A spambot called Onliner has apparently assembled a massive amount of data that includes 711 million email addresses and, in at least some cases, passwords as well.
First spotted last week by a malware researcher who blogs under the name "benkow_," the trove of data was found stored in a directory of files on a spambot server hosted in the Netherlands. Many of the email addresses and related passwords appear to have been scraped from data dumps linked to past major breaches of sites such as LinkedIn.
Security experts warned that the large number of SMTP email server credentials uncovered in the Onliner data makes it easier for spammers to send malicious messages through legitimate mail servers, helping those messages bypass standard email filters. The experts recommended that anyone whose email address appears in the spambot directory should change their passwords, make sure no other accounts share those passwords, and enable two-factor authentication for greater security.
'Mind-Boggling Amount of Data'
According to a blog post published on Tuesday by benkow_, the Onliner spambot has been used "since at least 2016" to distribute a banking trojan known as Ursnif. After checking that the breached email user data includes valid SMTP credentials, the spambot randomly mails some of those accounts with a message containing a hidden image. When a recipient opens that message, some of the recipient's user information is leaked back to the spammers, so the account can be categorized for future, more targeted spam campaigns.
The spambot can then use those "fingerprinted" email servers to blast out even larger numbers of emails to identify the best targets for an Ursnif attack, which is launched by messages containing malicious file attachments that are often disguised as invoices.
"In a successful cybercrime campaign there are different parts, the final payload is important but the spam process is very critical too," benkow_ said. "Some malware campaigns like Locky are successful also because the spamming process works well. This case is a good example."
Yesterday, security developer Troy Hunt, who runs the breach-notification Web site Have I been pwned? (HIBP), wrote on his blog that he had spoken with benkow_ about the Onliner spambot directory found on the Dutch server and had examined the data more closely to determine where it came from. He added that even his own email address appeared twice in that data.
"[I]t goes on and on," Hunt said. "Email addresses, passwords and SMTP servers and ports spread across tens of gigabytes of files. It took HIBP 110 data breaches over a period of 2 and a half years to accumulate 711m addresses and here we go, in one fell swoop, with that many concentrated in a single location. It's a mind-boggling amount of data."
Reusing Passwords 'Never a Worse Idea'
Since reviewing the Onliner data, Hunt said he has made all 711 million records found in that spambot directory searchable via his HIBP site. He recommended that people search for their email addresses using the site; if they find their information there, they should immediately change their email passwords, being sure to choose a strong, unique password.
"[F]inding yourself in this data set unfortunately doesn't give you much insight into where your email address was obtained from nor what you can actually do about it," Hunt noted. "I have no idea how this service got mine, but even for me with all the data I see doing what I do, there was still a moment where I went 'ah, this helps explain all the spam I get.' And that's the unfortunate reality for all of us: our email addresses are a simple commodity that's shared and traded with reckless abandon, used by unscrupulous parties to bombard us with everything from Viagra offers to promises of Nigerian prince wealth. That, unfortunately, is life on the web today."
U.K.-based security researcher Graham Cluley wrote on his site yesterday that people who find their email address in the Onliner database should also change their passwords for any other Web accounts that share a password with their email accounts, and choose a new, unique password for each separate account. Cluley noted in the sub-headline of his post, "Password reuse has never been a worse idea."
"Now's a good time to look into a password manager, which can help you create strong, hard-to-guess passwords," Tom's Guide writer Henry Casey said in a news article today. "And of course, do your best to avoid opening suspicious-looking emails, especially those that look like invoices for services you don't pay for."