Are You At Risk of An Account Takeover? Onliner Spambot

📅 October 01, 2020

Could you or highly visible people in your company have fallen victim to a spambot? Given that spambots have targeted billions of email addresses over the years, the chances are high.

Back in August 2017, a security researcher known as Benkow discovered 711 million email addresses and passwords available on a public server. It's the third-largest data breach on record. The database was a result of a leak from what's known as the Onliner Spambot.

The leak revealed the sophisticated way in which malware spammers now bypass filters and take over accounts. In this blog, we'll explain how they work.

How Spambots Have Evolved

Cast your mind back to the early days of the internet when dodgy emails containing viruses plagued your inbox. For cybercriminals, they were the good old days, when all you needed was a list of email addresses.

Fortunately, spam filters are increasingly effective at identifying spammers and blocking their emails. One of the ways spam filters work is by identifying large volumes of emails sent to defunct or inactive email accounts.

To appear legitimate and bypass security filters, spammers need active email accounts.

So now, instead of immediately sending out malware emails, they've added an extra step, called "fingerprinting". The technique used in the Onliner case is a textbook example of fingerprinting.

What is fingerprinting?

Spambots start from an existing database of servers and accounts obtained in previous data breaches. They then double-check which of those email accounts are still active.

The spambot then takes over these accounts and sends out emails from them. In the case of Onliner, the spambot drew on an existing database of 80 million accounts and used them to send a further 630 million emails.

But these initial emails don't contain the malware. Instead, they contain a small 1-pixel image. When you open the email, the image is fetched from the spammer's server, and that request reveals key information such as:

  • Your IP address,
  • The type of operating system and device you are using,
  • And of course, whether you are the kind of person who opens spam emails.

The spammers now have a comprehensive database that they can use to send targeted emails containing malware.
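As an added defender-side example (not code from the original post), the following Python scans an email's HTML body for exactly the kind of 1-pixel or hidden remote image described above; the sample message and the tracker.example and cdn.example hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: an inline logo (cid:), a 1x1 remote beacon carrying a
# per-recipient token, a hidden remote image, and an ordinary banner.
SAMPLE_EMAIL_HTML = """
<html><body>
<img src="cid:logo" width="120" height="40">
<img src="https://tracker.example/open.gif?u=abc123" width="1" height="1">
<img src="https://tracker.example/p.png" style="display: none">
<img src="https://cdn.example/banner.jpg" width="600" height="200">
</body></html>
"""

def _dim(value):
    """Parse '1', '1px' or '0' into an int; missing or unparseable counts as large."""
    m = re.match(r"\s*(\d+)", str(value or ""))
    return int(m.group(1)) if m else 999

def _style_value(style, prop):
    """Return the value of `prop` from a whitespace-stripped inline style, or None."""
    m = re.search(rf"(?:^|;){prop}:([^;]+)", style)
    return m.group(1) if m else None

class TrackingPixelFinder(HTMLParser):
    """Collect remote <img> sources that render tiny or hidden (open beacons)."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if urlparse(src).scheme not in ("http", "https"):
            return  # cid:/data: images never contact the sender's server
        style = (a.get("style") or "").replace(" ", "").lower()
        width = min(_dim(a.get("width")), _dim(_style_value(style, "width")))
        height = min(_dim(a.get("height")), _dim(_style_value(style, "height")))
        hidden = "display:none" in style or "visibility:hidden" in style
        if (width <= 1 and height <= 1) or hidden:
            self.hits.append(src)

def find_tracking_pixels(html):
    """Return the remote image URLs in `html` that look like open beacons."""
    finder = TrackingPixelFinder()
    finder.feed(html)
    return finder.hits
```

Mail clients that block remote image loading by default stop the beacon from ever reporting back, which is why that setting is the simplest mitigation against this fingerprinting step.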

The Onliner spambot used this technique to send out a banking trojan known as "Ursnif." Since 2016, Ursnif has stolen banking information from target computers, including credit card data.

Why do spammers add this extra step?

Aside from scouting out active email servers, the Onliner Spambot was also looking to target Windows users. This is because the Ursnif Trojan was built specifically to work on Windows computers. The idea is to send out targeted emails to limit the size of the operation. If a malware campaign is too big, it raises red flags for law enforcement.

The discovery of the Onliner Spambot dump demonstrated that spammers are becoming more and more sophisticated at evading security filters and law enforcement.

If your email is on one of these lists, you and your company run the risk of identity fraud and account takeovers. Highly visible people in your company are particularly at risk of targeted attacks by hackers. It has never been more important to be one step ahead.