711m email addresses found on gigantic malware spam list

30 Aug 2017

Image: DayOwl /Shutterstock

The recent discovery of the spamming operation appears to be the largest of its kind on record.

According to ZDNet, a security researcher in Paris who goes by the pseudonym, Benkow, discovered an open and accessible web server hosted in the Netherlands.

Within it lay dozens of text files containing passwords, email addresses and servers used to send spam campaigns.

The spambot is known as ‘Onliner’, and is used to push the banking malware ‘Ursnif’ into hundreds of thousands of unsuspecting inboxes. Benkow informed ZDNet he has good reason to believe that it has caused more than 100,000 unique infections aross the globe.

‘Mind-boggling’ quantities of data

Troy Hunt, who runs breach notification site Have I Been Pwned, described the quantity of data uncovered as simply “mind-boggling”, calling it the largest batch of data to enter the site since its foundation. Members of the public can visit the website to see if they have been affected by the gargantuan operation.

In a blog post written on 29 August, Benkow detailed exactly how the spambot operates.

Ursnif malware can skim credit card data, passwords and login credentials, and a spammer would typically send a file as an innocuous-looking attachment, infecting the machine once it is downloaded.

The Onliner campaign set up a pretty complex system to bypass even the most sophisticated of spam filters, added Benkow.

The attacker needs “a huge list of SMTP credentials”, authenticating the spammer and making any emails it sends appear legitimate. These credentials have been scraped from other large data breaches, and there are up to 80m accounts on the list.

Pixel-sized images had been hidden by the spambot in the emails it sent out, scraping information about the recipients’ computers.

Pressure on account providers

Richard Cox, former CIO of the Spamhaus Project, told the BBC that his primary concern was not, in fact, the list of mailable addresses, but the lists of compromised accounts.

“When compromised accounts are used for spam, they can only be stopped by their providers suspending the account. But, when that many are involved, it will severely overload the security/abuse departments of those providers, making it a slow process, and that is what keeps the spam flowing.”

While there were massive amounts of email addresses, the quantity of passwords for said addresses is a much greater issue.

Benkow recommended that affected users change their passwords, and exercise vigilance when it comes to opening emails.

Spam tins. Image: DayOwl /Shutterstock

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com