
Spambot weaponizes 711M accounts to spread Ursnif malware

A Paris-based security researcher who goes by the pseudonym Benkow has spotted a massive spambot, dubbed Onliner, weaponizing 711 million email addresses and associated credentials (including SMTP server logins) to distribute phishing emails laced with data-stealing malware.

Benkow discovered the spambot on an open, publicly accessible web server hosted in the Netherlands that was being used to store dozens of text files containing the email addresses, passwords, and email server details used to send the spam messages.

The spambot was collecting stolen email credentials and server login details stemming from previous data breaches, such as the LinkedIn and Badoo hacks, as well as from other unknown sources, in order to send the emails through "legitimate servers" in an attempt to circumvent spam filters, according to a ZDNet report.

The spambot used roughly 80 million of the compromised email server credentials to send mail to the remaining 630 million target addresses. The first wave of messages served to "fingerprint" potential victims (according to the ZDNet report, an embedded remote image reports the recipient's IP address and user agent back to the operator when the message is opened) and identify those using Windows computers; those recipients were then sent the Ursnif malware. iPhone and Android users aren't affected by the malware.
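The abuse described above relies on stolen credentials that authenticate successfully to legitimate mail servers, so the mail server operator is the one best placed to notice it. The following is an added example, not code from the article or from the researchers it quotes: it parses Postfix/SASL-style `smtpd` authentication lines (the sample lines are constructed for this example) and flags any account that authenticates from an unusually large set of client IPs, or an unusual number of times, within a short window, which is what a single account being driven by a spambot looks like from the server side. The thresholds, the assumed year (syslog lines carry none), and the exact log format are assumptions to adjust for a real deployment.

```python
"""Flag mail accounts whose SMTP AUTH pattern looks like a spambot relaying
through stolen credentials (many source IPs, burst of logins) rather than a
single user.  The log lines below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Postfix/SASL-style smtpd lines (constructed sample data, not a real log).
SAMPLE_LOG = """\
Aug 28 10:01:02 mx postfix/smtpd[2101]: 4A1B2C: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Aug 28 10:01:05 mx postfix/smtpd[2102]: 4A1B2D: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Aug 28 10:01:09 mx postfix/smtpd[2103]: 4A1B2E: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=alice@example.com
Aug 28 10:01:11 mx postfix/smtpd[2104]: 4A1B2F: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=alice@example.com
Aug 28 10:01:15 mx postfix/smtpd[2105]: 4A1B30: client=unknown[198.51.100.21], sasl_method=PLAIN, sasl_username=alice@example.com
Aug 28 10:02:00 mx postfix/smtpd[2106]: 4A1B31: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Aug 28 10:30:00 mx postfix/smtpd[2107]: 4A1B32: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Aug 28 10:31:00 mx postfix/smtpd[2108]: 4A1B33: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=carol@example.com
"""

# Matches only sessions that completed SASL authentication; other smtpd
# lines (connects, disconnects, rejects) are deliberately ignored.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=[^\[]*\[(?P<ip>[^\]]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)$"
)

# Syslog timestamps carry no year; 2017 is assumed for this example.
ASSUMED_YEAR = "2017"


def parse_sasl_auths(log_text):
    """Return a list of (timestamp, username, client_ip) per authenticated session."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(ASSUMED_YEAR + " " + m["ts"], "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def find_abused_accounts(events, window_seconds=300, max_ips=3, max_auths=20):
    """Flag accounts whose peak, inside any sliding window of window_seconds,
    exceeds max_ips distinct client IPs or max_auths authentications.
    A real user logs in from one or two addresses; a spambot driving a stolen
    credential fans out across many relays and sessions."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))

    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        peak_ips = peak_auths = 0
        start = 0
        for end in range(len(hits)):
            # Advance the window start until it is within window_seconds of hits[end].
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            window = hits[start:end + 1]
            peak_ips = max(peak_ips, len({ip for _, ip in window}))
            peak_auths = max(peak_auths, len(window))
        if peak_ips > max_ips or peak_auths > max_auths:
            flagged[user] = {"peak_distinct_ips": peak_ips, "peak_auths": peak_auths}
    return flagged


if __name__ == "__main__":
    for user, stats in find_abused_accounts(parse_sasl_auths(SAMPLE_LOG)).items():
        print(f"suspicious SMTP AUTH for {user}: {stats}")
```

In the constructed log, `alice@example.com` authenticates from five different addresses in 13 seconds and is flagged, while `bob@example.com` logging in twice from one laptop and a single login by `carol@example.com` are not. On a real server the same sliding-window approach should also watch the outbound message volume per account, since a spambot may reuse one session for many recipients.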

The malware arrives as an attachment to the malicious email. Once opened, it drops component files onto the infected system and creates autostart registry entries to ensure it is executed automatically at startup. The dropped components then inject themselves into running processes and infect files of certain types and extensions. Finally, the malware collects the system's information and sends it to a command-and-control (C2) server.
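Each stage of the infection chain just described leaves a distinct trace in endpoint telemetry, and the stages are far more telling together than alone. The following is an added example, not code from the article or from any vendor it quotes: it correlates simplified Sysmon-style events (process creation, file creation, registry value set, remote thread creation, network connection) into per-process chains and reports those that show at least three of the stages. The event schema, process names, paths, and registry keys are constructed sample data and assumptions for this example; real Sysmon fields differ in name and would need mapping.

```python
"""Correlate endpoint events into the infection chain described above:
attachment executed from a mail client, component dropped to a user-writable
path, autostart Run key written, code injected into another process, and an
outbound connection.  All events and paths below are constructed for this
example, not real telemetry."""
import re

USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
MAIL_AND_OFFICE = ("outlook.exe", "winword.exe", "excel.exe", "thunderbird.exe")

SAMPLE_EVENTS = [
    # Benign noise: a browser writing to its own cache, an installer registering a tray app.
    {"event": "ProcessCreate", "pid": 3100, "ppid": 900,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "FileCreate", "pid": 3100,
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Cache\f_0001"},
    {"event": "RegistrySet", "pid": 3200,
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "value": r"C:\Program Files\Vendor\tray.exe"},
    # Suspicious chain: attachment run from Outlook drops a payload that persists, injects and beacons.
    {"event": "ProcessCreate", "pid": 4120, "ppid": 2500,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\invoice_3921.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"event": "FileCreate", "pid": 4120, "target": r"C:\Users\jdoe\AppData\Roaming\Updater\upd.exe"},
    {"event": "ProcessCreate", "pid": 4188, "ppid": 4120,
     "image": r"C:\Users\jdoe\AppData\Roaming\Updater\upd.exe",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\invoice_3921.exe"},
    {"event": "RegistrySet", "pid": 4188,
     "key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\jdoe\AppData\Roaming\Updater\upd.exe"},
    {"event": "CreateRemoteThread", "pid": 4188, "target_image": r"C:\Windows\explorer.exe"},
    {"event": "NetworkConnect", "pid": 4188, "dest_ip": "203.0.113.77", "dest_port": 443},
]


def find_infection_chains(events, min_stages=3):
    """Group stage hits by the root of each process tree we observed being
    created, so a dropper and the child it launches count as one chain, and
    return {root_pid: [stages]} for chains with at least min_stages stages."""
    parents = {e["pid"]: e["ppid"] for e in events if e["event"] == "ProcessCreate"}

    def root(pid):
        # Walk up only through processes whose creation we saw; stop at the
        # first ancestor we did not observe (e.g. the mail client itself).
        while pid in parents and parents[pid] in parents:
            pid = parents[pid]
        return pid

    stages = {}

    def mark(pid, stage):
        stages.setdefault(root(pid), set()).add(stage)

    for e in events:
        kind = e["event"]
        if kind == "ProcessCreate":
            parent = e["parent_image"].rsplit("\\", 1)[-1].lower()
            if parent in MAIL_AND_OFFICE and USER_WRITABLE.match(e["image"]):
                mark(e["pid"], "attachment_executed")
        elif kind == "FileCreate":
            if USER_WRITABLE.match(e["target"]) and e["target"].lower().endswith((".exe", ".dll")):
                mark(e["pid"], "component_dropped")
        elif kind == "RegistrySet":
            if RUN_KEY.search(e["key"]) and USER_WRITABLE.match(e["value"]):
                mark(e["pid"], "autostart_persistence")
        elif kind == "CreateRemoteThread":
            mark(e["pid"], "process_injection")
        elif kind == "NetworkConnect":
            mark(e["pid"], "outbound_connection")

    return {pid: sorted(s) for pid, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for pid, found in find_infection_chains(SAMPLE_EVENTS).items():
        print(f"process tree rooted at pid {pid}: {', '.join(found)}")
```

With the constructed events, only the tree rooted at the attachment process (pid 4120) is reported, with all five stages; the browser cache write and the installer's Run key under `HKLM` pointing into `Program Files` produce no stages on their own. Requiring several stages rather than alerting on any single one is what keeps the Run-key check from firing on every legitimate installer.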

Campaigns like this, which are designed to bypass spam filters and spoof legitimate sources, are without a doubt more effective than traditional phishing attacks, Bitglass Product Manager Salim Hafid told SC Media.

“These targeted attacks, where malware is delivered to millions of individuals, can spread at higher rates and yield more information,” Hafid said.

Benkow and independent researcher Troy Hunt have been in touch with a trusted source in the Netherlands who is communicating with law enforcement in an attempt to shut down the command-and-control server, Hunt said in an Aug. 30 blog post.

The spambot is a reminder that data breaches don't end after the public disclosure, Cylance Senior Research Scientist Jim Walter told SC Media.

“Leaked/breached data can continue to live on and be used, reused, sold, re-sold, etc. for purposes just as described here,” Walter said. “Any organization that is not aware of and closely following OSINT specific to their company/brand/intellectual property/etc. is bound to fall victim to continued use of their data or infrastructure for ongoing malicious activity.”

Walter added that the real takeaway from the scenario should be to educate and remind everyone of the permanence of leaked data and of the need not only to defend your organization, but also to monitor the "ether" for continued misuse of data and resources.

One researcher pointed out that the situation is unsettling because it demonstrates that cybercriminals aren't protecting the user data they steal.

“Some may think the bad guy has no motivation to protect our data, but they do,” STEALTHbits Technologies researcher Jonathan Sander told SC Media. “The amount and how well enriched their data set is becomes their competitive advantage in a crowded black market.”

Similar to how people prefer Google over other search engines because of the platform's huge reach, the black market has brands that stake their reputation on having the biggest database of quality stolen data, Sander said, adding that it's disheartening that criminals would fail to secure the ill-gotten goods.
