The “Info Stealer” playbook: How your business gets compromised

13 November 2025 by Cristian Pucheta

Picture this: One of your employees downloads what appears to be legitimate software onto their personal laptop at home. Within moments, malware silently harvests every saved password, browser cookie and credential stored on that device. 

Weeks later, cyber criminals use those stolen credentials to walk straight through your corporate front door using legitimate usernames and passwords. 

This isn't a hypothetical scenario. It is an actual case study from the latest Annual Cyber Threat Report 24/25 by the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC).

Understanding the attack: How it unfolds

These attacks follow a predictable pattern. Here is what typically happens: 

Stage 1: The Infection 

Employees encounter "info stealers" through seemingly innocent activities: downloading pirated software, clicking ads, falling for phishing emails or visiting compromised websites. 

Stage 2: The Silent Harvest 

Once installed, the malware works quietly in the background, collecting usernames, passwords, browser cookies, saved credit cards and even two-factor authentication backup codes. Everything gets sent to a command-and-control server. 

Stage 3: The Marketplace 

Your stolen credentials are sold on dark web forums or Telegram channels. Initial access brokers purchase and validate the most valuable credentials, especially those providing access to corporate networks or privileged accounts. 

Stage 4: The Breach 

Cyber criminals use legitimate credentials to access your network. No brute force attacks. No suspicious login attempts. They simply use valid usernames and passwords. This often delays detection for weeks or months. 

Stage 5: The Escalation 

Once inside, attackers move laterally through your systems, escalate privileges and steal data. Investigations typically reveal that extensive compromise occurred after they accessed privileged user accounts. 
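Stage 4 is the part that defeats most alerting: a failed-login rule never fires because the credentials are valid. What a defender can still see is that a successful login came from a device or network the account has never used, or that two successful logins for the same account are too far apart to be one person. The script below is an added example, not material from the ASD report or from the original post; it runs over a constructed authentication log (fields and values are invented for illustration), learns each user's normal devices and countries from a baseline window, and flags later successful logins that break that baseline or look like impossible travel.

```python
"""Flag successful logins that look like stolen-credential use.

Stolen credentials produce valid logins, so failed-login alerts never fire.
The usable signal is a successful login from a device or country the user
has never used, or two successful logins from different countries within a
window too short for real travel.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one event per line with the fields
# timestamp, user, result, source country, device identifier.
SAMPLE_LOG = """\
2025-10-01T08:02:11Z alice SUCCESS AU laptop-a1
2025-10-01T17:45:03Z alice SUCCESS AU laptop-a1
2025-10-02T08:10:40Z alice SUCCESS AU laptop-a1
2025-10-02T09:01:09Z bob SUCCESS AU desktop-b7
2025-10-03T08:05:55Z alice SUCCESS AU laptop-a1
2025-10-03T22:14:30Z bob FAILURE AU unknown
2025-10-15T03:12:47Z alice SUCCESS RU chrome-9f3e
2025-10-15T08:00:12Z alice SUCCESS AU laptop-a1
2025-10-16T11:30:00Z bob SUCCESS AU desktop-b7
"""

BASELINE_DAYS = 7                    # learn each user's normal devices/countries here
TRAVEL_WINDOW = timedelta(hours=6)   # two countries inside this window is suspicious


def parse_line(line):
    """Split one whitespace-separated log line into a dict with a parsed timestamp."""
    ts, user, result, country, device = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "result": result,
        "country": country,
        "device": device,
    }


def load_events(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def build_baseline(events, baseline_days=BASELINE_DAYS):
    """Record the devices and countries each user logged in from during the baseline window."""
    start = min(e["ts"] for e in events)
    cutoff = start + timedelta(days=baseline_days)
    baseline = defaultdict(lambda: {"devices": set(), "countries": set()})
    for e in events:
        if e["result"] == "SUCCESS" and e["ts"] < cutoff:
            baseline[e["user"]]["devices"].add(e["device"])
            baseline[e["user"]]["countries"].add(e["country"])
    return baseline, cutoff


def find_suspicious_logins(events, baseline_days=BASELINE_DAYS, travel_window=TRAVEL_WINDOW):
    """Return (timestamp, user, country, device, reasons) for each suspicious SUCCESS event."""
    baseline, cutoff = build_baseline(events, baseline_days)
    alerts = []
    last_success = {}  # user -> most recent successful event, for the travel check
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["result"] != "SUCCESS":
            continue  # failures are irrelevant here; the attacker has the real password
        reasons = []
        if e["ts"] >= cutoff:  # only judge events after the baseline has been learned
            profile = baseline.get(e["user"])
            if profile is None or e["device"] not in profile["devices"]:
                reasons.append("new device")
            if profile is None or e["country"] not in profile["countries"]:
                reasons.append("new country")
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= travel_window:
            reasons.append("impossible travel")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], e["country"], e["device"], reasons))
        last_success[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(load_events(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the script flags alice's login from an unknown browser in a new country, and then flags her normal laptop login five hours later as impossible travel. Neither event would trip a failed-login threshold. In production the same idea is usually fed from identity-provider sign-in logs, with device identity coming from a managed-device or browser-fingerprint attribute, which is exactly the attribute an unmanaged BYOD laptop cannot supply.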

This sneaky but highly effective method is fast becoming cyber criminals' weapon of choice. 

The BYOD blind spot 

If your business allows Bring Your Own Device (BYOD) access – employees, contractors, or managed service providers connecting to your network from personal hardware – you need to understand this threat immediately. 

ASD's ACSC investigations showed that extensive compromises usually occurred after cyber criminals successfully accessed privileged user accounts. One compromised personal device with saved corporate credentials can provide the keys to your entire kingdom. 

What you can do starting today 

The good news? You don't need a degree in cyber security to significantly reduce your risk. 

Immediate actions: 
  1. Implement Multi-Factor Authentication (MFA) everywhere, especially for remote access and privileged accounts. This single step can prevent credential-based breaches even when passwords are stolen.  
  2. Review your BYOD policies. Consider whether personal devices should access corporate resources. If they must, ensure they meet minimum security standards. 
  3. Educate your team. Your employees need to understand that their home computing habits can compromise your business. Regular, practical training matters. 
  4. Monitor credential exposure. ASD's credential exposure notification process has already sent 9,587 credential exposure events to approximately 220 organisations. Are you enrolled in these programs? 

The bottom line 

Credential theft through “info stealers” represents a new era of cyber threats – one where your employees' personal devices can become the weakest link in your security chain. The threat is real, growing, and increasingly accessible to criminals with minimal technical skills. 

But you're not powerless. By implementing the four actions outlined above, you'll significantly strengthen your defences against these attacks. The key is to act now, before your business becomes another case study in next year's threat report. 

Your business's security is only as strong as your least protected access point. Make sure that access point isn't sitting on someone's home desk. 
