsers","9":"tag-chrome","10":"tag-edge","11":"tag-firefox","12":"tag-internet-explorer","13":"tag-passwords","14":"tag-stealers","15":"tag-trojans"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/browser-data-theft\/13861\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/browser-data-theft\/16461\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/browser-data-theft\/6426\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/browser-data-theft\/18369\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/browser-data-theft\/16511\/"},{"hreflang":"es-mx","u
rl":"https:\/\/latam.kaspersky.com\/blog\/browser-data-theft\/15131\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/browser-data-theft\/19051\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/browser-data-theft\/17761\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/browser-data-theft\/23341\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/browser-data-theft\/6326\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/browser-data-theft\/27871\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/browser-data-theft\/12223\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/browser-data-theft\/11063\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/browser-data-theft\/19891\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/browser-data-theft\/23883\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/browser-data-theft\/18825\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/browser-data-theft\/23173\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/browser-data-theft\/23107\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/passwords\/","name":"passwords"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13861","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2509"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=13861"}],"version-history":[{"count":6,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13861\/revisions"}],"predecessor-version":[{"id":16218,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/
wp\/v2\/posts\/13861\/revisions\/16218"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/13862"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=13861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=13861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=13861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}