Another day, another security breach. Yet the Onliner Spambot dump is slightly different from the others: it contains over 700 million email addresses and passwords. As such, it is the largest leak to date.
Onliner Spambot Password Dump
The Onliner Spambot dump is a significant haul in a year that has already seen several massive data breaches. These breaches, including River City Media, Verizon, Lynda, Deep Root Analytics, Edmodo, and Atlassian HipChat, are minute compared to the combined weight of the Onliner Spambot leak.
Onliner Spambot was uncovered by the security researcher known as Benkow, who is based in France. The spambot has collected over 700 million individual email addresses, passwords, and email servers, all used to send spam. The spambot is primarily used to deliver the Ursnif banking trojan to unsuspecting users. Benkow estimates that over 100,000 unique systems have been infected around the world.
The Ursnif trojan steals data, such as login credentials, banking and credit card data, passwords, and more. However, what sets Onliner apart from other spambots is the sophisticated delivery method.
The “standard” method of delivery — a spam email containing a dropper file — is relatively easy to combat. Spam filters are getting smarter, and domains found to send spam are easily blacklisted.
Instead, Onliner scraped email server credentials from existing data breaches, collating an enormous, 80 million-strong list of valid accounts to send spam from. Therefore, the spam appears to originate from a legitimate email account, avoiding any spam filters.
“To send spam, the attacker needs a huge list of SMTP credentials. To do so, there are only two options: create it or buy it. And it’s the same as for the IPs: the more SMTP servers he can find, the more he can distribute the campaign.”
Next, instead of bombarding potential victims, the spambot sends a single email containing a single-pixel fingerprinting image. When the email is opened, the pixel image sends back important user information, such as the IP address, user-agent details, and more. This helps the attackers know which computers to target — specifically seeking Windows systems — instead of taking a more general spray-gun approach.
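Mail gateways and security teams can catch this kind of fingerprinting beacon before a user opens the message. The script below is an added example (not code from the article or from the researcher it cites) that scans an HTML email body for tracking-pixel-style images: remote images that are 1x1, hidden with display:none, or that carry a query string such as a per-recipient token. The email body, hostnames and token values are constructed for the example.

```python
"""Scan an HTML email body for tracking-pixel style images.

Added example, not from the original article. The email below is a
constructed sample; no real campaign data is used.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a short HTML email carrying a 1x1 remote image with a
# per-recipient token in its query string, plus an ordinary inline logo and
# a large remote banner that should not be flagged.
SAMPLE_EMAIL = """
<html><body>
<p>Hello, please see the attached invoice.</p>
<img src="cid:logo.png" width="120" height="40" alt="Company logo">
<img src="https://tracker.example.invalid/p.gif?id=abc123&u=bob" width="1" height="1" style="display:none">
<img src="https://cdn.example.invalid/banner.jpg" style="width:600px;height:120px">
</body></html>
"""

_STYLE_DIM = re.compile(r"(width|height)\s*:\s*(\d+)\s*px", re.I)


def _dimension(attrs, name):
    """Return the image's width or height in pixels, taken from the HTML
    attribute or the inline style, or None if neither states it."""
    val = attrs.get(name)
    if val is not None and val.strip().rstrip("px").isdigit():
        return int(val.strip().rstrip("px"))
    for dim, num in _STYLE_DIM.findall(attrs.get("style", "")):
        if dim.lower() == name:
            return int(num)
    return None


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def find_tracking_pixels(html):
    """Return a list of suspicious <img> descriptors.

    An image is flagged when it is fetched over http/https and either is at
    most 1x1, is hidden via display:none, or carries a query string (a
    typical place for a per-recipient identifier). Inline cid: and data:
    images are skipped because they cannot report back to a remote server.
    """
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            continue
        reasons = []
        w, h = _dimension(img, "width"), _dimension(img, "height")
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1 image")
        if "display:none" in img.get("style", "").replace(" ", "").lower():
            reasons.append("hidden image")
        if parsed.query:
            reasons.append("query string: " + parsed.query)
        if reasons:
            findings.append({"host": parsed.hostname, "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_EMAIL):
        print(finding["host"], "->", ", ".join(finding["reasons"]))
```

The same check is the reason many mail clients now block remote images by default: an image that is never fetched cannot leak the reader's IP address or user agent, so a "load remote content" prompt is itself a mitigation for this delivery method.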
According to Troy Hunt, creator of Have I Been Pwned?, only 27% of the email addresses already existed in the HIBP database. That means some 519 million individual email address and password combinations are newly compromised. In a blog post, Hunt also pointed out that 711 million is basically the entire population of Europe — a serious number of compromised addresses.
So, what can you do?
First, head to Have I Been Pwned? and enter your email address(es) into the search bar. It takes a few seconds, and you’ll immediately discover if your address and password have been compromised. And that’s not only for the Onliner spambot. If your address leaked during any other data breach (contained in the database), you will find out.
If compromised, you need to begin the reset process for any services using that email address. It is important to remember as many accounts as possible, but I understand that is difficult. Start by changing any linked to sensitive information: accounts holding financial data, debit and credit cards, and so on.
Next, start using two-factor verification on all of your accounts, and seriously consider using a password manager to keep track of and to secure your passwords.
Once your address and password are out there, they won’t disappear. But you can mitigate the potential effects.
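The site search described above covers email addresses. Have I Been Pwned also exposes a Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/) that a password manager or sign-up form can query without ever sending the password or its full hash: only the first five hex characters of the SHA-1 are sent, and the caller matches the remaining 35 characters locally against the returned "SUFFIX:COUNT" lines. The code below is an added example, not code from the article or from HIBP. The endpoint and response format are real; the response body, counts and passwords used here are constructed so the example runs offline.

```python
"""k-anonymity password check against Have I Been Pwned's range API.

Added example, not code from the article or from HIBP. Only the first five
hex characters of the SHA-1 hash leave the machine; the rest is matched
locally. The default fetcher returns a constructed response so the example
runs offline; live_fetch() shows the real request.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint

# Constructed response for the prefix 5BAA6 (SHA-1 of "password" begins
# 5BAA6). Real responses hold many more lines; these counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "\r\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ])
}


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_from_range(suffix, body):
    """Parse a 'SUFFIX:COUNT' range body and return the breach count for
    the given suffix, or 0 when the suffix is absent. Malformed lines are
    ignored rather than trusted."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix and count.strip().isdigit():
            return int(count)
    return 0


def constructed_fetch(prefix):
    """Offline stand-in for the API: returns the constructed body for a
    known prefix and an empty body otherwise."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def live_fetch(prefix):
    """Fetch the real range body for a 5-char prefix (needs network)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password, fetch_range=constructed_fetch):
    """Return how many times the password appears in the range data, 0 if
    it is not listed. Only the hash prefix is passed to fetch_range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_from_range(suffix, fetch_range(prefix))


if __name__ == "__main__":
    for candidate in ("password", "a-long-unique-passphrase-9zq"):
        print(candidate, "->", check_password(candidate))
```

A count greater than zero is a signal to choose a different password, not proof that a particular account was breached; the range data says how often that password string has appeared in known dumps. Conversely a count of zero from the constructed fetcher only means the example's tiny sample did not contain it, which is why the block keeps live_fetch() separate and clearly named.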
Have you been pwned? Did you realize that more than one account is compromised? What is your favorite password manager? Let us know your thoughts on data breaches below!
Image Credit: elwynn via Shutterstock.com