Join our mailing list to receive the latest news and updates from our team.

<p>Thanks for signing up! :)</p>

read more.mapouter{overflow:hidden;height:500px;width:600px;}.gmap_canvas {background:none!important;height:500px;width:600px;}
Home / Security / 711 Million Email Addresses Compromised by Onliner Spambot

711 Million Email Addresses Compromised by Onliner Spambot

Posted on

Another day, another security breach. Yet, the Onliner Spambot dump is slightly different to others: it contains over 700 million email addresses and passwords. As such, it is the largest leak to date.

An unknown hacker has gathered up to 711 million email accounts stored on an “open and accessible” server in the Netherlands, ZDNet reports. The server contains passwords to both email addresses and servers which are apparently being used to send large amounts of spam through legitimate accounts, thereby bypassing filters.

Onliner Spambot Password Dump

The Onliner Spambot dump is a significant haul in a year that has already seen several massive data breaches. These breaches, including River City Media, Verizon, Lynda, Deep Root Analytics, Edmodo, and Atlassian HipChat, are minute compared to the combined weight of the Onliner Spambot leak.

Onliner Spambot was uncovered by Benkow mo?u?q, a security researcher based in France. The spambot has collected over 700 million individual email addresses, passwords, and email servers, all used to send spam. The spambot is primarily used to deliver the Ursnif banking trojan to unsuspecting users. Benkow estimates over 100,000 unique systems have been infected around the world.

The Ursnif trojan steals data, such as login credentials, banking and credit card data, passwords, and more. However, what sets Onliner apart from other spambots is the sophisticated delivery method.

The “standard” method of delivery — a spam email containing a dropper file — is relatively easy to combat. Spam filters are getting smarter, and domains found to send spam are easily blacklisted.

Instead, Onliner scraped email server credentials from existing data breaches, collating an enormous, 80 million-strong list of valid accounts to send spam from. Therefore, the spam appears to originate from a legitimate email account, avoiding any spam filters.

“To send spam, the attacker needs a huge list of SMTP credentials. To do so, there are only two options: create it or buy it. And it’s the same as for the IPs: the more SMTP servers he can find, the more he can distribute the campaign”

Next, instead of bombarding potential victims, the spambot sends a single email containing a single-pixel fingerprinting image. When the email is open, the pixel image sends back important user information, such as IP address, user-agent details, and more. This helps the attackers know which computers to target — specifically seeking Windows systems — instead of a more general spray-gun approach.

What Was Sent?

The emails sent appeared to include an almost invisible 1×1 pixel GIF.

If a user opens the email, Benkow wrote, “a request with your IP and your User-Agent will be sent to the server that hosts the GIF. With these information, the spammer is able to know when you have opened the email, from where and on which device.”

That information is necessary to create a slimmed-down list of potential secondary targets — the people who would be hit with second emails containing malware. Yet another reminder not to open spam.

“The sheer size of the breach is alone a cause for concern, let alone the damage it could cause further down the line,” said Brian Laing, vice president at Lastline, a provider of malware protection.

“This breach is an example of how hackers merge data from multiple sources, building dossiers on potential victims, including spear phishing targets,” he told Mirror Tech in an emailed statement.

“In this instance, the majority of the passwords appear to have been collated from previous leaks, including the 2012 LinkedIn data breach. Every breach reveals data that criminals can use to launch additional attacks, either by the initial attackers or other criminals to whom they sell the compromised data.”

Spambot Safety

According to Troy Hunt, creator of Have I Been Pwned?, only 27% of the email address already existed in the HIBP database. That means some 519 million individual email address and password combinations are now compromised. In a blog post, Hunt also pointed out that 711 million is basically the entire population of Europe — a serious amount of compromised addresses.

So, what can you do?

First, head to Have I Been Pwned? and enter your email address(es) into the search bar. It takes a few seconds, and you’ll immediately discover if your address and password have been compromised. And that’s not only for the Onliner spambot. If your address leaked during any other data breach (contained in the database), you will find out.

If compromised, you need to begin the reset process for any services using that email address. It is important to remember as many accounts as possible, but I understand that is difficult. Start by changing any linked to sensitive information: accounts holding financial data, debit and credit cards, and so on.

Next, start using two-factor verification on all of your accounts, and seriously consider using a password manager to keep track of and to secure your passwords.

Once your address and password is out there, it won’t disappear. But you can mitigate the potential effects.

Have you been pwned? Did you realize that more than one account is compromised? What is your favorite password manager? Let us know your thoughts on data breaches below!

Make Use Of

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: