Hacker gathers 711 million email accounts, spam onslaught expected
An open and accessible server in the Netherlands has been raided by an unknown hacker, who has garnered up to 711 million email accounts. The duplicitous endeavour was initially flagged up by ZDNet, who reported that the spambot had collated “email credentials” and “server login information” that would permit the perpetrator to send spam through “legitimate” servers, rendering many spam filters obsolete.
A security researcher operating under the pseudonym Benkow was first to pick up on the breach, and soon alerted Troy Hunt, the notorious security expert behind Have I Been Pwned? – a huge search database that permits users to find out if any of their accounts have been compromised in a data breach.
The spambot has been dubbed “Onliner”, and it uses the Netherlands-based open server to deliver the Ursnif malware into mailboxes worldwide. Ursnif is notorious for its capacity to steal large amounts of data from software and browsers, with the banking industry particularly at risk of attack. “Onliner” has amassed 711 million SMTP credentials – email addresses, passwords, and email servers – of which 80 million have been tested for validity and used to target the remaining 631 million accounts, with a view to bypassing anti-spam software.
The emails in question purportedly contained a 1×1 pixel GIF, invisible to the naked eye. When users open the spam, Benkow warns, “a request with your IP and your User-Agent will be sent to the server that hosts the GIF”. This request tells the spammer three things: firstly that the user has opened the email, secondly where the user has opened the email, and thirdly on which device the user has opened the email. That’s a hell of a lot of information spawned from one measly click. The attacker will also receive confirmation that the email address is valid, not to mention the gratification that people – and here Benkow’s tone is one of incredulity – “actually open spams (sic) :)”.
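A pixel like the one Benkow describes can be flagged before a mail client ever fetches it. The following is an added example, not code from the article or from Benkow: it parses a message's HTML parts and lists remote images declared as 1×1 or smaller. The sample message, its hosts and the function names are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; hosts and paths are placeholders, not from the article.
SAMPLE = """\
From: sender@example.com
To: user@example.org
Subject: Invoice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please see the attached invoice.</p>
<img src="https://cdn.example.net/logo.png" width="120" height="40">
<img src="http://tracker.example.net/p.gif?id=abc123" width="1" height="1">
<img src="cid:inline-logo" width="1" height="1">
</body></html>
"""

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel ('1', '1px', '0')."""
    v = (value or "").strip().lower().replace("px", "")
    return v in ("0", "1")

class PixelFinder(HTMLParser):
    """Collects remote <img> URLs whose declared size is at most 1x1."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # Only http(s) sources cause a request that reveals IP and User-Agent;
        # cid: and data: images are carried inside the message itself.
        remote = urlparse(src).scheme in ("http", "https")
        if remote and _tiny(a.get("width")) and _tiny(a.get("height")):
            self.hits.append(src)

def find_tracking_pixels(raw_message):
    """Return remote 1x1 image URLs found in any text/html part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    finder = PixelFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.hits
```

This only catches images sized through `width`/`height` attributes; a pixel hidden with CSS would pass, which is why disabling automatic remote image loading in the mail client remains the more reliable control.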
Both security experts go on to warn against the dangers of phishing, with Hunt stressing that the volume of data involved in the breach is “mind-boggling”. Damn. In the meantime, Hunt has announced that Have I Been Pwned has now incorporated the email addresses listed on the vulnerable server into its search database. If you want to check if any email addresses under your domain have been compromised, head here, stat.