A Paris-based security researcher, going by the pseudonymous handle ‘Benkow’, discovered an open, publicly accessible web server hosted in the Netherlands. The server stores dozens of text files containing a huge batch of email addresses, passwords, and details of email servers frequently used to send spam.
This is actually a very smart move by the cyber criminals. The credentials are crucial for the spammer’s large-scale malware operation: they let it bypass spam filters by sending email through legitimate email servers.
‘Onliner’, the spambot, is used to deliver the banking malware ‘Ursnif’ to vulnerable Windows computers. The trojan then steals passwords, credit card details, and other personal information by tricking the user into opening an attachment in the email, which causes the malware to download and infect the computer. The emails have been seen disguised as invoices from government bodies, hotel reservations, and DHL notifications.
A large number of legitimate SMTP (Simple Mail Transfer Protocol) credentials are needed to trick receiving servers into treating the spam messages as legitimate email. Therefore, the more SMTP servers the spammers can find, the more easily they can distribute the campaign. ‘Onliner’ has the required details for about 80 million accounts, which are then used to spam the remaining 630 million email addresses.
Modus operandi
These emails look like any other mail in the inbox, but they contain a hidden pixel-sized image. When the email is opened, the pixel image sends back the IP address and user-agent information, which is used to identify the type of computer, the operating system, and various other device details. That tells the attacker whom to target with the ‘Ursnif’ malware: specifically Windows computers, rather than sending malicious files to iPhone or Android users, who aren’t affected by the malware. It’s a classic case of a targeted attack.
It looks like the credentials have been collected from different breaches over a period of time, such as the LinkedIn breach and the Badoo hack. However, the source cannot be claimed with certainty.
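The hidden-pixel fingerprinting described above is something a mail gateway can look for. The following scanner is an added example, not code from the article or from Logix: it flags remote images that are 1x1/0x0 or hidden by CSS so they can be stripped or the message quarantined. It uses only the Python standard library; the sample mail body and its URLs are constructed for the demo.

```python
"""Flag hidden tracking pixels in an HTML email body (added example).

A beacon is a remote <img> that is pixel-sized or hidden via CSS; fetching
it leaks the reader's IP address and User-Agent to the sender.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_tiny(value):
    """True for width/height values of 0 or 1 px (e.g. '1', '1px', '0')."""
    if value is None:
        return False
    digits = value.strip().lower().rstrip("px").strip()
    return digits in ("0", "1")


class PixelScanner(HTMLParser):
    """Collect remote <img> sources that are 1x1/0x0 or hidden via CSS."""

    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if urlparse(src).scheme not in ("http", "https"):
            return  # inline/cid images cannot phone home
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = _is_tiny(a.get("width")) and _is_tiny(a.get("height"))
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.beacons.append(src)


def find_tracking_pixels(html):
    """Return the remote image URLs in `html` that behave like beacons."""
    scanner = PixelScanner()
    scanner.feed(html)
    return scanner.beacons


# Constructed sample: a fake "DHL invoice" mail with one logo and two beacons.
SAMPLE_MAIL = """<html><body>
<p>Your DHL shipment invoice is attached.</p>
<img src="https://example.invalid/logo.png" width="120" height="40">
<img src="https://example.invalid/t.php?id=abc" width="1" height="1">
<img src="cid:inline-logo" width="1" height="1">
<img src="http://example.invalid/p.gif" style="display: none;">
</body></html>"""

if __name__ == "__main__":
    print(find_tracking_pixels(SAMPLE_MAIL))
```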
Preventive steps
Change your email password as soon as you can, and make it a regular practice to change it every quarter or so. Be careful which emails and links you click on.
Use strong corporate spam filters that block mail on even the slightest doubt. To learn how to assess and measure your cyber security, and what the best practices for email are, our experts at Logix can help you.
Logix Infosecurity helps identify spam mail as well as intruders in your system and takes preventive measures. The firewalls are well equipped to keep your organization safe, up and running.