Spambot Contains ‘Mind-Boggling’ Amount of Email, SMTP Credentials

Researchers accessed the Onliner spambot and found 711 million records, including email addresses, email and password combinations, and SMTP credentials and configuration files.

Researchers have managed to penetrate a spam bot and uncover a massive list of 711 million records that includes email addresses, email and password combinations (some in cleartext), and SMTP credentials and configuration files.

Troy Hunt who runs the Have I Been Pwned service called it a “mind-boggling amount of data.”

“Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe,” Hunt wrote in an analysis of the data.

The spambot is called Onliner and it’s been around since 2016 and is best known for spreading the Ursnif banking Trojan. A researcher known as Benkow has studied and reported on Onliner for months; he found an open directory in an Onliner server hosted in the Netherlands and was able to grab more than 50 GB of data likely culled from the multitude of breaches and data dumps reported last year.

Hunt said that as of yesterday, the server was still up and running and law enforcement had been notified.

Benkow, meanwhile, said he found 80 million credentials among the data, though he added it’s near impossible to determine where they all came from. He was able to determine that about two million came from a Facebook phishing campaign, and that none of those addresses were yet listed on Have I Been Pwned. Hunt’s site is a free resource where users may enter an email address and learn whether it has been part of a publicly known breach.

More than one billion records containing personal information, including email addresses, were exposed in 2016 alone as a rash of leaked data from numerous breaches were put up for sale or made available to the public.

“That’s the unfortunate reality for all of us: our email addresses are a simple commodity that’s shared and traded with reckless abandon, used by unscrupulous parties to bombard us with everything from Viagra offers to promises of Nigerian prince wealth,” Hunt wrote. “That, unfortunately, is life on the web today.”

Benkow said the SMTP credentials and configuration information is the key to this particular set of data. Antispam solutions, reputation services, and firewall rules have put a dent in spammers’ ability to send unwanted emails the old-fashioned way by scanning the internet for vulnerable SMTP servers running in Open Relay mode or with weak credentials.

Additional steps are required today, generally starting with a website exploit that leads to the compromised site hosting a PHP script used to send email, or malware used to infect computers and send spam. These methods, however, don’t scale well without SMTP credentials, Benkow said.

“Indeed, to send spam, the attacker needs a huge list of SMTP credentials. To do so, there are only two options: create it or buy,” Benkow wrote. “And it’s the same as for the IPs: the more SMTP servers he can find, the more he can distribute the campaign.”

Ursnif, for example, contains two modules used to send spam and create a list of SMTP credentials. Email addresses and credentials are fed to the module, which tries to send an email using this combination, he said. Any that fail are ignored. The good ones are added to a growing list of usable credentials.

Benkow shared his findings with Hunt who has since made all of it searchable in Have I Been Pwned. Hunt found a lot of overlapping data among the files he analyzed, including some poorly parsed data that indicates that the number of people involved are likely a lot fewer than 711 million. Nonetheless, one file alone contained 1.2 million email addresses and cleartext passwords, many of which are likely from the LinkedIn breach which leaked passwords as SHA1 hashes with no salt. Many of these passwords were likely quite easy to crack, Hunt said.

Another file contained 4.2 million email addresses and passwords and each one, according to Hunt and Have I Been Pwned, were found in a list from the Exploit[.]In underground forum.

Hunt also found in separate files thousands of records containing email addresses, passwords and SMTP server and port designations (25 and 587).

“This immediately illustrates the value of the data: thousands of valid SMTP accounts give the spammer a nice range of mail servers to send their messages from,” Hunt said. “It took HIBP 110 data breaches over a period of 2 and a half years to accumulate 711m addresses and here we go, in one fell swoop, with that many concentrated in a single location. It’s a mind-boggling amount of data.”

Suggested articles