X

Kaspersky Reports Malware That Can Steal Your Browser’s Autofill Data

    Categories: News

There's a new type of malware on the internet: “Stealers.” They're aimed at swiping the autofill information stashed in your browser window ⁠— you know, the passwords and usernames that some browsers requests you let them remember the next time you want to log in.

Granted, stealers aren't brand new. They're a type of Trojan malware, which has been around since the 90s, when they were aimed at grabbing your AOL password.

Still, Stealers are on the rise. Cybersecurity firm Kaspersky found over 940,000 stealer attacks during the first half of 2019, representing a year-over-year increase of one-third since 2018. Here's what to know about the malware, and how you can protect your autofill data.

How Stealer Malware Can Take Autofill Data

First, the good news – browser developers don't make it easy to steal autofill data. They encrypt it so that it's only accessible from the specific device and account that first entered the data. So how does a stealer get away with it? It needs to be a program running from your device, as this lets it trick the browser into decrypting your autofill data.

The exact details of the process differ depending on which browser we're talking about.

Google's Chromium engine, which powers the Google Chrome and Opera browsers among others, stores all the autofill data in a central location, letting a stealer running on a user's device decrypt it with a simple request aimed at the browser’s data encryption tool.

Firefox creates a randomized profile to hide the data within, forcing a stealer to sort through all the profiles before it can request a data decryption, while Internet Explorer and Edge use a “special storage” process that again only requires a decryption request. Kaspersky has all the details in its recent security blog post.

Why Autofill Data is a Risk

How useful is the data to these bad actors? Well, think about what information you allow your browser to store.

Bank account sign-ins and credit card numbers are examples of data that many people need to regularly enter online, and allowing your browser to autofill that data can be tempting.

And for all the workaholics out there, using your personal computer to sign into sensitive workplace accounts is another big concern.

The data will likely be sold to someone who knows how to use it, either to directly transfer funds from your account or to use your social media accounts to wheedle money from your friends and family.

How to Stay Safe from Stealer Malware

Here are the best practices to keep in mind, including one possible loophole offered by Firefox that might let you stay safe while remaining as lazy as ever.

  • Use a master password with Firefox — Just one major browser, Firefox, offers a loophole that keeps your autofill data safe. Their master password option means you'll need to set one unique password that you'll enter every time you want to use the autofill information within your browser. It's disabled by default, so you'll need to find it and turn it on: Options > Privacy & Security > Use a master password.
  • Stop using autofill when possible — Look, sometimes the simple answer is the best: Just stop using the autofill function. Or at the least, avoid it when signing into particularly sensitive accounts like your bank or credit card service.
  • Regularly prune your autofill databank — If you must use autofill, at least make sure your browser isn't storing any more information than you're using. With any of the major browsers listed above, you'll be able to access your list of autofill information and delete anything you're unlikely to use.
  • Boost your security system — You'll stay safe as long as the stealer can't access your device in the first place. A trusted and up-to-date cybersecurity service should do the job.
  • Replace autofill with a password manager — If you use a dedicated password keeper, you'll avoid the issue entirely. You'll pay a monthly fee, but the peace of mind will likely be worth it. Try visiting our list of the top services in the password manager market for more information.

In the end, the best advice is to take as few shortcuts with your sensitive data as possible. Granted, that's easier said than done, but don't mistake convenience for true security.

Find out more about staying safe online

This post was last modified on Aug 15, 2019 5:09 am