Written byPatrick Howell O'Neill
A trove of 711 million email accounts used by a colossal spam operation was found by a Parisian security researcher this week. The collection, hosted on a publicly accessible server in the Netherlands, includes email addresses, corresponding passwords and servers engineered to help the spam avoid inbox filters.
Uncovered by a pseudonymous researcher named Benkow moʞuƎq and reported by blogger and developer Troy Hunt, the spambot known as “Onliner” marks the largest-ever data set loaded into haveibeenpwned.com, a popular breach notification service operated by Hunt.
Onliner delivers Ursnif banking malware, ZDNet reported, which is responsible in more than 100,000 global infections.
Ursnif is infamous years-old data-stealing malware that has been updated continuously. It’s an evolving threat that can move through numerous attack vectors. In a 2017 report, Palo Alto Networks researchers said “newer versions of the threat allow attackers to steal browsing data such as banking and credit card information, acquire passwords via screenshots and keylogging, execute arbitrary second payloads, infect additional files to further victimize other machines, and communicate peer-to-peer between different Ursnif instances in the same network.”
The 711 million number overstates exactly how many real human beings are affected. Some of the data is repeated or malformed, but the overall haul is still very large.
“The sheer size of the breach is alone a cause for concern, let alone the damage it could cause further down the line,” Brian Laing, vice president at the security firm Lastline, said. “This breach is an example of how hackers merge data from multiple sources, building dossiers on potential victims, including spear phishing targets. In this instance, the majority of the passwords in the latest security breach appear to have been collated from previous leaks, including the 2012 LinkedIn data breach. Every breach reveals data that criminals can use to launch additional attacks, either by the initial attackers or other criminals to whom they sell the compromised data.”
The Onliner’s trove is now searchable in Have I Been Pwned database.