A spambot holding more than 711 million email addresses has been found on a server in the Netherlands. It is most likely the largest such dump ever seen.
Troy Hunt was the first to raise the alarm over the data dump, and reported it as the largest single dataset ever loaded into HIBP. The spambot is called Onliner, and it is one of the largest ever discovered: roughly double the size of the River City Media breach earlier this year, which exposed 393 million records.
Hunt said: “A random selection of a dozen different email addresses checked against HIBP showed that every single one of them was in the LinkedIn data breach. Now this is interesting because assuming that’s the source, all those passwords were exposed as SHA1 hashes (no salt) so it’s quite possible these are just a small sample of the 164m addresses that were in there and had readily crackable passwords.”
Onliner is used to deliver the banking malware Ursnif, which can infect Windows computers and also evade spam filters. Once a Ursnif email lands in the inbox it is hard to contain: the PC is infected as soon as the attachment is opened, after which the malware steals bank login credentials and other passwords and can act as a keylogger. Infected machines are later used to pump out further spam for online scammers.
Benkow, a security researcher, detailed the spambot in a blog post. The emails look ordinary but contain a pixel-sized image that is practically invisible. When the email is opened, the image loads and sends the recipient's IP address and client information back to the operator, who uses it to decide which targets are worth attacking; the attacker then sends a second batch of emails carrying Ursnif.
It should also be noted that not all 711 million email addresses correspond to real accounts: some were collected from previous breaches, and some addresses are duplicated.
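As an added defensive illustration (not from the article or from Benkow's post), the following Python script scans an HTML email body for remote images that behave like the tracking pixel described above: tiny or hidden images whose load would reveal the recipient's IP address and client details. The sample email, its hostnames and the `id=` token are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample: one legitimate logo, two tracking pixels, one inline image.
SAMPLE_EMAIL = """<html><body>
<p>Your invoice is attached.</p>
<img src="https://cdn.example.test/logo.png" width="200" height="60">
<img src="https://track.example.test/o.gif?id=ab12cd" width="1" height="1">
<img src="https://track.example.test/p.png" style="display:none;width:1px;height:1px">
<img src="cid:inline-part-1" width="1" height="1">
</body></html>"""

_DIM = re.compile(r"(?:^|;)\s*(width|height)\s*:\s*(\d+)(?:px)?\s*(?=;|$)", re.I)
_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _tiny(value):
    """True if an HTML width/height attribute is 0 or 1 pixel."""
    m = re.match(r"\s*(\d+)", str(value)) if value is not None else None
    return m is not None and int(m.group(1)) <= 1


class _PixelFinder(HTMLParser):
    """Collects remote <img> tags that look like tracking pixels."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        if not src.lower().startswith(("http://", "https://")):
            return  # cid:/data: images render without contacting a server
        style = a.get("style") or ""
        dims = {k.lower(): int(v) for k, v in _DIM.findall(style)}
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 attributes")
        if dims and all(v <= 1 for v in dims.values()):
            reasons.append("tiny css size")
        if _HIDDEN.search(style):
            reasons.append("hidden by css")
        if reasons:  # a query string on a pixel is likely a per-recipient token
            if "?" in src:
                reasons.append("query string")
            self.hits.append({"src": src, "reasons": reasons})


def find_tracking_pixels(html_body):
    """Return a list of {src, reasons} for each suspected tracking pixel."""
    finder = _PixelFinder()
    finder.feed(html_body)
    return finder.hits
```

A mail gateway can apply the same signals to rewrite or block remote image loads; disabling automatic remote-image loading in the mail client neutralises the pixel entirely.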
Nevertheless, users are advised to change their passwords to stronger ones. Here's an article on what is now accepted as the most secure approach to creating passwords:
Hunt reported that he and Benkow are in touch with the source, who is in turn communicating with law enforcement authorities to have the IP address shut down as soon as possible.