Posted on August 30, 2017 at 11:53 AM
One of the world’s largest spambots has been uncovered by Benkow, a pseudonymous security researcher based in Paris. Benkow found an open web server in the Netherlands that was being used to store text files holding huge volumes of email addresses and passwords, together with the SMTP servers used to dispatch spam.
Spammers need these credentials to break through spam filters by sending their mail through legitimate servers. “Onliner,” as the spambot is known, has been blamed for delivering the Ursnif banking malware to inboxes across the globe; the latest figures put it at over 100,000 infections.
“The quantity of this data is mind-boggling,” said Troy Hunt, founder and head of operations at Have I Been Pwned, a breach notification website.
Hunt, who analyzed the findings in a blog post, said this is the largest set of breach data the notification site has ever encountered. He has spent a good part of his time digging into the Ursnif malware, which steals personal details including login credentials, credit card data, and passwords.
Spammers all over the world tend to follow a similar pattern when stealing details by email. They send out large numbers of emails to many recipients, disguised so that they appear to come from a genuine organization. As soon as the attachment is opened, the malware downloads and installs itself on the machine.
Spam remains a common way of distributing malware throughout the world. Luckily, spam filters are also getting smarter by the day, and thousands of domains have already been blacklisted for sending spam.
But “Onliner” remains a hard nut to crack, since it uses a sophisticated setup to get past those filters.
Benkow explains that the attacker relies on hundreds of stolen SMTP credentials in a spam campaign. Because the mail is submitted through the real, authenticated server each credential belongs to, it inherits that server’s reputation and passes sender checks such as SPF, so the spammer can deliver a “legitimate email” with the malware embedded in it.
“If the SMTP servers are available to him in plenty, the distributed campaign becomes much stronger.” There are different ways of getting these credentials, including the Badoo and LinkedIn hacks and many other unnamed sources.
The exposed spambot holds more than 80 million accounts. Each line has an email address and password together with the SMTP server and port used to dispatch emails. The spammer tests each entry to confirm that the login works before using it to send spam; those that don’t work are discarded.
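The credential list described above (one entry per line: email address, password, SMTP server and port), as an added example that is not part of the original article or the researcher’s own tooling. It parses a constructed dump in an assumed `email:password:host:port` layout (the article does not give the real delimiter), rejects malformed entries the way the spammer’s own validation would discard them, and lets a defender check whether any of their domains or mail servers appear, reporting matches with the credential redacted. The sample lines, domain names and function names are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape the article describes: email address,
# password, and the SMTP server and port the spammer would relay through.
# The colon delimiter and every value here are assumptions, not the real dump.
SAMPLE_DUMP = """\
alice@example.com:Summer2017!:mail.example.com:587
bob@example.org:hunter2:smtp.example.org:465
malformed line without fields
carol@example.com:P@ssw0rd:mail.example.com:notaport
dave@other.net:letmein:smtp.other.net:25
"""

# Assumed layout; passwords containing ':' would need a smarter split.
ENTRY_RE = re.compile(
    r"^(?P<email>[^:@\s]+@[^:@\s]+):(?P<password>[^:]*):(?P<host>[^:\s]+):(?P<port>\d{1,5})$"
)


def parse_dump(text):
    """Split a dump into usable entries and rejected (line number, text) pairs."""
    entries, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY_RE.match(line.strip())
        if not m or not 0 < int(m["port"]) < 65536:
            rejected.append((lineno, line))
            continue
        entries.append({
            "email": m["email"],
            "password": m["password"],
            "host": m["host"],
            "port": int(m["port"]),
        })
    return entries, rejected


def exposed_for(entries, domains):
    """Entries whose mailbox domain or relay host belongs to one of `domains`."""
    domains = {d.lower() for d in domains}
    hits = []
    for e in entries:
        mail_domain = e["email"].rsplit("@", 1)[1].lower()
        host = e["host"].lower()
        relay_owned = any(host == d or host.endswith("." + d) for d in domains)
        if mail_domain in domains or relay_owned:
            hits.append(e)
    return hits


def redact(entry):
    """Report a hit without ever writing the password to a log or ticket."""
    local, domain = entry["email"].split("@", 1)
    return f"{local[0]}***@{domain} via {entry['host']}:{entry['port']}"


def relay_summary(entries):
    """How many stolen logins point at each relay: the servers to alert first."""
    counts = defaultdict(int)
    for e in entries:
        counts[(e["host"], e["port"])] += 1
    return dict(counts)
```

The relay summary is the more useful defender view: a single mail server with many entries in the dump is one that should have its submission logs checked for unusual authenticated sending volumes and its affected users forced through a password reset.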
The emails carry a pixel-sized tracking image. When the message is opened and the image is fetched, the spammer’s server learns the machine’s IP address, operating system, type of computer and other details it needs to plan the follow-on attack. Windows computers are the most popular targets.
“It’s important for the malware to narrow down victims since the Ursnif malware only affects Windows as opposed to Android or iPhone users,” said Benkow. “This campaign is getting too noisy, similar to Dridex. And if your campaign makes a lot of noise, law enforcement will be on your neck,” he adds.
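The tracking-pixel mechanism from the last two paragraphs, as an added example that is not code from the article or from Onliner itself. `fingerprint()` shows what the spammer’s server learns from a single image request, including the operating-system guess from the User-Agent header that decides whether the recipient is a Windows target, and `find_tracking_pixels()` is the defender-side check that flags remote 1x1 or hidden images in an HTML message before it reaches a user. The pixel URL layout, header names, sample user-agent strings, URLs and HTML are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# 1x1 transparent GIF (43 bytes): the usual body a pixel endpoint serves.
# The server only cares about the request, not the image.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
             b"\x02\x02D\x01\x00;")

# Assumed URL layout for the pixel: /p/<tracking id>.gif
PIXEL_PATH = re.compile(r"^/p/(?P<tid>[A-Za-z0-9]+)\.gif$")


def classify_os(user_agent):
    """Coarse OS guess from User-Agent. Order matters: Android UAs also say
    'Linux', and iOS UAs also say 'like Mac OS X'."""
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if "android" in ua:
        return "android"
    if "iphone" in ua or "ipad" in ua:
        return "ios"
    if "mac os x" in ua or "macintosh" in ua:
        return "macos"
    if "linux" in ua:
        return "linux"
    return "unknown"


def fingerprint(path, headers, remote_addr):
    """What one GET for the pixel reveals: which mail was opened (tracking id),
    from which IP, on which OS. Returns None for any other path."""
    m = PIXEL_PATH.match(path)
    if not m:
        return None
    h = {k.lower(): v for k, v in headers.items()}
    # Assumed deployment behind a reverse proxy: client IP is the first
    # X-Forwarded-For entry, otherwise the peer address.
    xff = h.get("x-forwarded-for", "")
    ip = xff.split(",")[0].strip() if xff else remote_addr
    ua = h.get("user-agent", "")
    os_name = classify_os(ua)
    return {
        "tracking_id": m["tid"],
        "ip": ip,
        "os": os_name,
        "user_agent": ua,
        # Ursnif runs only on Windows, so this is the selection the article describes.
        "windows_target": os_name == "windows",
    }


def pixel_response():
    """WSGI-style reply; no-store so every open of the mail is a fresh request."""
    return ("200 OK",
            [("Content-Type", "image/gif"), ("Cache-Control", "no-store")],
            PIXEL_GIF)


class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """'1', '1px', ' 1 ' -> 1; anything else -> None."""
    m = re.match(r"^\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else None


def find_tracking_pixels(html):
    """Remote <img> tags that are at most 1x1 or hidden: the usual tracking pixel."""
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for a in parser.imgs:
        src = a.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue  # cid:/data: images never phone home
        w, h = _px(a.get("width")), _px(a.get("height"))
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if tiny or hidden:
            hits.append(src)
    return hits


# Constructed message body: one real logo, two tracking pixels, one inline image.
SAMPLE_HTML = """<html><body><p>Your invoice is attached.</p>
<img src="https://cdn.example.net/logo.png" width="120" height="40">
<img src="https://track.example.test/p/ab12.gif" width="1" height="1">
<img src="cid:inline-logo" width="1" height="1">
<img src="http://track.example.test/q/cd34.gif" style="display: none">
</body></html>"""
```

On the defender side, the simplest mitigation is the one many mail clients already apply: do not load remote images by default, so the fingerprint request never happens and the spammer cannot tell a Windows mailbox from an idle one.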