Researcher finds over 711 million compromised email accounts

A Paris-based security researcher using the handle Benkow has discovered the largest known cache of email addresses and passwords being used to bypass email filters.

The 711,477,622 email addresses and passwords were found on a server in the Netherlands. “Thanks to an open directory on the web server of the Onliner Spambot CNC [command and control], I was able to grab all the spamming data,” said Benkow in a blog post.

This spambot has been in use since at least 2016 to spread a banking trojan called Ursnif, he said, adding that this spambot typically targets specific countries or specific business types such as hotels.

Ursnif, also known as Gozi, is a banking Trojan that allows attackers to steal browsing data such as banking and credit card information, acquire passwords via screenshots and keylogging, execute arbitrary second payloads, infect additional files to further victimise other machines, and communicate peer-to-peer between different Ursnif instances in the same network, according to PaloAlto Networks.

Troy Hunt, who runs the HaveIBeenPwned website, said this is the largest list of compromised email accounts added to the website to date, and far outstrips the previous record of 393 million records that belonged to River City Media. “Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe,” he wrote in a blog post.

However, Hunt points out that the data in the dump includes junk prefixed to the address, which may indicate the “address” was scraped off the web and the parsing was not done well.

“The point here is that there’s going to be a bunch of addresses here that simply aren’t very well-formed, so while the ‘711 million’ headline is technically accurate, the number of real humans in the data is going to be somewhat less,” he said.

Hunt also points out that not every compromised credential is new, with millions corresponding to compromised credentials already listed on his website, indicating how this data is continually redistributed once it is in the public domain.

Benkow said it is difficult to know where the list of credentials comes from, adding that sources typically include previous leaks at companies like LinkedIn and Baidu, phishing campaigns, credential-stealing malware like Pony, dark web markets or SQL injection scanners.

The data he grabbed included about 80 million records that containing an email address, password, simple mail transfer protocol (SMTP) server and the port used to send the email.

He said the spammer tests each entry by connecting to the server to ensure the credentials are valid and that spam can be sent. The accounts that work are then added to the spam list and the rest are ignored.

The spam list is then used to send emails to the remaining harvested emails without SMTP records to gather information on the email account holders.

This is achieved using “fingerprinting spam” email messages that contain a hidden single pixel image, and when the recipient opens the message, a request with their IP and User-Agent will be sent to the server that hosts the image, said Benkow.

With this information, he said the spammer is able to know when you have opened the email, from where and on which device. The request also allows the attacker to know that the email is valid and people actually open spam messages.