
Nasty malware stealing Amazon, Facebook and Google passwords — protect yourself now

[Image: hacker] (Image credit: Gerd Altmann from Pixabay)

We at Tom’s Guide have tried to stress over the years that if you want software, you should just buy it. It's a lot cheaper than having all of your online credentials stolen. 

A new piece of malware called CopperStealer is lurking in “cracked” software downloads available on pirated-content sites, and the malware can compromise your login info for Amazon, Apple, Facebook and Google, among other services.

This information comes courtesy of Proofpoint, a security firm based in Sunnyvale, California. In a blog post yesterday (March 19), Proofpoint employees detailed their investigation of CopperStealer, including how it’s distributed and what it does. 

Notably, CopperStealer runs on the same basic principles as SilentFade, a pernicious piece of malware that ravaged Facebook accounts back in 2019.

First things first: If you don’t want CopperStealer to infect your computer, don’t download items from cracked software or keygen sites. That’s really all you have to do. 

CopperStealer appears to be targeting people exclusively through popular keygen or software-cracking download sites, so there’s no risk to users who buy their software through legitimate (or even gray-market) means.

If you’re one of the unfortunate thieves who got stuck with CopperStealer, there is still hope. CopperStealer is not particularly sophisticated malware and any of the best antivirus programs will make short work of it. 

You will have to change pretty much all of your online passwords, however, particularly if you tend to reuse passwords on multiple sites.

Tom's Guide also recommends activating two-factor authentication (2FA) for any online account that offers the option. While a very dedicated cybercriminal can work around this, 2FA at least gives you a second line of defense if someone steals your password. That should give you enough time to change it before things get really bad.

How CopperStealer works

Here’s how CopperStealer works. First, a cash-strapped user visits a prominent cracked-software or keygen site. Then they try to download a piece of cracked software or a keygen program.

(“Keygen” is short for “key generation.” Most legitimate paid software requires a product key to run. If you can create a convincing fake key, it’s often as good as the real thing.)

Instead of (or in addition to) Windows 10 or Photoshop, however, they'll find themselves saddled with CopperStealer — not that they’d necessarily know it. 

The program runs in the background and combs through your web browsers for login information and user access tokens. CopperStealer can target Chrome, Edge, Yandex, Opera and Firefox, although Safari doesn’t appear to be a potential target.

Proofpoint did not provide an exhaustive list of login information that CopperStealer can discover. However, accounts for Apple, Amazon, Bing, Google, PayPal, Tumblr and Twitter are all at risk, as well as Facebook.

Since most of these services have payment options, it would not take a particularly enterprising criminal to steal credit-card information, or at least make a few unauthorized purchases. (All also have 2FA options to protect your account even if your password is stolen.)

CopperStealer has one additional nasty trick up its sleeve — a “downloader” function to install additional malware without the user’s knowledge. The usual choices would include keyloggers, ransomware, viruses and programs that can draft your PC into a cryptocurrency-mining botnet.

The good news is that Proofpoint has collaborated with Cloudflare, a company that provides network and security services to hundreds of major websites, to disrupt the flow of CopperStealer malware. 

But we wouldn’t get too comfortable on cracked software sites in the meantime. Security firms and cybercriminals are in a constant arms race, and the next ubiquitous malware distribution method is probably right around the corner.