Massive ‘Onliner’ Spambot Holds 711 Million Email Addresses

Exterminator

Oct 23, 2012
Security researchers have uncovered one of the largest single spambots ever seen, loaded with 711 million email records.

The so-called 'Onliner' spambot was discovered by researcher 'Benkow' who claimed it has been in use since at least 2016, spreading a banking trojan called Ursnif.

It contains around 50GB of emails, credentials and SMTP configuration files, he explained in a blog post.

“I have seen this spambot targeting specific countries like Italy, or specific business like hotels,” said Benkow.

Troy Hunt, owner of the HaveIBeenPwned site, claimed it was the “largest single set of data I've ever loaded into HIBP.”

The trove was found on a Dutch server, with law enforcers in the country contacted to shut it down ASAP, he added.

Crucially, the Onliner campaign doesn’t just use email addresses, but also a smaller trove of 80 million SMTP credentials to authenticate and help bypass anti-spam filters.

“It's difficult to know where those lists of credentials came from. I have obviously seen a lot of public leaks (like Linkedin, Baidu or with every passwords in clear text) but credentials can also come from phishing campaigns, credentials stealer malwares like Pony, or they can also be found in a shop,” explained Benkow.

“Somebody even showed me a spambot with a SQL injection scanner which scans the internet, looks for SQLi, retrieves SQL tables with names like ‘user’ or ‘admin’.”

Not only is the campaign designed to evade spam filters but it also uses 'fingerprinting' techniques to identify victims running the right kind of systems that Ursnif can target, he added.

That raises the spammer’s chances of success whilst keeping his activities largely hidden from law enforcement.

As for the email addresses, the 711 million figure may be somewhat misleading as much of it has been scraped from the web with poor parsing.

“The point here is that there's going to be a bunch of addresses here that simply aren't very well-formed so whilst the ‘711 million’ headline is technically accurate, the number of real humans in the data is going to be somewhat less,” said Hunt.

“Our email addresses are a simple commodity that's shared and traded with reckless abandon, used by unscrupulous parties to bombard us with everything from Viagra offers to promises of Nigerian prince wealth. That, unfortunately, is life on the web today.”
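The point Hunt makes about the headline figure (many scraped addresses are not well-formed, so the count of real mailboxes is lower) is easy to see when you triage a dump yourself. The following is an added example, not code from the article, from Benkow or from HIBP; it uses a small constructed sample of dump lines with made-up addresses, applies a deliberately strict syntax check, discards any `address:password` suffix, and counts distinct well-formed addresses after case-folding.

```python
import re
from collections import Counter

# Constructed sample of lines as they might appear in a scraped address dump.
# None of these are real addresses or credentials; they are made up for this example.
SAMPLE_DUMP = """\
alice@example.com
Alice@Example.COM
bob@example.org:s3cret-example
not an email at all
carol@example.net
>dave@example.com<
@example.com
erin@
frank@@example.com
"""

# Conservative syntax check: a local part of common characters, exactly one '@',
# and a dotted domain ending in an alphabetic TLD. This is intentionally stricter
# than RFC 5322 so that scraping debris is rejected rather than counted.
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)


def extract_address(line):
    """Return the address portion of one dump line, or None for an empty line.

    Dump lines may carry 'address:password' pairs; the password part is
    discarded here because only the address is being triaged.
    """
    line = line.strip().strip("<>")
    if not line:
        return None
    return line.split(":", 1)[0]


def is_well_formed(addr):
    """True if the address passes the strict syntax check above."""
    return bool(EMAIL_RE.match(addr))


def triage_dump(text):
    """Classify every line of a dump and count distinct well-formed addresses.

    Returns (stats, distinct) where stats is a Counter with keys
    'well_formed', 'malformed' and 'empty', and distinct is the set of
    well-formed addresses. The whole address is lower-cased before
    de-duplication; strictly the local part is case-sensitive, but mail
    systems treat it case-insensitively in practice, and dumps routinely
    contain the same mailbox in several spellings.
    """
    stats = Counter()
    distinct = set()
    for line in text.splitlines():
        addr = extract_address(line)
        if addr is None:
            stats["empty"] += 1
        elif is_well_formed(addr):
            stats["well_formed"] += 1
            distinct.add(addr.lower())
        else:
            stats["malformed"] += 1
    return stats, distinct


if __name__ == "__main__":
    stats, distinct = triage_dump(SAMPLE_DUMP)
    print(stats)                      # Counter({'well_formed': 5, 'malformed': 4})
    print(len(distinct), "distinct")  # 4 distinct
```

On the nine constructed lines, five pass the syntax check but only four distinct mailboxes remain after case-folding, and four lines are scraping debris. Run over a real dump, the gap between line count and distinct well-formed addresses is the gap Hunt is describing.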

oneeye

Jul 14, 2014
Security researchers have uncovered one of the largest single spambots ever seen, loaded with 711 million email records.

The so-called 'Onliner' spambot was discovered by researcher 'Benkow' who claimed it has been in use since at least 2016, spreading a banking trojan called Ursnif.

It contains around 50GB of emails, credentials and SMTP configuration files, he explained in a blog post.

“I have seen this spambot targeting specific countries like Italy, or specific business like hotels,” said Benkow.

Troy Hunt, owner of the HaveIBeenPwned site, claimed it was the “largest single set of data I've ever loaded into HIBP.”

Here is a good write-up by Troy Hunt on what he did with this data. He's putting a lot of work into this, and explains in detail why you can't just get any passwords that might be associated with the email addresses. But he did create a new list of just those passwords, for a very specific reason, which is very unique. Here is the link, and be sure to listen to his latest podcast for a follow-up.
Inside the Massive 711 Million Record Onliner Spambot Dump

Weebarra

Apr 5, 2017
Yep, I was one of those people, but took action immediately upon receiving an email from "Have I Been Pwned". Better to be safe than sorry, I suppose.