Security Firm Warns Of RedLine Malware Plucking Passwords Saved In Your Browser

Do you let your browser store logins for websites like Twitter, Facebook, or HotHardware? Well, you probably shouldn't. Not only does it let anyone who gets on your PC access your personal information, but it also opens you up to easy attacks from "info-stealer" malware.

South Korean cyber-security firm AhnLab just put out a report warning of exactly such malware, known as "RedLine Stealer." It's exactly what it sounds like: you get infected by software that steals personal data, particularly targeting credentials and log-in data. The software was developed in Russia, and it's sold for $150-$200 on cyber-crime forums.

RedLine Stealer actually showed up in the middle of last year, but it has been rapidly gaining popularity over the last few months because it's easy to deploy and highly effective. As an example, AhnLab presents the case of a customer who had his VPN account credentials stolen by RedLine. The system had a security package installed, but it did not detect the malware. Those same credentials were used to break into his company's network some three months later.

[Image: A table of RedLine Stealer's capabilities. Image: AhnLab]

This particular malware, like many others of its type, usually comes in the form of a trojan that disguises itself as a crack for popular software or a pirated version of an application. It specifically targets the password stores of Chromium-based and Gecko-based browsers, including Chrome, Edge, Brave, Firefox, Opera, and just about everything else. While this data is encrypted on disk, which protects it against theft of the files alone, malware running as the logged-in user can have it decrypted the same way the browser does, and so captures the plaintext credentials.
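Because the stealer has to open the browser's credential store from a process that is not the browser, that file access is a natural detection point. The following is an added example, not code from the article or from AhnLab, of such a check over constructed file-access telemetry: it flags any process outside a browser allowlist that opens a Chromium "Login Data" file or a Firefox logins.json / key4.db. The event field names ('image', 'target') and the allowlist are assumptions for the example, not a vendor's schema.

```python
import json
from pathlib import PureWindowsPath

# File names of the browser credential stores that info-stealers read. Chromium-based browsers
# keep saved logins in "Login Data" (newer Chrome profiles also have "Login Data For Account");
# Gecko-based Firefox keeps them in logins.json with the key material in key4.db.
CREDENTIAL_STORE_FILES = {"login data", "login data for account", "logins.json", "key4.db"}

# Processes that legitimately open those files. This allowlist is an assumption for the example;
# a real deployment tunes it to the browsers (and backup/sync tools) present in the fleet.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "firefox.exe"}


def is_credential_store(path: str) -> bool:
    """True if the file name is one of the known browser credential stores (case-insensitive)."""
    return PureWindowsPath(path).name.lower() in CREDENTIAL_STORE_FILES


def flag_credential_store_access(events):
    """Return the file-access events where a non-browser process opened a credential store.

    Each event is a dict with 'image' (path of the process) and 'target' (path of the file
    opened). These field names are an assumption about the telemetry format, not a vendor schema.
    """
    hits = []
    for ev in events:
        if not is_credential_store(ev.get("target", "")):
            continue
        image = PureWindowsPath(ev.get("image", "")).name.lower()
        if image not in BROWSER_IMAGES:
            hits.append(ev)
    return hits


# Constructed sample telemetry in JSON-lines form (not real logs). The raw string keeps the
# doubled backslashes intact so that json.loads() turns them into single Windows path separators.
SAMPLE_EVENTS_JSONL = r"""
{"image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "target": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd.default\\logins.json"}
{"image": "C:\\Users\\alice\\Downloads\\software_crack.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"image": "C:\\Users\\alice\\Downloads\\software_crack.exe", "target": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd.default\\key4.db"}
{"image": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\alice\\Documents\\notes.txt"}
"""


def load_events(jsonl: str):
    """Parse JSON-lines telemetry into event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def detect_sample():
    """Run the detection over the constructed sample and return the flagged events."""
    return flag_credential_store_access(load_events(SAMPLE_EVENTS_JSONL))


if __name__ == "__main__":
    for hit in detect_sample():
        print(f"ALERT: {hit['image']} opened {hit['target']}")
```

Run on the sample, the two reads by the downloaded executable are flagged and the browsers' own reads are not. Expect benign noise from backup agents and profile-sync tools in a real fleet; those belong in the allowlist, not in a broader exclusion of the credential-store paths.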

Interestingly, even if you decline to save your password data, Chromium-based browsers will record the site in the "Login Data" database. The purpose of this is apparently to blacklist the site from having its login data stored, but while that will prevent RedLine Stealer from getting your password, it still tells the malware operator that you have an account on that site. From there, they could use social engineering (like phishing) or credential stuffing to attack the user's account.
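To see what the "Login Data" file gives away even for sites where you clicked "Never save", here is an added example, not code from the article or from the browser projects, that audits such a file. It builds a constructed, simplified copy of Chromium's logins table (the real one has many more columns) in a temporary directory and reports each origin as "saved" or "declined" using the blacklisted_by_user column; the password blobs are placeholders and are never read.

```python
import os
import sqlite3
import tempfile

# Constructed, simplified copy of the "logins" table in Chromium's "Login Data" SQLite file.
# The real table has many more columns; only the ones this check reads are included.
SCHEMA = """
CREATE TABLE logins (
    origin_url          TEXT    NOT NULL,
    username_value      TEXT,
    password_value      BLOB,
    blacklisted_by_user INTEGER NOT NULL DEFAULT 0
)
"""

# Constructed sample rows (fictitious .test hosts). The password blobs are opaque placeholders;
# nothing in this example attempts to decrypt them.
SAMPLE_ROWS = [
    ("https://social.example.test/login", "alice", b"<encrypted placeholder>", 0),
    ("https://bank.example.test/signin", "", b"", 1),  # user clicked "Never save": row still written
    ("https://forum.example.test/", "alice", b"<encrypted placeholder>", 0),
]


def create_sample_login_data(path: str) -> None:
    """Write the constructed database to `path` so the audit has something to read offline."""
    con = sqlite3.connect(path)
    con.execute(SCHEMA)
    con.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def exposed_sites(path: str):
    """Return {origin_url: 'saved' | 'declined'} for every row in a Login Data file.

    Both kinds of row reveal that an account exists at that origin; only 'saved' rows also
    carry an encrypted password. Passwords are never read here.
    """
    con = sqlite3.connect(path)
    rows = con.execute("SELECT origin_url, blacklisted_by_user FROM logins").fetchall()
    con.close()
    return {url: ("declined" if blacklisted else "saved") for url, blacklisted in rows}


def audit_sample():
    """Build the sample database in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Login Data")
        create_sample_login_data(path)
        return exposed_sites(path)


if __name__ == "__main__":
    for url, state in sorted(audit_sample().items()):
        print(f"{state:8s} {url}")
```

The declined entry for the bank site shows up in the output alongside the saved ones, which is exactly the account-existence leak the article describes. To audit a real profile, copy the file first, since the browser keeps it locked while running, and clear the "never saved" list from the browser's password settings if you would rather it not be recorded at all.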

It's probably not news to regular HotHardware readers, but the safest thing to do with your passwords is to stick them in a dedicated password manager like 1Password. That way your credentials get a second layer of security with your master password. You should also make sure you have two-factor authentication enabled everywhere you can.