A spambot list containing 711 million unique email addresses together with their corresponding passwords was uncovered by a Paris-based security researcher last week.
According to reports from ZDNet, the security researcher who goes by the pseudonym Benkow moʞuƎq found dozens of text files stored on an open and accessible web server located in the Netherlands. Upon further investigation, the text files appeared to be a huge batch of emails and passwords: a spambot list used to send spam.
A review of the spambot list, known as Onliner Spambot, showed that it contains millions of email addresses, passwords, and email servers which are all crucial for the spammer’s large-scale malware campaign.
— Benkow moʞuƎq (@benkow_) August 29, 2017
In a blog post published by Troy Hunt, the person behind the breach notification site Have I Been Pwned, he explained that Benkow contacted him last week about the spambot list. Since then, they have worked together to investigate the situation.
Processing the largest list of data ever seen in @haveibeenpwned courtesy of a nasty spambot. I'm in there, you probably are too.
— Troy Hunt (@troyhunt) August 28, 2017
The Spambot List and its Purpose
What is a spambot?
There are plenty of ways for a cyber crook to send spam over the internet. However, what is considered to be the most brutal of them all is malware spamming. For an attacker to execute malware spamming, he needs to create or buy a specific malware required to infiltrate servers or computers and send the spam.
In essence, the higher the number of computers infected, the more the attacker can distribute the spam through various IPs. However, this is not enough to execute a malware campaign according to Benkow. In his blog, Benkow explained:
“A random pwned Windows machine is not enough to send spam. For that, the attacker needs some email server (SMTP) credentials. This is where you can be concerned by Spambot.
Indeed, to send spam, the attacker needs a huge list of SMTP credentials. To do so, there are only two options: create it or buy it. And it’s the same as for the IPs: the more SMTP servers he can find, the more he can distribute the campaign.”
There are two important classes of credentials needed in malware spamming: email addresses and email addresses with passwords.
The first class pertains to masses and masses of email addresses used to deliver spam. In some cases, a single text file may contain thousands or even hundreds of millions of addresses.
The second class, the email addresses with passwords, is used, according to Benkow, in an attempt to abuse the owners’ SMTP servers in order to deliver spam.
While spamming is considered one of the most effective ways of spreading malware, layers of online security have made it hard for attackers to carry out malware campaigns, and threat analysts have smart ways of tracking and shutting down domains found to have sent spam.
However, the Onliner spambot behind this list uses a sophisticated setup that can get past spam filters.
Obtaining the Spambot List and Executing the Malware Spamming
How could a spammer obtain such a massive list of information?
Apparently, the credentials found on the spambot list have been scraped and collated from other data breaches, such as the LinkedIn hack in 2012 and the Badoo hack in 2016, along with other information acquired from unknown sources.
The LinkedIn hack compromised 167 million accounts, and according to Hunt, the data can be obtained in a Tor-based trading site for only 5 bitcoins or over $2,000 USD. On the other hand, the Badoo hack allegedly compromised around 57 million unique email addresses and passwords mostly related to companies such as Google, Twitter, and Apple.
The Onliner Spambot list has about 80 million accounts with each line containing an email address and password, together with the SMTP server and the port used to send the email.
Hunt explained that the attacker tests each account by connecting to the server and confirming if the credentials are still valid or not. All invalid accounts will be ignored.
The remaining accounts from the 80 million will be used to send the remaining 630 million target emails, designed to scout the victim and commonly known as ‘fingerprinting’ emails.
What is Fingerprinting Spam?
According to Benkow, before starting a malware campaign, the attacker uses a spambot to send fingerprinting emails. The email looks legitimate, but a hidden 1×1 gif is embedded inside it.
“Indeed, when you open this random spam, a request with your IP and your User-Agent will be sent to the server that hosts the gif. With this information, the spammer is able to know when you have opened the email, from where and on which device (iPhone? Outlook? …). At the same time, the request also allows the attacker to know that the email is valid and people actually open spams :),” Benkow further explained.
Apparently, this method helps narrow down the key targets and is significant to the success of the malware campaign.
Benkow went on to say that an attacker could send millions of fingerprinting spam emails “and get a fraction of emails back, but still have enough responses to send out a second batch of a few thousand targeted emails with malware.”
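The fingerprinting trick Benkow describes only works if the mail client fetches the hidden image from the spammer's server. The following is an added example, not code from the article, Troy Hunt or Benkow, showing how a mail gateway or client-side filter can flag such images before a user opens the message: it parses the HTML body and reports every remotely hosted image that is either 1×1-sized or hidden by inline CSS. The sample message and the `example.invalid` hostnames in it are constructed for the demonstration.

```python
"""Flag tracking-pixel images in an HTML email body.

Added example for illustration; not part of the original article.
The sample message is constructed and the hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # HTMLParser already lowercases attribute names; values may be None
            self.images.append({name: (value or "") for name, value in attrs})


def _dimension(value):
    """Parse a width/height attribute such as '1' or '1px'; None if not a plain number."""
    value = value.strip().lower().rstrip("px")
    return int(value) if value.isdigit() else None


def _is_hidden_by_style(style):
    """True when inline CSS hides the element from the reader."""
    style = style.replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_tracking_pixels(html_body, max_pixel_size=2):
    """Return the remote image URLs that look like tracking pixels.

    An image is flagged when its src is fetched over http(s) from a remote host
    and it is either tiny (width and height <= max_pixel_size) or hidden by
    inline CSS. Fetching such an image is what leaks the reader's IP address
    and User-Agent to the spammer, so blocking or stripping these images
    defeats the fingerprinting step.
    """
    parser = _ImgCollector()
    parser.feed(html_body)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue  # cid: and data: images are embedded; nothing is fetched remotely
        width = _dimension(img.get("width", ""))
        height = _dimension(img.get("height", ""))
        tiny = (width is not None and height is not None
                and width <= max_pixel_size and height <= max_pixel_size)
        if tiny or _is_hidden_by_style(img.get("style", "")):
            hits.append(src)
    return hits


# Constructed sample: one embedded logo, one legitimate banner, two tracking pixels.
SAMPLE_EMAIL = """<html><body>
<p>Your invoice is attached.</p>
<img src="cid:logo@local" width="120" height="40">
<img src="https://tracker.example.invalid/open.gif?u=abc123" width="1" height="1">
<img src="https://cdn.example.invalid/banner.png" width="600" height="120">
<img src="https://tracker.example.invalid/p.png" style="display:none">
</body></html>"""

if __name__ == "__main__":
    for url in find_tracking_pixels(SAMPLE_EMAIL):
        print("tracking pixel:", url)
```

The check is deliberately conservative: a large, visible image from a CDN is not flagged, and a 1×1 image is only a problem when the client would actually make a network request for it. In practice the simplest mitigation is the one most mail clients already offer, namely not loading remote images until the user asks for them; this detector is useful where that default is not in place, such as a gateway that wants to record or strip tracker URLs before delivery.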
Hunt said that 27 percent of the email addresses were already uploaded to Have I Been Pwned. However, he noted that since the spambot list has been scraped from the web, some of the data is corrupted. It appears that while 711 million is an accurate figure, the number of affected people might be less.
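Two points above deserve a worked illustration: the list format (each line carrying an email address, password, SMTP server and port) and Hunt's observation that scraped data is partly corrupted, so the raw line count overstates the number of affected people. The following is an added example, not code from the article, Troy Hunt or Benkow, of the kind of triage a breach-notification team runs over such a dump before loading it: it validates each line, discards the password field immediately, normalises and deduplicates the mailboxes, and tallies affected email domains and SMTP relays. The colon-separated layout `email:password:smtp_host:port` is an assumption (the article does not state the separator), and every line in `SAMPLE_DUMP` is constructed using reserved example domains.

```python
"""Triage a credential dump of the shape the article describes.

Added example; not the article's, Troy Hunt's or Benkow's code. The
colon-separated line layout is assumed, and SAMPLE_DUMP is constructed.
"""
import re
from collections import Counter
from typing import NamedTuple

# Deliberately simple structural check: one '@', no whitespace, a dotted domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class Triage(NamedTuple):
    raw_lines: int        # every non-empty line seen (the "711 million" style headline number)
    malformed: int        # lines that failed structural validation
    unique_emails: int    # distinct mailboxes after normalisation (closer to "people affected")
    domains: Counter      # unique mailboxes per email domain, for provider notification
    smtp_hosts: Counter   # how often each SMTP relay appears, for relay-operator notification


def parse_line(line):
    """Split 'email:password:smtp_host:port' and validate it.

    Returns (email, smtp_host) or None. The password is split off only so the
    field count can be checked; it is never retained. Splitting from both ends
    lets a password itself contain ':' characters.
    """
    line = line.rstrip("\r\n")
    email, sep, rest = line.partition(":")
    tail = rest.rsplit(":", 2)
    if not sep or len(tail) != 3:
        return None
    _password, host, port = tail
    email = email.strip().lower()
    host = host.strip().lower()
    if not EMAIL_RE.match(email) or not host:
        return None
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        return None
    return email, host


def triage(lines):
    """Aggregate counts over the dump without keeping any credential material."""
    raw = malformed = 0
    seen = set()
    domains, hosts = Counter(), Counter()
    for line in lines:
        if not line.strip():
            continue
        raw += 1
        parsed = parse_line(line)
        if parsed is None:
            malformed += 1
            continue
        email, host = parsed
        hosts[host] += 1
        if email in seen:
            continue  # duplicate mailbox: inflates the raw count, not the victim count
        seen.add(email)
        domains[email.split("@", 1)[1]] += 1
    return Triage(raw, malformed, len(seen), domains, hosts)


# Constructed sample: a case-variant duplicate, a password containing ':',
# one corrupted line and one out-of-range port.
SAMPLE_DUMP = """\
alice@example.com:Hunter2:mail.example.com:587
ALICE@example.com:Hunter2:mail.example.com:587
bob@example.org:p:a:ss:smtp.example.org:25
carol@example.net:secret:mail.example.net:465
this line is corrupted garbage
dave@example.com:x:mail.example.com:99999
eve@example.com:pw:mail.example.com:25
"""

if __name__ == "__main__":
    result = triage(SAMPLE_DUMP.splitlines())
    print(f"raw lines: {result.raw_lines}, malformed: {result.malformed}, "
          f"unique mailboxes: {result.unique_emails}")
    print("per-domain:", dict(result.domains))
    print("per-relay:", dict(result.smtp_hosts))
```

On the constructed sample the seven raw lines reduce to four unique mailboxes, which is the gap between "711 million lines" and "people affected" that the article points at. The per-domain and per-relay counters are what a responder actually needs for outreach (mail providers to reset passwords, relay operators to rotate SMTP credentials); nothing else from the dump needs to leave the triage machine.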