Cybercriminals Shift From Fake Login Pages to Infostealer Malware in Phishing Attacks
Cybersecurity NewsArchived Jun 04, 2026✓ Full text saved
Phishing attacks have always been one of the most common ways cybercriminals steal personal and business data. But something has quietly changed about how these attacks work. Instead of tricking people into typing passwords on fake websites, attackers are now dropping malware directly onto victims’ devices to do the stealing for them. This shift has […] The post Cybercriminals Shift From Fake Login Pages to Infostealer Malware in Phishing Attacks appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Cybercriminals Shift From Fake Login Pages to Infostealer Malware in Phishing Attacks
By Tushar Subhra Dutta
June 4, 2026
Phishing attacks have always been one of the most common ways cybercriminals steal personal and business data. But something has quietly changed about how these attacks work.
Instead of tricking people into typing passwords on fake websites, attackers are now dropping malware directly onto victims’ devices to do the stealing for them.
This shift has been building gradually, and it signals a more dangerous phase in the evolution of online scams. Traditional phishing still exists and remains a serious threat.
However, a growing number of attackers now prefer to deploy infostealers, a category of malware designed to silently collect passwords, browser cookies, session tokens, saved autofill data, cryptocurrency wallet details, and even files stored on the device.
Analysts at Malwarebytes, in a report shared with Cyber Security News (CSN), noted that this approach is appealing because it scales well and reduces friction for the attacker.
Rather than waiting for a victim to visit a fake login page and enter credentials, the malware simply harvests whatever is already saved on the infected machine.
This also makes the attack much harder to spot. A classic phishing attempt often leaves visible red flags, a strange link, a suspicious sender address, or an oddly formatted login page.
Infostealers, by contrast, work quietly in the background after installation, giving victims little reason to suspect anything is wrong.
One significant driver behind this change is the widespread adoption of multi-factor authentication, or MFA. Because MFA adds an extra layer of login verification, stolen passwords alone are no longer enough for many account takeovers.
By stealing session cookies instead, attackers can bypass MFA entirely and access accounts without needing a password or a one-time code.
Cybercriminals Shift From Fake Login Pages
Another major factor is the explosion of the malware-as-a-service ecosystem, commonly known as MaaS. This underground market allows criminals to buy ready-made infostealer kits, loaders, and initial access tools without needing to build anything themselves.
It has dramatically lowered the bar for entry, letting even low-skilled attackers run large-scale credential theft campaigns. These services are not just cheap, they are also designed for speed and flexibility.
Operators can push out updates, rotate their infrastructure, and launch fresh campaigns quickly, while a network of affiliates handles distribution through phishing emails, fake downloads, malvertising, and social media traps.
The division of labor makes these operations highly efficient and difficult to shut down. Infostealers rarely mark the end of an attack, and in most cases, they are just the opening move.
The stolen data, including saved passwords, session cookies, and corporate access credentials, is packaged and sold to other criminals who specialize in account takeover, fraud, business email compromise, or ransomware deployment. A single infected device can generate income across multiple buyer types at once.
How Infostealers Reach Victims and How to Stay Safe
Infostealers reach victims through a wide range of delivery methods. Malicious ads, fake browser update prompts, pirated software, game cheats, cracked tools, and shady browser extensions are among the most common entry points.
These channels are effective because they reach people who are not necessarily expecting an attack and who may already be used to clicking through prompts without much thought.
A tactic called ClickFix has also gained traction recently. It works by tricking users into running commands or scripts on their own devices, often by presenting a fake error message or warning that instructs them to paste something into a command prompt.
Malwarebytes researchers warn that users should never execute any command copied from a website, email, or message unless they fully understand what it does and trust the source completely.
Staying safe requires building simple, consistent habits. Users should avoid clicking on sponsored ads and navigate directly to official websites when downloading software.
Pirated tools and cracked software carry a high risk of bundled malware and should be avoided entirely.
Slowing down before clicking any link or opening any attachment in an email can make a real difference, especially when the message creates a sense of urgency around billing, account issues, or security alerts.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
AI-Generated npm Malware Accidentally Exposes Threat Actor’s Private GitHub Token
Bots Surpass Humans in Global Web Traffic for the First Time in Internet History
Hackers Use Meta’s AI Bot to Reset Passwords and Hijack Instagram Accounts
Gamaredon APT Hides Malware in Windows Features and Abuses Cloud Platforms for C2
Critical Samba Vulnerability Enables Remote Code Execution Attacks
Latest News
ChatGPT
Weaponized ChatGPT Download Site Delivers Malware Via Sponsored Search Results
Cyber Security News
Kali365 PhaaS Operation Expands Beyond Microsoft 365 to Target Okta and MAX Messenger
Cyber Security News
Payouts King Ransomware Evades EDR With Obfuscation and Direct System Calls
Cyber Security News
Hackers Actively Exploiting WordPress Plugin Vulnerability to Inject Malicious PHP Code
Cyber Security News
Teams and Google Drive Leveraged to Compromise Systems Within 20 Minutes