Spambot email leak compromises 711M records

An email leak containing 711 million records was found in a breach of a spambot list stored in the Netherlands and included both addresses and passwords used to access email accounts.

A security researcher found a massive spambot list of email addresses and passwords and said it is a sign that there needs to be more awareness around spambot businesses.

Benkow, a researcher for network security firm Openminded, based in Paris, said in a blog post that he had been tracking the Onliner spambot since 2016 before finding the email leak containing 711 million records in an open directory on the web server of the Onliner spambot's command-and-control (C&C) infrastructure. Benkow said the spambot email leak included address and password pairs in plain text, spambot configuration files and the spambot list.

Without the correct tools to process a text file so big, Benkow at first estimated the spambot email leak contained about 80 million records. However, after sharing the data with security researcher Troy Hunt, Hunt sorted the data to find 711 million records, which he said "makes it the largest single set of data I've ever loaded into [Have I Been Pwned]. Just for a sense of scale, that's almost one address for every single man, woman and child in all of Europe."

Hunt's analysis of the spambot email leak uncovered his own email address in the list, as well as addresses from around the world. He also checked a random selection of a dozen different email addresses against Have I Been Pwned and found that "every single one of them was in the LinkedIn data breach."
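As an added example (not from the article, and not Hunt's or Benkow's tooling), the kind of small triage script a defender would run over a plain-text address:password list like this one: it streams the file line by line so very large dumps stay within memory, normalises and de-duplicates addresses, counts records per domain and flags any address in a watched corporate domain, without retaining the passwords. The sample lines and the domain corp-example.net are constructed.

```python
import re
from collections import Counter

# Constructed sample in the "address:password" plain-text layout the
# article describes; values are made up, not taken from the real dump.
SAMPLE_DUMP = """\
alice@example.com:hunter2
Alice@Example.com:hunter2
bob@example.org:password1
carol@corp-example.net:Summer2017!
not-an-email-line
dave@corp-example.net:letmein
bob@example.org:password1
"""

# One address, a colon, then the password (which may itself contain colons).
RECORD_RE = re.compile(r"^([^:@\s]+@[^:\s]+):(.*)$")


def parse_dump(lines, watched_domains):
    """Summarise a leaked credential list without keeping any passwords.

    lines           -- any iterable of text lines (a file object works, so
                       the whole dump never has to be loaded into memory)
    watched_domains -- set of domains whose addresses should be flagged
    Returns a dict with the raw record count, the number of unique
    addresses, a per-domain Counter and the sorted list of watched hits.
    """
    total = 0
    seen = set()
    per_domain = Counter()
    watched_hits = set()
    for line in lines:
        match = RECORD_RE.match(line.rstrip("\n"))
        if not match:
            continue          # skip config lines, blanks and other noise
        total += 1
        addr = match.group(1).lower()   # case-fold before de-duplicating
        if addr in seen:
            continue
        seen.add(addr)
        domain = addr.rsplit("@", 1)[1]
        per_domain[domain] += 1
        if domain in watched_domains:
            watched_hits.add(addr)
    return {"records": total, "unique": len(seen),
            "per_domain": per_domain, "watched": sorted(watched_hits)}


if __name__ == "__main__":
    summary = parse_dump(SAMPLE_DUMP.splitlines(), {"corp-example.net"})
    print(summary["records"], "records,", summary["unique"], "unique addresses")
    print("watched hits:", summary["watched"])
```

On a real file, pass the open file object as `lines` so the script streams rather than reads the whole dump at once.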

"Our email addresses are a simple commodity that's shared and traded with reckless abandon, used by unscrupulous parties to bombard us with everything from Viagra offers to promises of Nigerian prince wealth," Hunt concluded. "That, unfortunately, is life on the web today."

The process behind the spambot email list

Benkow wrote in his blog post that spambots need to be more complex these days because of the various antispam products on the market, so spammers will hack websites with known vulnerabilities or use malware to gather credentials.

Benkow said the Onliner spambot used a banking Trojan called Ursnif, which would infect machines and then launch two modules -- one to build the list of credentials and one to send spam through the compromised accounts, so the messages pass spam filters.

"Spambots are often ignored by researchers, and I don't understand why. In a successful cybercrime campaign there are different parts; the final payload is important, but the spam process is very critical too," Benkow wrote. "If you're a malware researcher, it's time to look deeper into the spambot business. It's a creative market which interacts with a lot of other cybercrime business. Around spambots you will often find phishers, password-stealer botmasters, website scanners, malware developers, dropper developers, payload hosters and so on."

Christian Lees, CTO and CSO for InfoArmor, said there were a number of factors to consider with this spambot email leak.

"There is evidence of a significant amount of speculative data, yet also the potential for meaningful amounts of pre-breached data from existing aggregation. Threat actors continue to expand their methods to potentially mainstream or expand their revenue streams," Lees told SearchSecurity. "Continuous large data disclosures of this type, with potentially unverifiable data sources and targets, increase alert fatigue for security professionals. Also, this is another reminder that threat actors also live the dual-edge sword of security."

Jonathan Sander, CTO at STEALTHbits Technologies Inc., based in Hawthorne, N.J., said the scariest part of the spambot email leak was "seeing how much data the bad guys have and how little they are doing to protect it."

"Some may think the bad guy has no motivation to protect our data, but they do. The amount and how well enriched their data set is becomes their competitive advantage in a crowded black market. Just like people using Google more than other search engines because of their huge reach, the black market has brands that stake their reputation on having the biggest database of quality, stolen data," Sander told SearchSecurity. "To see that, even with such financial motivation, they are failing to secure their ill-gotten goods is disheartening."

Experts remind users of the dangers of password reuse

A number of experts focused on the Onliner spambot's use of login credentials stolen from various services in order to access web-based email accounts and send more spam.

Gaurav Banga, founder and CEO at Balbix, said password reuse is a major issue from any email leak.

"From an enterprise perspective, employees often use the same password for sensitive corporate applications and their personal social media accounts. As a result, information such as valuable login credentials can be exposed and compromised when a social platform provider gets hacked," Banga told SearchSecurity. "Enterprises need a way to continuously monitor the risk of credential theft from password sharing between corporate trusted and unknown websites and apps."

Brian Laing, vice president of products and business development at Lastline, said: "Every breach is a reminder of the importance of strong authentication measures in both personal and professional devices, networks and web applications."

"The blurring of personal and professional use of enterprise assets, such as laptops, underscores the criticality of protecting organizations from the network core to the outer edges against advanced persistent threats and evasive malware that could be introduced as a result of an infected personal device targeted as a result of a prior data breach," Laing told SearchSecurity. "Data breaches provide a distribution hub for malware for years to come."

Giovanni Verhaeghe, director of product and market strategy at Vasco Data Security, said breaches like this "highlight, once again, the importance of education when it comes to password management and password use."

"Resetting compromised passwords can be a good first step, but the breach had little to do with the passwords that were used. It was a result of the ease with which they can be accessed from the outside," Verhaeghe told SearchSecurity. "The burden of responsibility lies heavily on organizations, and how much they invest in securing the information users share with them will make a huge difference to user confidence."
