A malware researcher recently uncovered a spamming operation that led to a massive data breach of more than 711 million email addresses.
Paris-based security expert Benkow found an open and accessible web server that was hosted on a spambot in the Netherlands. According to Benkow’s blog post, the server, known as Onliner, has been used to distribute spam and Trojans.
Inside the Spamming Operation
The Onliner web server is home to a range of text files that contain batches of email addresses and passwords. These credentials are the keys to success for the spamming operation, which aims to circumnavigate spam filters by distributing email via authentic servers.
Onliner is being used to push the Ursnif banking malware to inboxes around the world. The Ursnif Trojan provides a means for fraudsters to collect sensitive data, including usernames, passwords and credit card information.
According to the BBC, the spamming operation appears to be the biggest of its kind ever found. The potential ramifications are also significant: Benkow told ZDNet that the distribution of the Ursnif Trojan has led to over 100,000 unique infections globally.
What Information Was Exposed?
About 80 million valid credentials were discovered in the online directory, according to the researcher’s blog. These legitimate email addresses — and their servers — allowed attackers to bypass antispam measures and send spam to the remaining 630 million accounts.
The list includes email addresses that seem to have been taken from other data breaches, such as those associated with LinkedIn, MySpace and Dropbox, The Hacker News reported. Benkow also found a list of almost 2 million email addresses that appeared to stem from a Facebook phishing campaign.
In a blog post, technology expert Troy Hunt noted the size of the data breach. Hunt, who runs the breach notification site Have I Been Pwned?, said the “mind-boggling amount of data” is the largest he has ever uploaded to his service. He noted that the 711 million records are almost the equivalent of an email address for every man, woman and child in Europe.
Reducing the Risk of a Data Breach
The origins of Onliner remain unclear, but the potential risk is obvious. The database is stored without any access controls, meaning the data is publicly available to anyone without the use of a password.
Individuals can use Have I Been Pwned? to check whether their email address is included in the service records. Affected individuals should change passwords for their email addresses and all other accounts that use a similar string, reported Graham Cluley. Users can also protect their accounts with two-factor authentication when the option is available.
The risk of data exposure is rising. More than 6 billion records were exposed through 2,227 publicly disclosed data breaches in the first half of 2017, according to research from Risk Based Security. The number of records exposed during the first half of this year is already higher than the previous all-time high at the end of 2016.
While users must act cautiously, IT managers and security experts should work to reduce the risk of a data breach. Malware researchers need to spend more time investigating the creation and distribution of spambots. He pointed to the high level of creativity and the potential interaction with other areas of cybercrime.