A malware researcher has discovered a spamming operation that has been drawing on a list of 711.5 million email addresses which have apparently been gathered to help spread banking malware. The spambot has collected millions of email credentials and server login information in order to send spam through "legitimate" servers, defeating many spam filters.
The spambot, dubbed "Onliner," is used to deliver the Ursnif banking malware into inboxes all over the world. Ursnif is a data-stealing trojan used to grab personal information such as login details, passwords, and credit card data. The spambot discovery was first flagged by a Paris-based security expert who calls himself Benkow. Benkow acknowledged that it was "difficult to know where [the] credentials had come from", but suggested that they might have been gathered from previous leaks, a Facebook phishing campaign and illegal sales of hacking victims' details.
When compromised accounts are used for spam, they can only be stopped by their providers suspending the account. The Onliner spambot had been hiding tiny pixel-sized images in the emails it had sent out, which were used to harvest information about recipients' computers. It was also discovered that the spambot lists had been tracked to a Netherlands-based computer server. Benkow explained that the attacker can send out a million "fingerprinting" spam emails and get a fraction of emails back, but still have enough responses to send out a second batch of a few thousand targeted emails with malware. Law enforcement officials have been made aware of the leaky server.