Huge Spambot Ensnaring 711 Million Email Accounts Uncovered

hand laptop notebook typing

A huge spambot that has ensnared as many as 711 million email addresses has been uncovered by a Paris-based security researcher.

The researcher, who goes by the pseudonymous handle Benkow, has discovered that dozens of text files comprising email addresses, passwords, and email servers that are used to send spam have been stored in an open and accessible web server that’s hosted in the Netherlands. The spammer could very well use these credentials to carry out large-scale hacking and malware operations, bypassing spam filters since the emails would be sent through legitimate email servers.

In a detailed report on the spambot, ZDNet security editor Zack Whittaker says, “The spambot, dubbed “Onliner,” is used to deliver the Ursnif banking malware into inboxes all over the world. To date, it’s resulted in more than 100,000 unique infections across the world.”

“A mind-boggling amount of data.” that’s how Troy Hunt, Australian Microsoft Regional Director and creator of breach notification site Have I Been Pwned, describes this spambot. In a blog post  written about the spambot he says, “Last week I was contacted by someone alerting me to the presence of a spam list. A big one. That’s a bit of a relative term though because whilst I’ve loaded “big” spam lists into Have I been pwned (HIBP) before, the largest to date has been a mere 393m records and belonged to River City Media. The one I’m writing about today is 711m records which makes it the largest single set of data I’ve ever loaded into HIBP. Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe.”

Benkow has also studied exhaustively about the Ursnif banking malware, which is basically a data-stealing trojan that helps in hacking into banking systems to collect personal data like login details, passwords, credit card data etc.

The usual method of sending malware via an email and getting a user to click on the attachment and download it doesn’t always work. Email filters have become smarter and users have become more cautious these days. The Onliner spambot therefore uses a rather sophisticated method to bypass the spam filters and dupe even very cautious users. Benkow explains, in his blog titled “From Onliner Spambot to millions of email’s lists and credentials,” how this works. He explains that the hacking is done using a huge list of SMTP credentials which authenticate the spammer and help him send emails that appear to be legitimate. The SMTP credentials have been scraped and collated from other data breaches and from other unknown sources as well. Benkow has clarified that the list has about 80 million accounts, with each line comprising the email address, password plus the SMTP server and the port used to send the email. Each of these entries is tested by connecting to the server, to check if the credentials are valid and if spam emails can be sent.

The ZDNet blog explains how the emails sent using these credentials carry out the hacking. “These emails appear innocuous enough, but they contain a hidden pixel-sized image. When the email is open, the pixel image sends back the IP address and user-agent information, used to identify the type of computer, operating system, and other device information. That helps the attacker know who to target with the Ursnif malware, by specifically targeting Windows computers, rather than sending malicious files to iPhone or Android users, which aren’t affected by the malware.”

Troy Hunt opines that since the data was scraped off the web, some of it may be malformed. Says Hunt, “The point here is that there’s going to be a bunch of addresses here that simply aren’t very well-formed so whilst the “711 million” headline is technically accurate, the number of real humans in the data is going to be somewhat less.”

Also, Read

Best Anti-Spam Email Filters for Thunderbird

0 Comments

Leave a Comment

Login

Welcome! Login in to your account

Remember me Lost your password?

Don't have account. Register

Lost Password
Register