A new spambot called Onliner has been discovered which can bypass spam filters and target 711 million email addresses, as noted by ZDNet. Onliner is used to send the banking malware Ursnif to vulnerable Windows computers. The trojan then steals passwords, credit card details, and other personal information by tricking a user into open an attachment on the email which causes the malware to download, infecting the computer. The emails can been seen disguised as invoices from government bodies, hotel reservation details, and DHL notifications.
The discovery was made when a security researcher known as Benkow uncovered an open web directory on a web server used by Onliner. Onliner takes advantage of credentials harvested from other security breaches, including the LinkedIn hack from 2012, phishing campaigns, and other sources.
To send spam, Benkow explains in a blog post that a large number of legitimate SMTP (Simple Mail Transfer Protocol) credentials are needed to trick servers into thinking the spam messages are legitimate emails. Benkow was able to grab about 40GBs of the spamming data comprised of email addresses, passwords in clear text, and configuration files. “The more SMTP servers he can find, the more he can distribute the campaign,” Benkow wrote about the spammers. Onliner has the required details for about 80 million accounts which are then used to spam the remaining 630 million email addresses.
Ursnif malware only works on Windows computers. In order to target specific types of computers, the spammer first sends out ‘fingerprinting’ emails though Onliner. Those contain a one pixel GIF. When the email is opened, a request with the target’s IP address and other details are sent to the server that hosts the GIF, enabling the spammer to access that information. The spammer can then decide whether or not to send another email with the malware attached.
Over 100,000 infections have been recorded globally, Benkow told ZDNet. If you want to know if your email has been affected, you can do a search through Have I Been Pwned.
It’s worth repeating that you should never reuse passwords after so many high profile security breaches. And with password managers available both free and paid, you can now easily manage dozens of passwords across your devices.