Onliner spambot spreads Ursnif banking malware
French security researcher Bekanow discovered what is probably the biggest spambot in spam history. Known as the Onliner spambot, it holds 711 million email addresses and actively sends phishing emails carrying the Ursnif banking malware.
The spambot was discovered on an open server hosted in the Netherlands. The exposed data includes 40 GB of email addresses, passwords in text files and SMTP configurations. One part of the data is an unorganized list of email addresses used as targets for spam.
Another part of the data consists of email addresses and passwords that are used to log in to SMTP servers and send the spam. The logic is simple: the more SMTP servers the attackers can access, the bigger the distribution campaign they can launch.
The dump includes 80 million accounts with complete credentials. These accounts are used to send malicious emails to the remaining 711 million email addresses. A large share of these addresses was collected from massive data leaks. However, it is unclear how the spambot operators managed to collect so many credentials.
The Onliner spambot became famous in 2016 for spreading Ursnif malware
Back in 2016, the Onliner spambot was noticed spreading the same banking Trojan it spreads right now – Ursnif. During that activity, the spambot was seen targeting specific countries and specific business sectors.
According to Bekanow, it is unknown how the operators managed to build such a massive database. It is assumed that it might be related to the huge LinkedIn and Badoo data leaks, Facebook phishing campaigns or the use of data-stealing malware such as Pony.
This cyber threat targets Windows OS only. There have been no reports of Ursnif attacks on Android or iPhone devices.
The banking Trojan spreads via phishing emails that carry a malicious attachment. Once the user opens the attachment, the malware is dropped and executed on the computer. The malware then tampers with legitimate system processes, connects to its Command and Control (C&C) server and executes the commands it receives.
Ursnif is designed to steal banking details, credit card information and credentials, and it can also work as a keylogger.
Phishing emails can bypass spam filters
This phishing attack is significant not only for its size but for its features as well. The spam emails are designed to bypass security filters. Therefore, users who do not check the sender's email address might easily be tricked into opening a malicious attachment.
There is no doubt that cyber criminals use advanced social engineering tactics to craft convincing emails and reach their victims. Finding an email in the spam folder might raise the suspicion that it is a hoax; bypassing the spam filters gives this malware easier access to potential victims.
For this reason, users are advised to be even more careful with the emails they receive. The distribution rate of the banking Trojan is enormous, and the consequences of opening an obfuscated file are hazardous. One unintentional click might lead to money or data loss.
Computer users who use weak passwords might soon expect to see a hazardous email in their inbox. Those who use strong and unique passwords should not worry about it. However, if your passwords consist of your cat's name and your birthday, it is time to generate an unbreakable one.