Giant spambot scooped up 711 million email addressesSeptember 1, 2017
A malware researcher has discovered a spamming operation that has been drawing on a list of 711.5 million email addresses.
The scale of the scheme appears to make it the biggest find of its kind.
The addresses – and in some cases associated passwords – have apparently been gathered to help spread banking malware.
Members of the public can check if their accounts have been affected via the Have I Been Pwned service.
Its operator, Troy Hunt, acknowledged that some of the listed addresses corresponded to non-existent accounts.
But he added that the number that had been collated still totalled a “mind-boggling amount”.
The Spambot discovery was first flagged by a Paris-based security expert who calls himself Benkow.
It was then brought to wider attention by the ZDnet news site.
The database of 711 million user details can be divided in two.
In cases where the attackers know only an email address, they can only target the owner with spam in the hope of tricking them into revealing more information.
But in cases where they also have the user’s login password and other details, they can secretly hijack their accounts to aid their campaign via a spambot known as Onliner.
- Why do we call unwanted emails spam?
- Guardian Soulmates users hit with spam
- Onecom fined for millions of spam texts
Benkow acknowledged that it was “difficult to know where [the] credentials had come from”, but suggested that they might have been gathered from previous leaks, a Facebook phishing campaign and illegal sales of hacking victims’ details.
In some cases, the perpetrators had gathered details of the accounts’ simple mail transfer protocol (SMTP) server and port settings.
This information could be used to fool email providers’ spam-detecting systems into letting messages through that might otherwise have been blocked.
“While the list of mailable addresses is quite large, it is probably no larger than any seen previously,” Richard Cox, former chief information officer of the Spamhaus project, told the BBC.
“The lists of compromised accounts are more worrying.
“When compromised accounts are used for spam, they can only be stopped by their providers suspending the account – but when that many are involved, it will severely overload the security/abuse departments of those providers, making it a slow process and that is what keeps the spam flowing.”
Benkow added that the Onliner spambot had been hiding tiny pixel-sized images in the emails it had sent out, which were used to harvest information about recipients’ computers.
This meant that the right kinds of malware attachments required to infect different types of devices could be included when follow-up messages masquerading as business invoices were delivered.
Mr Hunt said that the Spambot lists had been tracked to a Netherlands-based computer server, but it had yet to be shut down.
For now, affected users are able to check only if their email addresses have been targeted, but not if their accounts have been hijacked.
But Benkow told the BBC there were still protective steps affected users could take.
“I recommend you to change your password, and be more vigilant with the emails that you receive, now you know that you’re on malware deliverers’ lists,” he said.