Massive ‘Onliner’ Spambot Holds 711 Million Email Addresses

Written by

Security researchers have uncovered one of the largest single spambots ever seen, loaded with 711 million email records.

The so-called 'Onliner' spambot was discovered by researcher 'Benkow' who claimed it has been in use since at least 2016, spreading a banking trojan called Ursnif.

It contains around 50GB of emails, credentials and SMTP configuration files, he explained in a blog post.

“I have seen this spambot targeting specific countries like Italy, or specific business like hotels,” said Benkow.

Troy Hunt, owner of the HaveIBeenPwned site, claimed it was the “largest single set of data I've ever loaded into HIBP.”

The trove was found on a Dutch server, with law enforcers in the country contacted to shut it down ASAP, he added.

Crucially, the Onliner campaign doesn’t just use email addresses, but also a smaller trove of 80 million SMTP credentials to authenticate and help bypass anti-spam filters.

“It's difficult to know where those lists of credentials came from. I have obviously seen a lot of public leaks (like Linkedin, Baidu or with every passwords in clear text) but credentials can also come from phishing campaigns, credentials stealer malwares like Pony, or they can also be found in a shop,” explained Benkow.

“Somebody even showed me a spambot with a SQL injection scanner which scans the internet, looks for SQLi, retrieves SQL tables with names like ‘user’ or ‘admin’.”

Not only is the campaign designed to evade spam filters but it also uses 'fingerprinting' techniques to identify victims running the right kind of systems that Ursnif can target, he added.

That raises the spammer’s chances of success whilst keeping his activities largely hidden from law enforcement.

As for the email addresses, the 711 million figure may be somewhat misleading as much of it has been scraped from the web with poor parsing.

“The point here is that there's going to be a bunch of addresses here that simply aren't very well-formed so whilst the ‘711 million’ headline is technically accurate, the number of real humans in the data is going to be somewhat less,” said Hunt.

“Our email addresses are a simple commodity that's shared and traded with reckless abandon, used by unscrupulous parties to bombard us with everything from Viagra offers to promises of Nigerian prince wealth. That, unfortunately, is life on the web today.”

What’s hot on Infosecurity Magazine?