711 million email addresses exposed in ‘Onliner’ spambot scheme

The spambot can bypass spam filters, with the end goal of delivering a data-stealing virus to victims. Find out how it works here.

MANILA, Philippines – A new spambot with access to 711 million stolen email addresses, many of them paired with passwords and mail-server credentials, has been discovered, a ZDNet report said.

Spambots are programs that deliver spam email to any number of targets, and they have been around for a long time. This one, called Onliner, stands out because it can get past standard spam filters. Modern email systems normally detect spam and route it automatically to the recipient's spam folder, so it never reaches the inbox.

Onliner circumvents these filters by sending the spam through legitimate email servers. It can do so because the spambot holds not only email addresses and passwords but also stolen credentials for the mail servers themselves. Logging in with those credentials, it sends mail from a real, established server, so the messages carry that server's good reputation rather than that of a known spam host, and they land straight in the target's inbox, sneaking past spam defenses. (READ: 500 million accounts stolen, Yahoo confirms)
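Because the relay login is genuine, the operator of the abused server cannot block it on credentials alone; the remaining signal is behaviour. The following is an added example, not code from the article or from the researchers it cites: it runs over constructed Postfix-style authentication log lines and flags an account that suddenly authenticates from many unrelated client addresses and sends far more mail than usual. The log format, the account names and the thresholds are all assumptions made for the example.

```python
"""
Added example (not part of the original article): spotting a stolen SMTP
account being used as a spam relay from the mail server's own logs.
The log lines, account names and thresholds below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed Postfix smtpd lines: each successful SASL login records the
# client IP and the authenticated username. In the sample, alice's account
# is logged in from six different addresses in a few seconds (assumed to be
# the stolen credential), while bob behaves normally.
SAMPLE_MAILLOG = """\
Aug 29 10:00:01 mx1 postfix/smtpd[1201]: A1B2C3: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Aug 29 10:00:02 mx1 postfix/smtpd[1201]: A1B2C4: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=alice@example.com
Aug 29 10:00:02 mx1 postfix/smtpd[1202]: A1B2C5: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=alice@example.com
Aug 29 10:00:03 mx1 postfix/smtpd[1203]: A1B2C6: client=unknown[203.0.113.88], sasl_method=LOGIN, sasl_username=alice@example.com
Aug 29 10:00:03 mx1 postfix/smtpd[1203]: A1B2C7: client=unknown[198.51.100.200], sasl_method=LOGIN, sasl_username=alice@example.com
Aug 29 10:00:04 mx1 postfix/smtpd[1204]: A1B2C8: client=unknown[192.0.2.130], sasl_method=LOGIN, sasl_username=alice@example.com
Aug 29 10:00:05 mx1 postfix/smtpd[1205]: A1B2C9: client=home.example.net[203.0.113.42], sasl_method=PLAIN, sasl_username=bob@example.com
Aug 29 10:04:10 mx1 postfix/smtpd[1205]: A1B2D0: client=home.example.net[203.0.113.42], sasl_method=PLAIN, sasl_username=bob@example.com
Aug 29 10:04:11 mx1 postfix/smtpd[1206]: A1B2D1: client=unknown[203.0.113.250], sasl_method=LOGIN, sasl_username=alice@example.com
"""

AUTH_RE = re.compile(
    r"client=[^\[]*\[(?P<ip>[^\]]+)\],\s*sasl_method=\S+,\s*sasl_username=(?P<user>\S+)"
)


@dataclass
class AccountActivity:
    messages: int = 0
    client_ips: Set[str] = field(default_factory=set)


def summarize_auth(log_text: str) -> Dict[str, AccountActivity]:
    """Count authenticated submissions and distinct client IPs per account."""
    summary: Dict[str, AccountActivity] = {}
    for line in log_text.splitlines():
        match = AUTH_RE.search(line)
        if not match:
            continue  # not an authenticated-submission line
        activity = summary.setdefault(match.group("user"), AccountActivity())
        activity.messages += 1
        activity.client_ips.add(match.group("ip"))
    return summary


def flag_abused_accounts(
    summary: Dict[str, AccountActivity],
    max_distinct_ips: int = 3,
    max_messages: int = 5,
) -> List[str]:
    """Return accounts whose login pattern looks like a stolen relay credential.

    Both thresholds are assumptions for the example; a real deployment would
    baseline them per account and per time window.
    """
    flagged = [
        user
        for user, activity in summary.items()
        if len(activity.client_ips) > max_distinct_ips
        or activity.messages > max_messages
    ]
    return sorted(flagged)


if __name__ == "__main__":
    for user in flag_abused_accounts(summarize_auth(SAMPLE_MAILLOG)):
        print(f"possible stolen SMTP credential: {user}")
```

The useful response to a hit is to lock the account and force a password change, not merely to rate-limit it: the credential is already in the attacker's list and will be retried.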

Troy Hunt of Have I Been Pwned, a website that tracks data breaches and stores the exposed addresses in a searchable database, also said Onliner's 711 million addresses are the largest batch the site has ever encountered and processed. The next largest, a January 2017 leak from US company River City Media, exposed 393 million addresses.


Spam process

Of the 711 million email addresses, an estimated 80 million come with matching mail-server (SMTP) credentials, which are what the spambot uses to send the spam to the remaining addresses.

The initial emails sent to the stolen addresses are called "fingerprinting emails." They look innocuous, but when they are opened they identify the target's IP address, computer system, and operating system. This works through a remote image embedded in the message: when the mail client fetches it from the attacker's server, the request reveals the recipient's IP address and the client's User-Agent string, which names the operating system. The attacker uses that information to single out Windows computers and to exclude iOS and Android users.

Windows computers are specifically targeted because the malware Onliner delivers does not run on other systems such as iOS and Android. Once the Windows systems have been identified, Onliner sends a second batch of emails to them, disguised as receipts or invoices from delivery services, hotels, or insurance companies, though the lures could take other forms over time.
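The fingerprinting stage described above, as an added example that is not part of the article or of the original research: the "innocuous" email carries a remote image whose URL contains a per-recipient token, and the attacker's web server log then reveals who opened it and from what operating system. The code reconstructs that triage from constructed access-log lines and also shows the defender's side, listing the remote images an HTML message would load. The pixel path, the tokens, the log lines and the sample message are all assumptions made for the example.

```python
"""
Added example (not part of the original article): how a tracking-pixel
"fingerprinting email" sorts recipients by operating system, and the
remote-image check a recipient's client could apply. All inputs are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed "combined" web-server log lines from a hypothetical pixel host.
# The path /px/<token>.gif is an assumption; each token maps to one recipient.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [29/Aug/2017:10:01:02 +0000] "GET /px/a1b2c3.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Thunderbird/52.3.0"
198.51.100.7 - - [29/Aug/2017:10:01:09 +0000] "GET /px/d4e5f6.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60"
192.0.2.55 - - [29/Aug/2017:10:02:30 +0000] "GET /px/0a9b8c.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.116 Mobile Safari/537.36"
192.0.2.56 - - [29/Aug/2017:10:03:00 +0000] "GET /px/7f6e5d.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
203.0.113.11 - - [29/Aug/2017:10:03:05 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
"""

# Constructed HTML body of a fingerprinting email: no visible content of
# interest, but a remote 1x1 image pointing at the pixel host.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Thank you for your order.</p>
<img src="http://pixel.example.invalid/px/a1b2c3.gif" width="1" height="1">
<img src="cid:logo@local">
</body></html>
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
PIXEL_RE = re.compile(r"^/px/(?P<token>[0-9a-f]+)\.gif$")
REMOTE_IMG_RE = re.compile(r'<img[^>]+src="(?P<url>https?://[^"]+)"', re.IGNORECASE)


@dataclass
class Fingerprint:
    token: str
    ip: str
    os: str
    user_agent: str


def classify_os(user_agent: str) -> str:
    """Coarse OS classification from a User-Agent string.

    Order matters: Android UAs also contain "Linux", and iOS UAs also contain
    "Mac OS X", so the more specific checks come first.
    """
    if "Windows NT" in user_agent:
        return "Windows"
    if "iPhone" in user_agent or "iPad" in user_agent:
        return "iOS"
    if "Android" in user_agent:
        return "Android"
    if "Mac OS X" in user_agent:
        return "macOS"
    if "Linux" in user_agent:
        return "Linux"
    return "unknown"


def parse_pixel_hits(log_text: str) -> List[Fingerprint]:
    """Keep only successful fetches of the tracking pixel and fingerprint them."""
    hits: List[Fingerprint] = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match or match.group("status") != "200":
            continue
        pixel = PIXEL_RE.match(match.group("path"))
        if not pixel:
            continue  # some other request to the host, not a pixel load
        ua = match.group("ua")
        hits.append(Fingerprint(pixel.group("token"), match.group("ip"), classify_os(ua), ua))
    return hits


def select_windows_targets(hits: List[Fingerprint]) -> List[str]:
    """Tokens of recipients who opened the mail on Windows: the second-wave list."""
    return [hit.token for hit in hits if hit.os == "Windows"]


def find_remote_images(html: str) -> List[str]:
    """Defender's view: remote images a client would fetch if it auto-loads them.

    Inline (cid:) images are local to the message and are not reported.
    """
    return REMOTE_IMG_RE.findall(html)


if __name__ == "__main__":
    for token in select_windows_targets(parse_pixel_hits(SAMPLE_ACCESS_LOG)):
        print(f"Windows recipient, token {token}")
    for url in find_remote_images(SAMPLE_EMAIL_HTML):
        print(f"remote image would be fetched: {url}")
```

A client configured not to load remote images never makes the pixel request, so the attacker learns nothing and the recipient never reaches the second wave.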

The second batch of emails is the harmful one: it carries Ursnif, a data-stealing banking trojan. According to cybersecurity firm Palo Alto Networks, this malware is able to "steal browsing data such as banking and credit card information, acquire passwords via screenshots and keylogging, execute arbitrary second payloads, infect additional files to further victimize other machines, and communicate peer-to-peer between different Ursnif instances in the same network."

Benkow – the pseudonymous security researcher who first found the Netherlands-based server holding Onliner's massive list of stolen email credentials – said Ursnif has infected around 100,000 systems around the world via the Onliner scheme.

The number of computers the scheme could infect is potentially huge, and Ursnif is a potent payload. Until spam filters adapt to its evasion method, the best defense is on the recipient's side: do not open unexpected receipts or invoices, let alone their attachments, and keep your mail client from loading remote images automatically, since that is what gives the fingerprinting stage your IP address and operating system. If your address may be among the 711 million, check it on Have I Been Pwned and change any mail password that was reused elsewhere, as those are the credentials the spambot relays through. – Rappler.com
