A huge spam onslaught is expected following the discovery of an unknown hacker's spambot.
A server left open and accessible on the internet has been found to hold up to 711 million email accounts harvested by an unknown spammer.
A security researcher operating under the pseudonym Benkow was first to pick up on the breach, and soon brought it to the attention of Troy Hunt, the well-known Australian security expert behind Have I Been Pwned? – a huge search database that allows users to find out if any of their accounts have been compromised in a data breach.
ZDNet reported that the spambot had collated “email credentials” and “server login information” that would permit the perpetrator to send spam through “legitimate” servers, allowing it to slip past many spam filters.
The spambot has been dubbed “Onliner”, and it uses a Netherlands-based open server to deliver the Ursnif malware into mailboxes worldwide. Ursnif is notorious for its capacity to steal large amounts of data from software and browsers, with the banking industry particularly at risk of attack. “Onliner” has harvested 711 million SMTP credentials – email addresses, passwords, and email servers – of which 80 million have been tested for validity and used to target the remaining 631 million accounts, with a view to bypassing anti-spam software.
The emails in question purportedly contained a 1x1 pixel GIF, invisible to the naked eye. When users open the spam, Benkow warns, “a request with your IP and your User-Agent will be sent to the server that hosts the GIF”. From that single request the spammer learns three things: that the message was opened, the IP address it was opened from (and therefore, roughly, where), and the mail client or device it was opened on. That is a great deal of information harvested simply from rendering the message; no link needs to be clicked, because the request fires as soon as the mail client fetches the remote image, which is also why clients that block remote images by default never send it. The attacker will also receive confirmation that the email address is valid, not to mention the gratification that people – and here Benkow’s tone is one of incredulity – “actually open spams (sic) :)”
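To make the tracking-pixel mechanism concrete, here is an added example (not code from the article, from Benkow, or from the spambot) with two halves: a defender-side check that parses a raw email and flags remote images that look like beacons (1x1 dimensions, hidden styling, a per-recipient token in the URL), and an attacker-side view of what the GIF host records from one fetch. The message, the hostnames, the token and the token-to-recipient map are all constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample message (not a real Onliner sample): an HTML body that
# embeds a remote 1x1 GIF whose URL carries a per-recipient token, plus an
# inline (cid:) logo that never leaves the mailbox and must not be flagged.
SAMPLE_RAW = (
    b"From: offers@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: Your invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><body><p>Please see the attached invoice.</p>"
    b'<img src="http://tracker.example.invalid/o.gif?u=9f3c2a" '
    b'width="1" height="1" style="display:none">'
    b'<img src="cid:logo@example.invalid" width="120" height="40">'
    b"</body></html>\r\n"
)


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def _dim(value):
    """Parse a width/height attribute such as '1' or '1px'; None if unusable."""
    if value is None:
        return None
    value = value.strip().lower().removesuffix("px")
    return int(value) if value.isdigit() else None


def find_tracking_pixels(raw_message: bytes) -> list:
    """Return the remote images in an email that look like open-tracking beacons."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for attrs in collector.images:
            src = attrs.get("src") or ""
            url = urlsplit(src)
            if url.scheme not in ("http", "https"):
                continue  # cid:/data: images are embedded; they never phone home
            reasons = []
            width, height = _dim(attrs.get("width")), _dim(attrs.get("height"))
            if width is not None and height is not None and width <= 1 and height <= 1:
                reasons.append("1x1")
            style = (attrs.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden")
            if url.query:
                reasons.append("tokenised-url")
            if reasons:
                hits.append({"src": src, "host": url.hostname, "reasons": reasons})
    return hits


# Constructed token-to-recipient map, of the kind the tracker's operator keeps
# so that a fetch of o.gif?u=<token> can be tied back to one address.
TOKEN_TO_RECIPIENT = {"9f3c2a": "victim@example.invalid"}


def beacon_hit(query: str, client_ip: str, user_agent: str) -> dict:
    """What the GIF host learns from one image fetch: which address is live,
    from which IP the mail was read, and with which mail client or device."""
    token = parse_qs(query).get("u", [None])[0]
    return {
        "recipient": TOKEN_TO_RECIPIENT.get(token),
        "address_confirmed_live": token in TOKEN_TO_RECIPIENT,
        "client_ip": client_ip,
        "user_agent": user_agent,
    }


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_RAW):
        print("beacon:", hit)
    print(beacon_hit("u=9f3c2a", "203.0.113.7", "Mozilla/5.0 (Windows NT 10.0) Outlook"))
```

The detection half is the check worth wiring into a mail gateway or a local triage script: a remote image with any of these traits is a strong signal, and the mitigation is the one mail clients already offer, namely not fetching remote images until the user asks for them. The `beacon_hit` half shows why Benkow's warning matters even without a click: the token alone is enough to mark an address as live.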
Both security experts go on to warn against the dangers of phishing, with Hunt stressing that the volume of data involved in the breach is “mind-boggling”.
In the meantime, if you want to check your accounts, Hunt has announced that Have I Been Pwned? has loaded the email addresses found on the open server into its search database. According to Hunt, it is the largest data set ever loaded into the site.