The Onliner spambot weaponized a whopping 711 million email accounts to distribute spam emails laden with malware.
A security researcher who goes by the name “Benkow” came across the credentials when he found an open directory on the web server for an Onliner command and control (C&C) asset.
Since at least 2016, the Onliner spambot has been targeting countries like Italy and businesses like hotels. Its purpose? To distribute spam laden with Ursnif, a malware family known for its data-stealing abilities.
The trojan is multifaceted in that it leverages two modules on a compromised machine post-infection. Ursnif’s first module enables the malware to send out spam. The malware’s second module is responsible for creating a huge list of SMTP credentials.
Benkow explains how Ursnif accumulates these credentials:
“To create the list, the attacker provides to the second module a list of emails and credentials like email@example.com:123456.
“Then, the module tries to send an email using this combinaison. [sic] If it works, credential are added to the SMTP list. Else, credentials are ignored.”
Where do these credentials come from?
In addition to machines already infected with Ursnif, Onliner accumulates them from public leaks such as the 2016 LinkedIn breach. It also relies on separate phishing campaigns and data-stealing attacks.
Benkow found a total of 80 million sets of email addresses, passwords, and SMTP configuration records in the directory. Onliner uses these details, in turn, to send out “fingerprinting” emails to 630 collected user addresses. These messages leverage a hidden 1×1 GIF to document a recipient’s IP and User-Agent before transmitting it back to the spammer.
With that information, the attacker can specifically target Windows computers and exclude mobile devices.
The security researcher told ZDNet that this degree of targeting is crucial to the attack campaign’s ongoing success:
“There is a risk that the campaign can become too noisy, like Dridex, for example. If your campaign is too noisy, law enforcement will look for you.”
Web security expert Troy Hunt has had a chance to look over the information exposed by Benkow and add it to his Have I Been Pwned? service. His analysis of the “mind-boggling amount of data,” which he calls “the largest single set of data I’ve ever loaded into HIBP,” reveals millions of working email addresses and passwords. But not quite 711 million.
As he explains on his site:
“The data in the dump has a bunch of junk prefixed to the address, junk which appears to be an HTML file name and may indicate the “address” was scraped off the web and the parsing simply wasn’t done very well. The point here is that there’s going to be a bunch of addresses here that simply aren’t very well-formed so whilst the ‘711 million’ headline is technically accurate, the number of real humans in the data is going to be somewhat less.”
At this time, it would a good idea for users to look up their email addresses using HIBP. If they discover their email accounts in the service’s records, they should change their passwords not only for that email address but also for all web accounts that might use the same password. Specifically, they should protect each of their accounts with a unique combination and enable two-step verification (2SV), if the feature is available.
Oh, and as always, users should resist the temptation to click on suspicious links and email attachments.
For further discussion on this story, make sure to listen to this episode of the “Smashing Security” podcast: