A spambot of unprecedented scale has compromised the login credentials of more than 711 million people worldwide.
Onliner Spambot and Why Spam Emails are Anything but a Thing of the Past
A security researcher based in Paris and going by the pseudonymous handle Benkow spotted a freely accessible web server hosted in the Netherlands. The server is said to be storing a large number of text files containing a huge batch of email addresses, passwords, and the email servers used to distribute spam.
Having harvested this enormous number of email credentials, which are crucial to the spammer’s large-scale malware operation, the spammer can far more easily bypass spam filters by sending spam through legitimate email servers. Attackers have used the Onliner spambot to deliver the Ursnif banking malware to inboxes worldwide. The victim toll is estimated at more than 100,000 unique infections across the world.
Benkow spent many months thoroughly analyzing the Ursnif malware and has aggregated his findings in a blog post. Researchers describe the malware as a capable trojan used to steal data, including personal information such as login details, passwords, and credit card data. In most cases, the spam run begins by sending a “dropper” file as a seemingly normal and benign email attachment. Once the attachment is opened, a connection to the hosting server is made and the malware is downloaded to the user’s device, resulting in an infection.
Spam remains as effective a delivery method as any other form of attack. At the same time, email filters are getting smarter by the day, and many domains are blacklisted once they are detected sending spam. That is not to say spammers are not adapting to these upgrades and changes: their campaigns have become sophisticated enough to bypass spam filters, as the Onliner spambot demonstrates.
How does the Onliner Spambot work?
“To send spam, the attacker needs a huge list of SMTP credentials,” stated Benkow in his blog post outlining the spamming process employed in the latest campaign. These credentials authenticate the spammer to the mail server, so the spam it sends appears to be legitimate email. He went on to elaborate that “the more SMTP servers he can find, the more he can distribute the campaign.”
Benkow explained that those credentials were obtained and collated from numerous other data breaches, such as the LinkedIn hack and the Badoo hack. Other, unknown sources cannot be ruled out. About 80 million accounts are stored on that list, with each line containing an email address and password together with the SMTP server and port used to send the email. The spammer tests each entry by establishing a connection to the server to confirm that the credentials are valid and that spam can be sent, ignoring the accounts that do not work. From there, the 80 million email servers initially exploited by the spammer are used to redistribute spam emails to the remaining 630 million target addresses. These emails are designed to scope out the victim through a technique known as “fingerprinting” emails.
The seemingly benign emails contain a hidden pixel-sized image. When the email is opened, the image is loaded and sends back the recipient’s IP address and user-agent information, which identifies the operating system, the type of computer and other details about the user’s device. This is vital information for the spammer, as it identifies who the target is and who should receive the Ursnif malware. The principle is simple: by selecting targets specifically, i.e., Windows computers, the spammer avoids sending the malware to iPhone or Android users, who are largely unaffected by it.
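The fingerprinting pixel described above can be caught before the image is ever fetched. The following Python is an added example, not code from the article or from Benkow’s research: it parses an HTML email body and flags remote images that are pixel-sized or hidden by inline CSS, which is what a mail gateway or client would want to strip or block; the sample message and its hostnames are constructed.

```python
"""Flag hidden remote images ("tracking pixels") in an HTML email body.
Added example, not from the article; the sample message is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# width/height values that make an image effectively invisible (0, 1, 1px ...)
_TINY = re.compile(r"^\s*0*[01]\s*(px)?\s*$", re.IGNORECASE)
# inline CSS that hides the element or collapses it to a single pixel
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(width|height)\s*:\s*0*[01]px",
    re.IGNORECASE)

class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser already lower-cases tag and attr names
            self.images.append({k: (v or "") for k, v in attrs})

def find_tracking_pixels(html_body):
    """Return src URLs of remote images that are 1x1/0x0 or CSS-hidden.
    Fetching such an image reports the recipient's IP and User-Agent."""
    parser = _ImgCollector()
    parser.feed(html_body)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        # only an image fetched over the network can phone home; cid:/data: cannot
        remote = urlsplit(src).scheme in ("http", "https") or src.startswith("//")
        tiny = _TINY.match(img.get("width", "")) and _TINY.match(img.get("height", ""))
        hidden = _HIDDEN_STYLE.search(img.get("style", ""))
        if remote and (tiny or hidden):
            hits.append(src)
    return hits

# Constructed sample: an ordinary-looking message carrying one fingerprinting pixel.
SAMPLE_HTML = """<html><body><p>Your invoice is attached.</p>
<img src="cid:logo@example.invalid" width="120" height="40">
<img src="https://tracker.example.invalid/px.gif?id=RECIPIENT-TOKEN" width="1" height="1" style="display:none">
<img src="https://cdn.example.invalid/banner.png" width="600" height="100">
</body></html>"""

if __name__ == "__main__":
    for url in find_tracking_pixels(SAMPLE_HTML):
        print("tracking pixel:", url)
```

The per-recipient token in the flagged URL is what ties the leaked IP and user-agent back to one address, so blocking the fetch (or rewriting the image through a proxy) is what actually defeats the fingerprinting.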