September 1, 2017 By Mark Samuels 2 min read

A malware researcher recently uncovered a spamming operation that led to a massive data breach of more than 711 million email addresses.

Paris-based security expert Benkow found an open and accessible web server that was hosted on a spambot in the Netherlands. According to Benkow’s blog post, the server, known as Onliner, has been used to distribute spam and Trojans.

Inside the Spamming Operation

The Onliner web server is home to a range of text files that contain batches of email addresses and passwords. These credentials are the keys to success for the spamming operation, which aims to circumvent spam filters by distributing email via authentic servers.

Onliner is being used to push the Ursnif banking malware to inboxes around the world. The Ursnif Trojan provides a means for fraudsters to collect sensitive data, including usernames, passwords and credit card information.

According to the BBC, the spamming operation appears to be the biggest of its kind ever found. The potential ramifications are also significant: Benkow told ZDNet that the distribution of the Ursnif Trojan has led to over 100,000 unique infections globally.

What Information Was Exposed?

About 80 million valid credentials were discovered in the online directory, according to the researcher’s blog. These legitimate email addresses — and their servers — allowed attackers to bypass antispam measures and send spam to the remaining 630 million accounts.
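The abuse described above, in which stolen credentials let spam leave through legitimate mail servers, is something a mail administrator can look for in their own authentication logs. The following detector is added here and is not part of the original article: it runs over a few constructed Postfix-style SASL log lines (not from the Onliner server) and flags accounts that authenticate from an unusual number of distinct client addresses or open too many sessions; the log format and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed Postfix/SASL-style log lines (not from the article). They model
# one legitimate account sending a few messages from its usual address, and
# one stolen account being used as a relay from many different client IPs.
SAMPLE_LOG = """\
Sep  1 10:00:01 mx postfix/smtpd[1201]: A1: client=home.example[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com
Sep  1 10:05:12 mx postfix/smtpd[1201]: A2: client=home.example[203.0.113.10], sasl_method=PLAIN, sasl_username=alice@example.com
Sep  1 10:06:00 mx postfix/smtpd[1202]: B1: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Sep  1 10:06:02 mx postfix/smtpd[1203]: B2: client=unknown[198.51.100.8], sasl_method=LOGIN, sasl_username=bob@example.com
Sep  1 10:06:03 mx postfix/smtpd[1204]: B3: client=unknown[192.0.2.21], sasl_method=LOGIN, sasl_username=bob@example.com
Sep  1 10:06:05 mx postfix/smtpd[1205]: B4: client=unknown[192.0.2.77], sasl_method=LOGIN, sasl_username=bob@example.com
Sep  1 10:06:07 mx postfix/smtpd[1206]: B5: client=unknown[198.51.100.99], sasl_method=LOGIN, sasl_username=bob@example.com
"""

# Assumed log layout: "client=<host>[<ip>]" followed later by "sasl_username=<user>".
LINE_RE = re.compile(
    r"client=(?P<host>\S+)\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)"
)


def parse_sasl_logins(log_text):
    """Yield (username, client_ip) for every authenticated SMTP session."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def find_suspect_accounts(log_text, max_distinct_ips=3, max_sessions=50):
    """Return {user: (distinct_ips, sessions)} for accounts whose usage looks
    like a stolen credential being used to relay mail: authenticating from
    more than max_distinct_ips client addresses, or opening more than
    max_sessions authenticated sessions in the log window (assumed limits)."""
    ips = defaultdict(set)
    sessions = defaultdict(int)
    for user, ip in parse_sasl_logins(log_text):
        ips[user].add(ip)
        sessions[user] += 1
    return {
        u: (len(ips[u]), sessions[u])
        for u in sessions
        if len(ips[u]) > max_distinct_ips or sessions[u] > max_sessions
    }


if __name__ == "__main__":
    for user, (n_ips, n_sessions) in find_suspect_accounts(SAMPLE_LOG).items():
        print(f"{user}: {n_ips} client IPs, {n_sessions} sessions")
```

On the sample only the stolen account is reported; a real deployment would tune the thresholds per account history and time window rather than use fixed values.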

The list includes email addresses that seem to have been taken from other data breaches, such as those associated with LinkedIn, MySpace and Dropbox, The Hacker News reported. Benkow also found a list of almost 2 million email addresses that appeared to stem from a Facebook phishing campaign.

In a blog post, technology expert Troy Hunt noted the size of the data breach. Hunt, who runs the breach notification site Have I Been Pwned?, said the “mind-boggling amount of data” is the largest he has ever uploaded to his service. He noted that the 711 million records are almost the equivalent of an email address for every man, woman and child in Europe.

Reducing the Risk of a Data Breach

The origins of Onliner remain unclear, but the potential risk is obvious. The database is stored without any access controls, meaning the data is publicly available to anyone without the use of a password.

Individuals can use Have I Been Pwned? to check whether their email address is included in the service records. Affected individuals should change passwords for their email addresses and all other accounts that use a similar string, reported Graham Cluley. Users can also protect their accounts with two-factor authentication when the option is available.

The risk of data exposure is rising. More than 6 billion records were exposed through 2,227 publicly disclosed data breaches in the first half of 2017, according to research from Risk Based Security. The number of records exposed during the first half of this year is already higher than the previous all-time high at the end of 2016.

While users must act cautiously, IT managers and security experts should work to reduce the risk of a data breach. Benkow suggested that malware researchers need to spend more time investigating the creation and distribution of spambots. He pointed to the high level of creativity involved and the potential interaction with other areas of cybercrime.
