Possibly the largest single list of compromised email addresses in history, Onliner is bypassing spam filters and spreading malware. Its discoverer says we need to treat spambots as a real threat.
A massive spambot has been discovered with 711 million email addresses at its disposal for sending malware-laden messages.
Called Onliner, the spambot is being used to spread Ursnif, a banking trojan that steals credentials. French security researcher Benkow passed the data to Troy Hunt, who runs Have I Been Pwned. Hunt says the Onliner data set is the biggest he has ever loaded, nearly double his previous record of 393 million records.
Hunt says that not all 711 million addresses will be usable or legitimate, but the list still points to a serious problem: spammers are getting smarter. For a subset of the addresses, Onliner also holds passwords and SMTP server details, so it can relay its spam through legitimate mail servers. Messages that arrive from real accounts on reputable servers pass filters that rely on sender reputation.
As Benkow put it in his post on Onliner, "It's time to pay more attention to spambots." They are often dismissed as a nuisance, but they never operate alone: they usually come bundled with malware, phishing, and other forms of cybercrime.
Onliner: How it makes use of 711 million email addresses
The 711 million email addresses recovered from Onliner fall into two classes: bare addresses, and addresses paired with credentials. The former is the master list of accounts Onliner will send spam to; the latter are the accounts it sends spam through.
The list of accounts with credentials, and in some cases SMTP server details (host and port), is only a small fraction of the total. Onliner first tries to log in to each of those accounts and discards the ones that fail. The working ones are stored for later use in sending out "fingerprinting" emails.
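From the defender's side, that validation pass leaves a distinctive trace on any mail server whose users appear in the list: one login attempt per account from a single source, with the odd success among many failures. The script below is an added example, not code from the article or from Benkow's research; the log lines are constructed in the style of Dovecot submission-login records, and the IPs, users, thresholds and the "stuffing" vs "bruteforce" labels are assumptions you would adapt to your own server's format and volume.

```python
"""Tell list-driven credential stuffing from brute force in mail auth logs.

Added example, not from the article or Benkow. Log lines are constructed in
the style of Dovecot's submission-login messages; adjust LINE_RE for your own
server. A bot replaying a leaked list tries each account about once from one
source; a brute-forcer hammers one account. A success from a stuffing source
means that credential is in the list and the mailbox password must be reset.
"""
import re
from collections import defaultdict

# Constructed sample (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Aug 30 09:14:02 mx dovecot: submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.50, lip=10.0.0.2, TLS
Aug 30 09:14:03 mx dovecot: submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=203.0.113.50, lip=10.0.0.2, TLS
Aug 30 09:14:03 mx dovecot: submission-login: Login: user=<carol@example.com>, method=PLAIN, rip=203.0.113.50, lip=10.0.0.2, TLS
Aug 30 09:14:04 mx dovecot: submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave@example.com>, method=PLAIN, rip=203.0.113.50, lip=10.0.0.2, TLS
Aug 30 09:14:05 mx dovecot: submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin@example.com>, method=PLAIN, rip=203.0.113.50, lip=10.0.0.2, TLS
Aug 30 09:14:06 mx dovecot: submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<frank@example.com>, method=PLAIN, rip=203.0.113.50, lip=10.0.0.2, TLS
Aug 30 09:20:11 mx dovecot: submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2, TLS
Aug 30 09:20:15 mx dovecot: submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2, TLS
Aug 30 09:20:19 mx dovecot: submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2, TLS
Aug 30 09:20:23 mx dovecot: submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2, TLS
Aug 30 09:20:27 mx dovecot: submission-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2, TLS
Aug 30 09:31:40 mx dovecot: submission-login: Login: user=<gina@example.com>, method=PLAIN, rip=192.0.2.9, lip=10.0.0.2, TLS
"""

# Captures outcome ("Login" or the failure prefix), the account, and the remote IP.
LINE_RE = re.compile(
    r"(?P<outcome>Login|Disconnected \(auth failed)[^:]*: user=<(?P<user>[^>]*)>"
    r".*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def classify_sources(log_text, min_accounts=5, min_failures=5):
    """Group auth attempts by source IP and label the pattern per source.

    stuffing   : >= min_accounts distinct accounts, under 2 attempts each
    bruteforce : >= min_failures failures all against a single account
    normal     : anything else
    Returns {rip: {"label", "accounts", "failures", "reset_accounts"}}, where
    reset_accounts lists successful logins from a stuffing source.
    """
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "successes": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = per_ip[m["rip"]]
        rec["users"].add(m["user"])
        if m["outcome"] == "Login":
            rec["successes"].add(m["user"])
        else:
            rec["failures"] += 1

    report = {}
    for rip, rec in per_ip.items():
        attempts = rec["failures"] + len(rec["successes"])
        accounts = len(rec["users"])
        if accounts >= min_accounts and attempts / accounts < 2:
            label = "stuffing"
        elif rec["failures"] >= min_failures and accounts == 1:
            label = "bruteforce"
        else:
            label = "normal"
        report[rip] = {
            "label": label,
            "accounts": accounts,
            "failures": rec["failures"],
            "reset_accounts": sorted(rec["successes"]) if label == "stuffing" else [],
        }
    return report


if __name__ == "__main__":
    for rip, info in classify_sources(SAMPLE_LOG).items():
        print(rip, info)
```

Per-IP rate limits catch the brute-forcer on their own; the stuffing source stays under any per-account threshold, which is why the grouping has to be by source and the account count, not the failure count, is the signal.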
Fingerprinting messages look just like the ones you get all the time: solicitations from lonely Russian women, notifications that your PayPal account (or some misspelled variation of it) is compromised, problems with a package you're supposed to receive, or various other scams.
When you open one of those messages, your mail client fetches a one-pixel image embedded in it. That HTTP request reaches the operator's server carrying your IP address and User-Agent string (which identifies your mail client and operating system), and the image URL typically carries a per-recipient token, so the operator learns that this specific address is live, who reads it, and on what kind of system. Onliner uses that data to decide whether you are a good target for Ursnif.
Once the fingerprinting messages have gone out, Onliner has a whittled-down list of targets for its malware payload, and you did not have to open an attachment or click a link to end up on it.
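The beacon described above can be spotted in the raw message before any image is loaded. The script below is an added example, not code from the article, from Benkow or from Troy Hunt; the sample message, its hosts, and the token in its URL are constructed for illustration, and the heuristics (tiny or hidden remote image, long opaque token, image host that does not match the sender's domain) are the usual ones rather than anything specific to Onliner.

```python
"""Flag remote tracking pixels in a message before any image is fetched.

Added example, not code from the article, Benkow or Troy Hunt. The sample
message, its hosts and its token are constructed for illustration. A client
that loads remote images issues an HTTP request for each <img>; the heuristics
below pick out the ones that exist only to record that request.
"""
import base64
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: a "PayPal problem" lure with a hidden 1x1 beacon. The r=
# parameter is the recipient address, base64-encoded, so each open is attributable.
SAMPLE_EMAIL = b"""From: "PayPaI Support" <alerts@paypai-secure.example>
To: victim@example.net
Subject: Unusual activity on your account
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account has been limited. <a href="https://paypai-secure.example/login">Restore access</a></p>
<img src="https://paypai-secure.example/logo.png" width="200" height="60" alt="PayPal">
<img src="https://track.beacon.example/open.gif?r=dmljdGltQGV4YW1wbGUubmV0&i=9f3c2a7b6e5d4c1b" width="1" height="1" style="display:none">
</body></html>
"""

TOKEN_RE = re.compile(r"[A-Za-z0-9_=-]{16,}")  # long opaque id in path or query


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def _dim(value):
    """Parse '1', '1px' or '0' to an int; None if absent or unparseable."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def find_tracking_pixels(raw_message):
    """Return [(src, [reasons...])] for remote <img> tags that look like beacons."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_hdr = msg["from"]
    from_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for img in collector.imgs:
            src = img.get("src", "")
            url = urlparse(src)
            if url.scheme not in ("http", "https"):
                continue  # cid: and data: images are inline and trigger no request
            reasons = []
            w, h = _dim(img.get("width")), _dim(img.get("height"))
            if (w is not None and w <= 1) or (h is not None and h <= 1):
                reasons.append("1x1 or smaller")
            style = img.get("style", "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden by CSS")
            if TOKEN_RE.search(url.path) or TOKEN_RE.search(url.query):
                reasons.append("opaque token in URL")
            if from_domain and url.hostname and not url.hostname.lower().endswith(from_domain):
                reasons.append("image host differs from From: domain")
            if reasons:
                findings.append((src, reasons))
    return findings


def decode_recipient_hints(src):
    """Base64-decode each query value; return any that look like an email address.

    Shows how a beacon URL ties one open to one recipient using nothing but the
    request itself.
    """
    hints = []
    for values in parse_qs(urlparse(src).query).values():
        for v in values:
            try:
                decoded = base64.b64decode(v + "=" * (-len(v) % 4)).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if "@" in decoded and "." in decoded.split("@")[-1]:
                hints.append(decoded)
    return hints


if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_EMAIL):
        print(src, "->", ", ".join(reasons), "| recipient hints:", decode_recipient_hints(src))
```

The logo image in the sample is remote too, but it is full-size, unhidden, token-free and served from the sender's own domain, so it produces no finding; the point of the heuristics is to separate beacons from ordinary remote images rather than to flag every one.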
Waking up to the threat of spambots
"If you're a malware researcher," Benkow said, "it's time to look deeper in the spambot business. It's a creative market which interacts with a lot of other cybercrime business."
Onliner, for example, is a massive delivery service for Ursnif. Ursnif, in turn, steals banking credentials and is able to download further malware on an infected computer. Spambots are also used for phishing attacks, social engineering, website scanning, and even stealing other sets of credentials to expand their effectiveness.
Our email addresses are "a simple commodity that's shared and traded with reckless abandon," Hunt said, adding that it's often the unscrupulous doing so. Having an email address in the list Benkow uncovered isn't proof that your account has been compromised, but it is a sure sign that you are at the very least a target.
As spammers continue to find ways around filters, more of the work of filtering out the garbage falls on the user. Unfortunately, with fingerprinting messages even viewing the message is enough to make you a target, which makes it harder to tell what's real. The practical defense is to stop your mail client from loading remote images automatically; most clients offer that setting, and with it off, opening or previewing a message does not fetch the tracking pixel.
You can search the entire list of compromised addresses on Have I Been Pwned. I recommend signing up for its notification service, which emails you when your address turns up in a newly loaded breach.
If you show up on Have I Been Pwned, the site won't tell you in what capacity, only in which breach your address was included; for Onliner, that means it cannot tell you whether your address was on the bare mailing list or paired with a password. If you ever find yourself featured, change your password right away, including the password on the mailbox itself, since working mail credentials are exactly what Onliner uses to send its spam, and be sure to avoid email from sources you don't recognize.
Top three takeaways for TechRepublic readers:
- A recently uncovered spambot, called Onliner, had a list of over 711 million email addresses, making it the single largest source of compromised accounts in the history of Have I Been Pwned, a site that tracks such statistics.
- Onliner is being used to distribute banking malware called Ursnif, which steals credentials and can install additional malware on affected machines.
- Benkow, the security researcher who uncovered Onliner, says it's time to take spambots more seriously, as they're the source of many phishing attacks, hacks, malware, and other cybercrimes.