A security researcher has discovered a spambot using more than 711 million compromised email accounts to spread data-stealing malware
A Paris-based security researcher using the handle Benkow has discovered the largest known cache of email addresses and passwords being used to bypass email filters.
The 711,477,622 email addresses and passwords were found on a server in the Netherlands. “Thanks to an open directory on the web server of the Onliner Spambot CNC [command and control], I was able to grab all the spamming data,” said Benkow in a blog post.
This spambot has been in use since at least 2016 to spread a banking trojan called Ursnif, he said, adding that this spambot typically targets specific countries or specific business types such as hotels.
Ursnif, also known as Gozi, is a banking trojan that allows attackers to steal browsing data such as banking and credit card information, acquire passwords via screenshots and keylogging, execute arbitrary second payloads, infect additional files to further victimise other machines, and communicate peer-to-peer between different Ursnif instances in the same network, according to Palo Alto Networks.
Troy Hunt, who runs the HaveIBeenPwned website, said this is the largest list of compromised email accounts added to the website to date, and far outstrips the previous record of 393 million records that belonged to River City Media. “Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe,” he wrote in a blog post.