The shockingly low cost of password hacking exposed.
A new hacking tool is proving popular with password hackers for very good reason: it provides everything they need to go on a browser-based credentials hunt for what is, all things considered, a bargain basement price. It’s not only your passwords they can steal, but a whole bunch of other stuff as well: cryptocurrency keys, private messaging tokens and browser session data, for example.
Password Hackers Can Use The Katz Infostealer Service For As Little As $30 Per Month
Microsoft has given users of its Authenticator app until August 1 to save their passwords as it looks to switch users to its Edge browser. The same tech giant, which, along with others such as Google, is also trying to get users to switch to passkey technology en masse. This is hardly surprising given that passwords are so insecure, and attackers look to exploit them at every turn. While I can support the change to passkeys, I’m not so sure about moving passwords from dedicated password management apps to web browsers. If you want to know why, look no further than the newly published analysis of the Katz infostealer malware-as-a-service threat.
Jim Walter knows more than a thing or two about the revolving trend and tactics employed by cybercriminals. As a senior threat researcher with SentinelOne, specializing in uncovering and analyzing emerging cybercrime services, Walter has just published an in-depth look at the Katz password hacking threat.
Launched earlier this year, Katz Stealer is described by Walker as a feature-rich infostealer that has quickly gained attention within password hacking circles. Marketed through all the usual cybercrime forums, and on the surface through groups on networks such as Discord and Telegram, Katz is packed to the gills with credential and data theft capabilities, alongside an impressive suite of detection-evading features. “The turnkey nature of the Katz Stealer service, along with accessible pricing,” Walter said, “has led to rapid adoption by threat actors across the spectrum of capability.”
Low Cost Of Entry For Password Hackers
Ah, yes, the pricing. Remember, this is password theft as a service, so hackers have to pay for the privilege of using Katz, but the payouts are obviously well worth the relatively small investment. With prices starting at $50 per month, this drops to as low as $30 for a 12-month commitment.
The low cost of Katz Stealer rental revealed.
For this, threat actors get access to a web-based management panel, which also operates as the back-end for the infostealer, so that exfiltrated data can be processed and searched.
Katz Stealer management panel.
“The infostealer can harvest data from all commonly used web browsers,” Walter said, including Chrome, Edge, Brave, Firefox and various Chromium/Gecko-offshoots. “Saved passwords, login session cookies, saved session tokens, autofill data (including stored credit card CVV data) are all targeted.”
Walter also warned that despite Google introducing application-bound encryption to Chromium in 2024, which effectively “ties the decryption of stored passwords and cookies to the logged-in OS user,” the Katz Stealer can bypass this by “programmatically masquerading as the browser once injected.”
I have approached Brave, Google, Microsoft and Mozilla for a statement. In the meantime, I would recommend taking note Walter concluded that “Katz Stealer still relies on social engineering and user interaction to enable a successful compromise.” You know what to do then; be careful out there, don’t fall for those social engineering tricks and don’t click on things when you cannot be 100% sure where they lead. The password hackers are relying upon you not to follow this advice.