Cyber experts explain upshot of massive Onliner spambot attack

Exposure of 711 million email addresses makes clear that breaches aren’t slowing down


A spambot, referred to as Onliner, has been discovered delivering a malicious banking Trojan. What’s worse, the spammers behind Onliner inadvertently exposed some 711 million email addresses held in their possession.

Some context is needed to grasp the significance of this. Spambots have been around for a long time. For the most part, garden-variety spambots are a huge nuisance designed to carry out a two-stage mission. First, a spambot crawls the internet harvesting email addresses from websites, newsgroup postings and chat-room conversations, and from this crawling activity it compiles a gargantuan mailing list. Next, the spambot blasts out email pitches for all manner of sketchy products and services.


Onliner happens to be an especially pernicious spambot. It is designed to bypass many types of spam filters, and it delivers messages carrying malicious attachments disguised as invoices from government bodies, hotel reservation details, and DHL notifications. Opening one of these attachments installs the Ursnif banking Trojan on the recipient’s machine. Ursnif very swiftly steals account logons, credit card details, and other personal information.

It turns out that the spammers operating Onliner neglected to lock down one of their servers, allowing anyone to see and download a master mailing list of 711 million email addresses. Allegedly, other spammers used this information to send large amounts of spam through legitimate email accounts, thereby bypassing spam filters.

ThirdCertainty convened a roundtable of cybersecurity experts to discuss Onliner’s wider ramifications. Here are their comments, edited for clarity and length.

Jonathan Sander, chief technology officer, STEALTHbits Technologies

“Perhaps the scariest part of this massive leak is seeing how much data the bad guys have and how little they are doing to protect it. Some may think the bad guys have no motivation to protect our data, but they do. The amount and how well enriched their data set is becomes their competitive advantage in a crowded black market. Just like people using Google more than other search engines because of their huge reach, the black market has brands that stake their reputation on having the biggest database of quality, stolen data. To see that even with such financial motivation they are failing to secure their ill-gotten goods is disheartening.”

John Suit, chief technical officer, Trivalent

“Revelations like this continue to be a wake-up call to organizations everywhere. Even with regular employee training, it only takes one employee opening a bad email to put an entire enterprise’s data at risk of malware, ransomware and other threats. The only way to completely circumvent hacker threats like this is by approaching data protection proactively, rather than reactively, protecting enterprise data at the file level. By taking this defense-in-depth approach, spammers can never succeed in gaining access to actual company files.”

James Romer, chief security architect, SecureAuth

“Despite increasingly complex password use, data breaches continue to soar. Ultimately, we need to ditch the password completely. Removing the ‘human knowledge’ element from the authentication process improves security and improves the user experience. Going passwordless and using multifactor authentication methods like fingerprint or behavioral biometrics is a huge step forward in negating attempts to gain access using compromised credentials.”

Christian Lees, chief technology officer, InfoArmor

“Threat actors continue to expand their methods to potentially mainstream or expand their revenue streams. Continuous large data disclosures of this type, with potentially unverifiable data sources and targets, increase alert fatigue for security professionals. Also, this is another reminder that threat actors also live by the double-edged sword of security.”

Giovanni Verhaeghe, director product & market strategy, VASCO Data Security

“As users now demand a seamless experience across channels, organizations have the added responsibility of making sure that information is secure across these channels. The more user-friendly the system is, the more it needs security. This security can be transparent for sure, but if it doesn’t protect users and their data, it could be leaving the door open for malicious and crippling attacks … The burden of responsibility lies heavily on organizations, and how much they invest in securing the information users share with them will make a huge difference to user confidence.”
