The spam software, dubbed "Onliner," was used to deliver the Ursnif banking malware to inboxes around the world.
A Paris-based security researcher who goes by the pseudonym Benkow discovered an open, publicly accessible web server hosted in the Netherlands that stores dozens of text files containing a large number of email addresses, passwords, and email servers used to send spam: 711 million accounts in total.
The spambot, dubbed "Onliner," is used to deliver the Ursnif banking malware to inboxes around the world. According to Benkow, there have been more than 100,000 infections worldwide to date.
In his blog, Benkow describes spending months investigating Ursnif, a data-stealing Trojan used to obtain personal information as well as login credentials, passwords and credit card details. Typically, a spammer sends a dropper file as an ordinary mail attachment. When the attachment is opened, the malware is downloaded from a server and infects the machine.
However, while spam remains an effective method of delivering malware, email filters are becoming smarter, and many domains associated with spam have been blacklisted. Even so, Onliner uses a sophisticated configuration to evade spam filters.
"To send spam, the attacker needs a huge list of SMTP credentials," Benkow explains in his blog. "The more SMTP servers you find, the more you can deploy the campaign." Those credentials, he says, were compiled from other data breaches, such as the LinkedIn and Badoo hacks, as well as from other unknown sources.