www.bleepingcomputer.com
Effective URL: https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-passwords-shouldnt-be-saved-in-browsers/
Submission: On January 30 via api from BE — Scanned from DE


REDLINE MALWARE SHOWS WHY PASSWORDS SHOULDN'T BE SAVED IN BROWSERS

By

BILL TOULAS

 * December 28, 2021
 * 01:07 PM
 * 6

The RedLine information-stealing malware targets popular web browsers such as
Chrome, Edge, and Opera, demonstrating why storing your passwords in browsers is
a bad idea.

This malware is a commodity information-stealer that can be purchased for
roughly $200 on cyber-crime forums and deployed without requiring much
knowledge or effort.

A new report by AhnLab ASEC warns that the convenience of the browsers'
auto-login feature is becoming a substantial security problem for both
organizations and individuals.

In an example presented by the analysts, a remote employee lost VPN account
credentials to RedLine Stealer actors who used the information to hack the
company's network three months later.

Even though the infected computer had an anti-malware solution installed, it
failed to detect and remove RedLine Stealer.

The malware targets the 'Login Data' file found in the profile directory of
every Chromium-based browser: an SQLite database in which saved usernames and
(encrypted) passwords are stored.

Credentials stored in a database file
Source: ASEC

Browser password stores are encrypted, including those used by Chromium-based
browsers, but information-stealing malware can programmatically decrypt the
store as long as it runs in the context of the same user who saved the
credentials. Because RedLine runs as the infected user, it can extract the
passwords from that user's browser profile.

"Google Chrome encrypts the password with the help of the CryptProtectData function,
built into Windows. Now while this can be a very secure function using a
triple-DES algorithm and creating user-specific keys to encrypt the data, it can
still be decrypted as long as you are logged into the same account as the user
who encrypted it," explains the author of the 'chrome_password_grabber' project.

"The CryptProtectData function has a twin, who does the opposite to it;
CryptUnprotectData, which... well you guessed it, decrypts the data. And
obviously this is going to be very useful in trying to decrypt the stored
passwords."

Even when users refuse to store their credentials in the browser, the password
manager still adds an entry recording that the particular website is
"blacklisted" (never save).

While the threat actor may not have the passwords for this "blacklisted"
account, it does tell them the account exists, allowing them to perform
credential stuffing or social engineering/phishing attacks.

Features of the RedLine Stealer
Source: ASEC

After collecting the stolen credentials, threat actors either use them in
further attacks or attempt to monetize them by selling them on dark web
marketplaces.

An example of how popular RedLine has become among hackers is the rise of the
'2easy' dark web marketplace, where half of all the data sold was stolen using
this malware.

Another recent case of RedLine distribution is a website contact form spamming
campaign that uses Excel XLL files that download and install the
password-stealing malware.

It's like RedLine is everywhere right now, and the main reason behind this is
its effectiveness in exploiting a widely-available security gap that modern web
browsers refuse to address.


WHAT TO DO INSTEAD

Using your web browser to store your login credentials is tempting and
convenient, but doing so is risky even without malware infections.

By doing so, a local or remote actor with access to your machine could steal all
your passwords in a matter of minutes.

Instead, it would be best to use a dedicated password manager that stores
everything in an encrypted vault and requests the master password to unlock it.

Moreover, you should configure specific rules for sensitive websites such as
e-banking portals or corporate asset webpages, requiring manual credential
input.

Finally, activate multi-factor authentication wherever this is available, as
this additional step can save you from account take-over incidents even if your
credentials have been compromised.

Updated 12/29/21: Added more technical details on how passwords can be stolen.


RELATED ARTICLES:

New RedLine malware version spread as fake Omicron stat counter

Have I Been Pwned adds 441K accounts stolen by RedLine malware

Malicious Excel XLL add-ins push RedLine password-stealing malware

Malicious PowerPoint files used to push remote access trojans

2easy now a significant dark web marketplace for stolen data


 * Information Stealer
 * Malware
 * RedLine
 * Web Browser

 * Facebook
 * Twitter
 * LinkedIn

 * Email
 * 



BILL TOULAS

Bill Toulas is a technology writer and infosec news reporter with over a decade
of experience working on various online publications. An open source advocate
and Linux enthusiast, is currently finding pleasure in following hacks, malware
campaigns, and data breach incidents, as well as by exploring the intricate ways
through which tech is swiftly transforming our lives.

COMMENTS

 * GISDUDE - 1 MONTH AGO
   
   This brings me back to my original question: 1. Use a password manager (i.e.
   LastPass)? 2. Use the browser's built-in password manager? You can't keep up
   with this.

 * DUT - 1 MONTH AGO
   
   And password managers are also targeted by malware with scary success rates;
   what's new?
   
   The worst is having external password manager software that is also
   masquerading as 2FA. It's gonna take a lot of time to get your digital persona
   back if something happens (db corruption / ransomware), and eventually you're
   gonna use the browser anyway to recover from the cloud.
   
   The built-in password manager in the browser has come a long way, at least
   that's the case with Firefox. I'm sure all of them also feature a master
   password, cloud saving, etc. External ones might actually be
   counter-productive, and their hook/plugin a security issue to the browser in
   itself.

 * DOMINIQUE1 - 1 MONTH AGO
   
   I always knew that this feature was trouble, and now I see how easy it is to
   get to the info. Another thing I hate being saved, especially in the browser:
   credit card numbers. :facepalm:

 * ASCARIS5 - 4 WEEKS AGO
   
   "and the main reason behind this is its effectiveness in exploiting a
   widely-available security gap that modern web browsers refuse to address."
   
   No... GOOGLE refuses to address it. People have been asking Google for a
   master password feature forever, and Google's told them "No, you can't have
   it, so stop asking."
   
   Firefox has had the ability to set a master password that can relock instantly
   or after a user-defined period for years and years. If you use something
   Google, well...

 * MRSLEEP - 3 WEEKS AGO
   
   "If you use something Google, well..."
   
   And thanks to Chromium that's everything but Firefox now.

 * DSPRG - 3 WEEKS AGO
   
   I wonder if passwords stored in browsers running on Linux operating systems
   are just as vulnerable.
   
   Googling with that doubt, I came here. I see that the author is a Linux
   enthusiast. Regards.
