The change marks a significant turn in online fraud tactics. Classic phishing pages still imitate banks, cloud services, delivery firms and workplace platforms, but attackers are increasingly using emails, search ads, fake software installers, messaging apps and compromised websites to deliver infostealer malware. Once installed, these tools can collect far more than a single password typed into a fraudulent page.
Security teams say the appeal is clear. A fake login page depends on a victim entering credentials and may be blocked by multi-factor authentication, takedowns or browser warnings. Infostealers work differently. They target the device itself, harvesting stored browser credentials, authentication cookies, autofill data, screenshots, files, system details and tokens that can sometimes allow criminals to bypass login prompts altogether.
The tactic has become central to identity-led cybercrime. Stolen credentials remain one of the most common entry points for network breaches, while infostealer logs are widely traded in underground markets by brokers who package access for ransomware groups, fraud crews and business email compromise operators. Data taken from one personal or work device can be used to reach cloud dashboards, corporate mailboxes, code repositories, finance portals and customer databases.
Several malware families have become prominent in this market, including RedLine, Raccoon, Vidar, Lumma, Stealc and Atomic macOS Stealer. Their operators often sell access through malware-as-a-service models, lowering the technical barrier for less skilled criminals. Buyers can subscribe to panels, receive stolen logs automatically and filter victims by geography, organisation, browser, wallet type or corporate domain.
Campaigns have also expanded beyond Windows. macOS users are being targeted through fake productivity tools, poisoned search results, malicious advertising and social engineering prompts that trick users into running commands or approving system access. Atomic macOS Stealer has become one of the best-known examples, with attackers using branded installers and convincing prompts to capture passwords, keychain data and cryptocurrency wallet information.
Phishing emails remain an important delivery route, but the message content has changed. Instead of directing every target to a spoofed sign-in page, attackers increasingly push users towards downloading a file, opening a shared document, installing a browser update, joining a fake meeting, resolving a supposed security issue or completing a software verification step. The aim is to create enough trust and urgency for the victim to execute the malware.
Artificial intelligence is adding scale to the shift. Attackers are using automated tools to draft more convincing messages, localise lures, rotate domains and test wording against email defences. Security filters that once relied heavily on spotting poor grammar, suspicious templates or known phishing kits face a harder challenge when messages are cleaner, more personalised and linked to fast-changing malware infrastructure.
For businesses, the risk is no longer confined to an employee losing a password. Infostealer infections can expose personal and corporate identities at the same time, particularly on devices used for hybrid work. A single compromised browser profile may contain access to email, internal applications, cloud storage, password managers, collaboration tools and financial services. Session cookies and refresh tokens are especially valuable because, when replayed from the attacker's own machine, they resume an already-authenticated session without a login prompt or a second factor, so they can preserve access even after passwords are changed unless the sessions themselves are revoked.
The underground market has adapted around that value. Criminal forums and automated shops list logs from infected machines, often priced cheaply enough to encourage bulk buying. Initial access brokers then use the data to identify corporate accounts that can be exploited for fraud, espionage, extortion or ransomware deployment. This creates a supply chain in which a low-level infection can later become a major enterprise incident.
Defence strategies are also changing. Traditional anti-phishing training remains useful, but it cannot address the full threat if employees are being pushed into malware execution rather than simple credential submission. Organisations are placing greater emphasis on endpoint detection, browser security, application control, token revocation, device posture checks and continuous monitoring for stolen credentials appearing in criminal markets.
Multi-factor authentication remains important, but security specialists warn that it must be combined with phishing-resistant forms of it and stronger session controls. Hardware security keys, passkeys, conditional access policies, rapid token invalidation and alerts for impossible travel or unfamiliar devices can limit the usefulness of stolen credentials. Password resets alone may not be enough if cookies and tokens remain valid; a reset should be paired with revocation of every session issued before it.
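The two session controls mentioned above, spotting a replayed cookie through impossible travel or a changed device fingerprint, and refusing sessions issued before the last password change, can be illustrated with a small detector run over constructed authentication logs. This is an added example written for this article, not code from any product or vendor named in it; the user names, session identifiers, IP addresses, coordinates, timestamps and the 900 km/h travel threshold are all invented for the demonstration.

```python
"""Constructed example: detect replay of a stolen browser session and
enforce session invalidation after a password reset.

Added illustration for this article; not code from any named vendor.
All log records, field names and thresholds below are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumption: no legitimate user moves faster than a commercial airliner.
MAX_SPEED_KMH = 900.0


@dataclass(frozen=True)
class AuthEvent:
    """One authenticated request as an identity provider might log it."""
    ts: datetime
    user: str
    session_id: str
    ip: str
    lat: float
    lon: float
    user_agent: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def find_session_anomalies(events):
    """Return (session_id, reason) pairs for sessions whose successive uses
    imply impossible travel or a change of browser fingerprint.

    A cookie lifted by an infostealer is normally replayed from the
    attacker's machine, which shows up as exactly these two signals."""
    anomalies = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last_seen.get(ev.session_id)
        if prev is not None:
            if ev.user_agent != prev.user_agent:
                anomalies.append((ev.session_id, "user-agent changed"))
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            if dist > 0 and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                anomalies.append(
                    (ev.session_id, f"impossible travel {dist:.0f} km in {hours:.2f} h"))
        last_seen[ev.session_id] = ev
    return anomalies


@dataclass(frozen=True)
class Session:
    session_id: str
    user: str
    issued_at: datetime


def is_session_valid(session, password_changed_at, now, max_age_hours=12):
    """A password reset helps only if sessions issued before it are rejected;
    otherwise a stolen cookie keeps working after the reset."""
    if password_changed_at is not None and session.issued_at < password_changed_at:
        return False
    return (now - session.issued_at).total_seconds() <= max_age_hours * 3600


def _t(hour, minute):
    # Constructed timestamps on one arbitrary day.
    return datetime(2025, 1, 15, hour, minute, tzinfo=timezone.utc)


# Constructed log: alice's cookie is used from London, then half an hour
# later from Sao Paulo with a different browser string (replay). bob's
# session moves a few kilometres across London with the same browser.
SAMPLE_EVENTS = [
    AuthEvent(_t(9, 0), "alice", "s-1", "203.0.113.10", 51.5074, -0.1278, "Chrome/120 Windows"),
    AuthEvent(_t(9, 30), "alice", "s-1", "198.51.100.7", -23.5505, -46.6333, "Chrome/118 Linux"),
    AuthEvent(_t(10, 0), "bob", "s-2", "203.0.113.20", 51.5074, -0.1278, "Firefox/121 Windows"),
    AuthEvent(_t(10, 20), "bob", "s-2", "203.0.113.21", 51.5200, -0.1000, "Firefox/121 Windows"),
]

if __name__ == "__main__":
    for sid, reason in find_session_anomalies(SAMPLE_EVENTS):
        print(f"ALERT session {sid}: {reason}")
    stale = Session("s-1", "alice", _t(8, 55))
    print("s-1 valid after reset:", is_session_valid(stale, _t(9, 45), _t(10, 0)))
```

The detector keys on the session identifier rather than the user, because a replayed cookie is the same session seen from two places, which is a stronger signal than two separate logins by one user. The validity check treats the password-change time as a floor on acceptable issue times, which is the "rapid token invalidation" the article refers to in its simplest form.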
Consumers face similar exposure. Saving passwords in browsers, reusing credentials across sites and installing software from ads or unofficial portals increase the damage an infostealer can cause. Security hygiene now depends on verified downloads, updated operating systems, reputable endpoint protection, unique passwords, passkeys where available and caution over prompts that ask users to disable protections or run commands.
Law-enforcement action against malware markets has disrupted parts of the ecosystem, but the model has proved resilient. When one marketplace or malware operation is taken down, new vendors and rebranded tools often appear. The broader shift towards identity theft, session hijacking and access resale suggests phishing will remain a major threat, but its most damaging form is increasingly less visible than a fake login screen.