Research notes
FETCH NOTES — 573658a0-03d6-40b8-a48a-bd490d94928f
Source 1: BleepingComputer — "Why Account Takeovers Are Rising and How to Stop Them"
URL: https://www.bleepingcomputer.com/news/security/why-account-takeovers-are-rising-and-how-to-stop-them/
Verified: YES (in provided source list)
Published: June 17, 2026
Sponsor: Specops Software (sponsored content)
Key facts extracted:
- Organizations now manage thousands of human and non-human identities across cloud services, SaaS applications, endpoints, and remote environments.
- Hybrid working, BYOD, and third-party access continue to expand the attack surface; security teams are losing visibility over who has access to what.
- Credential abuse accounts for 22% of breaches in 2025.
- Verizon's Data Breach Investigations Report found stolen credentials involved in 44.7% of breaches.
- MFA fatigue (prompt bombing): attackers repeatedly trigger MFA approval requests until users accept one out of frustration. 2022 Uber attack — repeated MFA prompts on an employee led to privilege escalation and compromise of large parts of Uber's cloud infrastructure.
- Attackers use adversary-in-the-middle frameworks and session hijacking tools to bypass MFA by stealing authenticated session tokens after login.
- Phishing campaigns now use legitimate hosting services, trusted domains, reverse proxies, and AI-generated content. Outpost24 uncovered a campaign using a legitimate Cisco domain through multi-chain redirects.
- Infostealer malware harvests credentials, browser-stored passwords, and authenticated session cookies directly from user devices.
- Employees access corporate apps from personal laptops, unmanaged mobile devices — IT has limited visibility into device security posture.
- High-profile incidents at Clorox and Marks & Spencer reinforced that identity alone is no longer a sufficient trust indicator.
- Security controls still treat successful authentication as sole proof of trust — they verify credentials but not whether the person/device can be trusted.
- Shift toward continuous verification models where trust is assessed throughout the session, not just at login.
Source 2: BreachSense — "Infostealer Malware: How It Works & How to Detect It"
URL: https://www.breachsense.com/blog/infostealer-malware/
Verified: YES (web_extracted)
Author: Josh Amishav
Last updated: Jan 14, 2026
Key facts extracted:
- Infostealer attacks increased 84% in 2024 per the IBM X-Force Threat Intelligence Index 2025.
- Infostealers silently harvest credentials, session tokens, and sensitive data from infected devices; exfiltrate within minutes.
- Session token theft bypasses MFA entirely — attackers import cookies into their own browsers to hijack active sessions.
- Per Identity Threat Report 2025: 39% of data breaches involve stolen session cookies or tokens.
- Per Identity Threat Report 2025: 66% of malware infections occur on devices with endpoint security/AV installed — signature-based detection struggles.
- LummaC2 dominated with 23.3 million detections globally (Identity Threat Report 2025). IBM X-Force documented over 3.7 million Lumma credentials and 568,000 RedLine credentials advertised on dark web markets in 2024.
- Per Mandiant M-Trends 2025: stolen credentials tied for second place as ransomware initial access vectors at 21%.
- Remote workers especially at risk — personal devices often lack corporate endpoint protection.
- Stolen credentials circulate on criminal marketplaces for days or weeks before exploitation — detection window exists.
- Only 54% of organizations routinely reset passwords after malware infections; only 33% terminate active sessions after credential theft detection.
- Other notable infostealers: RedLine Stealer, Vidar Stealer (malware-as-a-service), Raccoon Stealer.
- Infection vectors: phishing (primary), malicious downloads, malvertising, messaging platforms (Discord/Telegram).
- Infostealers target: browser password databases, credentials in transit (hooking into browser processes), session tokens/cookies, VPN/email/FTP app credentials, cryptocurrency wallets.
PLANNED ARTICLE SECTIONS + VERIFIED FACTS
Section 1: The Identity Explosion — Scale and Complexity
- Organizations manage thousands of human + non-human identities across cloud, SaaS, endpoints, remote environments
- Hybrid work, BYOD, third-party access expanding the attack surface
- Security teams losing visibility over who has access to what and whether that access can be trusted
Sources: BleepingComputer (opening premise)
Section 2: Why Credential Abuse Is the Attack of Choice
- Credential abuse = 22% of breaches in 2025 (BleepingComputer)
- Verizon DBIR: stolen credentials in 44.7% of breaches (BleepingComputer)
- Infostealer attacks surged 84% in 2024 (BreachSense / IBM X-Force Threat Intelligence Index 2025)
- Attackers find it easier to steal credentials than to break through firewalls (BreachSense)
- Stolen credentials tied for second place as ransomware initial access vectors at 21% (Mandiant M-Trends 2025)
Sources: BleepingComputer, BreachSense
Section 3: How Attackers Compromise Accounts — The Tactics
- MFA fatigue/prompt bombing: Uber 2022 case study — repeated MFA prompts led to privilege escalation and cloud infrastructure compromise (BleepingComputer)
- Session hijacking: stealing authenticated tokens to bypass MFA entirely; attackers import cookies into their own browsers (BleepingComputer, BreachSense)
- Sophisticated phishing: legitimate domains, AI-generated content, reverse proxies — Outpost24/Cisco domain campaign (BleepingComputer)
- Infostealer malware: harvesting credentials, passwords, session cookies from endpoints within minutes of infection (BreachSense)
- Infection delivery: phishing attachments/links, malicious downloads, malvertising, messaging platforms (BreachSense)
Sources: BleepingComputer, BreachSense
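The MFA fatigue tactic listed above can be spotted on the defender's side by counting push prompts per user inside a short window and treating an approval that follows a burst as suspect. This is an added example, not code from either source; the MfaEvent fields, thresholds and the sample log are constructed assumptions.

```python
"""Detect MFA push-prompt bombing from an MFA event stream.
Added example, not code from either source; the event fields and the
sample log below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 300     # look-back window when counting prompts
PROMPT_THRESHOLD = 5     # prompts in the window before it counts as bombing

@dataclass(frozen=True)
class MfaEvent:
    user: str
    ts: int      # seconds since epoch (constructed values below)
    result: str  # "sent", "denied" or "approved"

def detect_prompt_bombing(events):
    """Return {user: [alerts]}. 'suppress' fires once a user has received
    PROMPT_THRESHOLD prompts inside WINDOW_SECONDS (stop sending pushes,
    page the SOC); 'suspicious_approval' fires when an approval follows
    such a burst, i.e. the fatigue outcome the attacker is after."""
    sent_ts = defaultdict(list)
    alerts = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        recent = [t for t in sent_ts[ev.user] if ev.ts - t <= WINDOW_SECONDS]
        sent_ts[ev.user] = recent
        if ev.result == "sent":
            recent.append(ev.ts)
            if len(recent) >= PROMPT_THRESHOLD:
                alerts[ev.user].append("suppress")
        elif ev.result == "approved" and len(recent) >= PROMPT_THRESHOLD:
            # approved right after a burst: do not trust it, re-verify out of band
            alerts[ev.user].append("suspicious_approval")
        # "denied" events are ignored here; the prompt count is what matters
    return dict(alerts)

# Constructed sample: alice receives 6 pushes in two minutes, then approves;
# bob receives one push and approves normally.
SAMPLE_EVENTS = [MfaEvent("alice", 1000 + 20 * i, "sent") for i in range(6)] + [
    MfaEvent("alice", 1130, "approved"),
    MfaEvent("bob", 1000, "sent"),
    MfaEvent("bob", 1010, "approved"),
]

if __name__ == "__main__":
    print(detect_prompt_bombing(SAMPLE_EVENTS))  # alice flagged, bob clean
```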
Section 4: The Infostealer Ecosystem — What's Being Stolen and How Much
- LummaC2: 23.3 million detections globally (Identity Threat Report 2025)
- IBM X-Force: 3.7 million Lumma credentials and 568,000 RedLine credentials on dark web markets in 2024
- Other major players: RedLine Stealer, Vidar Stealer (malware-as-a-service), Raccoon Stealer
- Targets: browser password databases, credentials in transit, session tokens/cookies, VPN/email/FTP app credentials, crypto wallets
- Exfiltration within minutes; data appears on dark web marketplaces for days/weeks before exploitation
Sources: BreachSense (Identity Threat Report 2025, IBM X-Force)
Section 5: The Endpoint Problem — Why Protection Falls Short
- Employees using personal laptops, unmanaged devices — IT lacks visibility (BleepingComputer)
- 66% of malware infections on devices with AV installed — endpoint protection insufficient (BreachSense / Identity Threat Report 2025)
- Signature-based detection struggles; by the time signatures exist, thousands already infected (BreachSense)
- Remote workers especially at risk — personal devices often lack corporate endpoint protection
Sources: BleepingComputer, BreachSense
Section 6: Why Identity Attacks Are So Hard to Stop
- Security controls treat successful auth as sole proof of trust (BleepingComputer)
- 39% of breaches involve stolen session cookies/tokens — password resets alone insufficient (BreachSense / Identity Threat Report 2025)
- Only 33% of orgs terminate sessions after credential theft detection (BreachSense)
- Only 54% routinely reset passwords after malware infections (BreachSense)
- High-profile cases: Clorox, Marks & Spencer — identity alone is no longer a sufficient trust indicator (BleepingComputer)
Sources: BleepingComputer, BreachSense
Section 7: The Path Forward — Continuous Verification and Detection
- Shift from login-time auth to continuous verification throughout the session (BleepingComputer)
- Device trust, behavioral signals, posture checks as part of identity security (BleepingComputer)
- Credential monitoring on dark web markets for early detection during the theft-to-exploitation window (BreachSense)
- Session termination as part of incident response (BreachSense)
- Browser security policies, application allowlisting, network segmentation as technical controls (BreachSense)
Sources: BleepingComputer, BreachSense
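The two response points above (continuous verification through the session, and session termination as an incident response step rather than a password reset alone) can be shown together in one small session store that binds each session to the device that created it. Added example, not code from either source or any product; the SessionStore class, its field names and the sample logins are constructed assumptions.

```python
"""Continuous session verification plus credential-theft response.
Added example, not code from either source; store, field names and
sample logins are constructed."""
import hashlib
import secrets

class SessionStore:
    def __init__(self):
        self.sessions = {}              # token -> {"user", "fp"}
        self.revoked = set()
        self.reset_pending = set()      # users who must change password

    @staticmethod
    def fingerprint(user_agent, ip):
        # coarse device binding captured at login; a real deployment adds
        # posture signals and tolerates benign IP changes (mobile roaming)
        return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()

    def login(self, user, user_agent, ip):
        """Return a session token, or None while a password reset is pending."""
        if user in self.reset_pending:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "fp": self.fingerprint(user_agent, ip)}
        return token

    def verify(self, token, user_agent, ip):
        """Run on every request, not only at login.
        Returns 'ok', 'revoked', or 'mismatch' (session is killed)."""
        if token in self.revoked or token not in self.sessions:
            return "revoked"
        if self.sessions[token]["fp"] != self.fingerprint(user_agent, ip):
            self.revoke(token)          # cookie replayed from another device
            return "mismatch"
        return "ok"

    def revoke(self, token):
        self.revoked.add(token)
        self.sessions.pop(token, None)

    def respond_to_credential_theft(self, user):
        """IR step: force a password change and kill every live session
        (a reset alone leaves stolen cookies valid). Returns sessions killed."""
        self.reset_pending.add(user)
        victims = [t for t, s in self.sessions.items() if s["user"] == user]
        for t in victims:
            self.revoke(t)
        return len(victims)
```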
TITLE NOTES
Draft title "When Login Isn't Enough: How Infostealers and Session Hijacking Are Breaking Identity Security" is an original rewrite. Does not match or lightly reword any source headline:
- NOT derived from "Why Account Takeovers Are Rising and How to Stop Them" (BleepingComputer)
- NOT derived from "Infostealer Malware: How It Works & How to Detect It" (BreachSense)
- Captures the core theme: identity security is broken because login-time verification is insufficient against modern credential theft techniques.
DESCRIPTION NOTES
Covers the scope: identity management complexity, credential abuse stats (22% of breaches), infostealer surge (84%), session-token theft bypassing MFA, and continuous verification. No source headline language copied.