
Infostealers Are Silently Siphoning Businesses’ Sensitive Data

Threat actors accessed millions of guests’ personal information from several well-known hotels and resorts after a hotel management platform experienced a data breach. How did it happen?

Threat actors used an “infostealer” to breach the hotel platform’s computer systems and access sensitive credentials from its cloud storage, subsequently compromising eight gigabytes of customer data from the world’s most prominent hotels.

This attack illustrates a growing trend of cyber criminals using stolen credentials to loot sensitive data en masse. In 2024, nearly a quarter of all incidents began with an infostealer capturing private information.

In this edition, we’re unpacking how infostealers work, what businesses can do to mitigate their risk, and Coalition’s approach to working hands-on with impacted policyholders.

What are infostealers, and how do they operate?

Information-stealing malware, commonly referred to as infostealers, is delivered through social engineering attacks to infect devices and collect sensitive information for threat actors to monetize. 

Hundreds of infostealer variants are currently being deployed in the wild to extract data from compromised business systems. Here’s how they typically work: 

1. Infostealer delivery

Threat actors often use phishing emails to prompt employees to click attachments, like invoices or documents, initiating a download of malicious files. 

Other popular methods of infection include malicious websites, malvertising, and infected software. During last year’s CrowdStrike outage, for example, threat actors exploited the immediate fallout by distributing a fake recovery manual that carried infostealer malware.

2. Sensitive data harvesting

Once downloaded, the malware starts logging the employee’s activity and sending it back to the threat actors. A keylogger, for example, records every keystroke the employee makes; threat actors later sift through this data to extract passwords, credit card numbers, and other sensitive information.

Alternative approaches to data collection include:

  • Form grabbing: Intercepts data submitted on web forms before the browser encrypts it, capturing credentials and credit card information from e-commerce pages or online banking accounts

  • Screen capturing: Bypasses the limitations of text-based extractions by taking screenshots of an employee’s screen when triggered

  • Clipboard hijacking: Monitors or replaces clipboard content to capture account numbers or passwords

  • Browser session hijacking: Steals session cookies from a browser, which permits cyber criminals to impersonate an employee’s online session without needing to enter a username and password
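A server-side mitigation for the session-cookie theft described above, as an added example that is not code from the original post: each session is bound at login to a fingerprint of the client context, and a cookie replayed from a different context is rejected and flagged. The in-memory store, the 15-minute TTL and the IPv4 /24 prefix tolerance are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory session store for the example; a real deployment would
# keep the same fields in a server-side store such as a database or cache.
SESSION_TTL_SECONDS = 15 * 60
_sessions: dict = {}

def _fingerprint(user_agent: str, client_ip: str) -> str:
    # Bind to the /24 prefix rather than the full address so that ordinary
    # NAT and roaming changes do not log users out (assumption: IPv4 clients).
    prefix = client_ip.rsplit(".", 1)[0]
    return hashlib.sha256(f"{user_agent}|{prefix}".encode()).hexdigest()

def create_session(user: str, user_agent: str, client_ip: str) -> str:
    """Issue an unguessable session token bound to the login-time client context."""
    token = secrets.token_urlsafe(32)
    _sessions[token] = {
        "user": user,
        "fp": _fingerprint(user_agent, client_ip),
        "expires": time.time() + SESSION_TTL_SECONDS,
    }
    return token

def validate_session(token: str, user_agent: str, client_ip: str) -> tuple:
    """Return (user, reason); user is None when the presented cookie is rejected."""
    rec = _sessions.get(token)
    if rec is None:
        return None, "unknown_session"
    if time.time() > rec["expires"]:
        _sessions.pop(token, None)
        return None, "expired"
    if not hmac.compare_digest(rec["fp"], _fingerprint(user_agent, client_ip)):
        # The cookie arrived from a client context other than the one that logged
        # in, the typical footprint of a stolen cookie being replayed. Invalidate
        # it so the legitimate user must re-authenticate, and surface the event.
        _sessions.pop(token, None)
        return None, "context_mismatch"
    return rec["user"], "ok"
```

A "context_mismatch" result is worth routing to the detection pipeline as well as failing the request, since it is one of the few server-side signals that a valid cookie is in someone else's hands.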


3. Exfiltration and distribution 

Through a server operated by the threat actor, an attacker receives large volumes of data and puts the resulting database up for sale on an underground forum. An employee’s credentials are now available on the dark web.

“Infostealers often feed a role referred to in the cybercrime landscape as an Initial Access Broker (IAB),” said Joe Toomey, Coalition’s Head of Security.  “An IAB gains access to company systems through a variety of mechanisms including infostealers, verifies that the access is functional, and then sells that access to other cyber criminals such as ransomware groups.”

Creating a supply chain for cyber attacks

While infostealers are lucrative for threat actors looking to sell information on the dark web, they also serve as a foothold for ransomware actors moving laterally through an organization’s network once a device has been compromised with malware. 

Last summer, threat actors executed a large-scale campaign targeting Snowflake®, a cloud-based storage company. The twist? There was no sophisticated hack, and Snowflake was never breached. Yet, at least 165 Snowflake customers were impacted.

Using login credentials stolen via infostealer malware, threat actors exfiltrated data from large enterprises that had not enabled MFA on their Snowflake accounts; without a second factor, the stolen credentials alone gave threat actors legitimate access to victims’ Snowflake instances. Once inside, threat actors attempted to extort victim organizations directly or advertised stolen customer data for sale on cyber criminal forums.

Infostealers are an increasingly important piece of the cybercrime ecosystem. Nearly a third of companies that fell victim to ransomware last year had at least one infostealer infection in the months prior to the attack. And due to the rise of malware-as-a-service (MaaS), less tech-savvy hackers can still participate in the compromised data economy.

Marketplaces and encrypted channels rich with sensitive information lower the barrier of entry for cybercrime, streamline a ransomware operator’s job by delivering the details of potential victims on a silver platter, and encourage downstream attacks for maximum profit. 

How businesses can reduce their risk

Security awareness training (SAT)

To limit opportunities for infostealer deployment, businesses should train employees on the red flags of phishing attempts and malicious downloads.

Education works: Security awareness training can reduce cyber risks by up to 60% in the first 12 months. 

Managed detection and response (MDR)

Endpoint detection solutions monitor corporate devices for signs of suspicious activity, including malware. However, small and midsize businesses (SMBs) may be overwhelmed by the high volume of alerts.

MDR provides 24/7 monitoring from security experts (without any additional headcount) so that infostealers can’t make it far without intervention. 


Multi-factor authentication (MFA)

None of the customers impacted by the Snowflake incident had proper MFA protections in place. Businesses should implement MFA across all vital technologies, such as email and cloud storage. 

When additional authentication factors are required, attackers can’t get far with compromised credentials alone. For increased protection, businesses should consider FIDO2, which uses biometric factors or hardware keys to tie authentication to the user's device.

"Infostealers represent the perfect storm of today's threats by targeting both technology and human behavior. The days of siloed security tools are over,” said Alok Ojha, Head of Products, Security at Coalition. “Our data tells us that the most resilient businesses integrate security awareness with active threat monitoring in one seamless defense.” 

Helping policyholders navigate credential theft 

We regularly monitor data leaks in online forums and on the dark web to help policyholders spot issues early.

Threat actors advertise repositories of stolen data sourced from infostealers. We’re able to locate passwords and email addresses associated with a policyholder's domain on these databases and, through scanning technology, can detect which assets are compromised. If a policyholder’s credentials are discovered, we issue an alert through Coalition Control®.

“Being alerted about recently leaked or stolen credentials is a key differentiator for Coalition, as most companies are otherwise unaware that their credentials may be in the possession of threat actors or available for sale on the dark web,” said Toomey. 

This alert is only triggered for data detected by Coalition in data leaks from the past 30 days, which means stolen credentials are likely to still be valid and in use. 

“The convergence of insurance and proactive security creates a feedback loop where each incident informs stronger defenses, ultimately breaking the cycle of compromise that threat actors rely on,” said Ojha. 

Coalition Incident Response (CIR)* works hands-on with policyholders dealing with stolen credentials to remediate the issue, which may include acquiring breach response services, implementing MFA, and rotating credentials. Through Control, policyholders can also view technical details of the alert, including the compromised account, infected file path and IP addresses for devices that may be infected. 
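The matching logic behind the alerting described above, as an added illustration that is not Coalition's own code: constructed leak records in a simple tab-separated layout are filtered to a policyholder's domain and a 30-day window, deduplicated, and turned into alerts carrying the compromised account, infected file path and device IP. The record format, the sample data and the exact alert fields are assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample of leak records, one per line, tab-separated as
# seen_date, email, infected_file_path, device_ip. Real stealer-log dumps vary
# widely; this layout is an assumption for the example.
SAMPLE_LEAK = """\
2025-02-10\talice@example-policyholder.com\tC:\\Users\\alice\\AppData\\Local\\Temp\\update.exe\t203.0.113.7
2024-11-01\tbob@example-policyholder.com\tC:\\Users\\bob\\Downloads\\invoice.scr\t198.51.100.9
2025-02-12\tcarol@unrelated.example\t/home/carol/.cache/setup.bin\t192.0.2.4
2025-02-10\tALICE@Example-Policyholder.com\tC:\\Users\\alice\\AppData\\Local\\Temp\\update.exe\t203.0.113.7
"""

def parse_records(text: str) -> list:
    """Parse the leak dump; emails are normalised so re-posts of a record match."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seen, email, path, ip = line.split("\t")
        records.append({"seen": date.fromisoformat(seen),
                        "email": email.strip().lower(), "path": path, "ip": ip})
    return records

def alerts_for_domain(records: list, domain: str, today_iso: str, window_days: int = 30) -> list:
    """Return one alert per compromised account/device seen within the window."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=window_days)
    domain = domain.lower()
    seen_keys = set()
    alerts = []
    for r in records:
        if r["email"].rsplit("@", 1)[-1] != domain:
            continue  # credential belongs to some other organisation
        if r["seen"] < cutoff:
            continue  # outside the window: likely stale, kept out to cut noise
        key = (r["email"], r["path"], r["ip"])
        if key in seen_keys:
            continue  # same record republished on another forum
        seen_keys.add(key)
        alerts.append({"account": r["email"], "infected_file": r["path"],
                       "device_ip": r["ip"], "seen": r["seen"].isoformat()})
    return alerts
```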

To defend against evolving risks like infostealers, businesses can track real-time alerts through Coalition Control and prevent cyber threats with the help of Coalition Security.


This article originally appeared in the February 2025 edition of the Cyber Savvy Newsletter. Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most up-to-date and noteworthy topics in cyber insurance.


*Coalition Incident Response, Inc., is a wholly owned affiliate of Coalition.
