By Gary Nugent

Email Hacking

I talk a lot about the importance of website and blog security on this site, but there are many ways you can get hacked.

If you’ve been following the news in recent years, you’ll likely have heard about at least one data breach that’s occurred where customer or user data has been scooped up by a hacker. That can include your email address, your home address, credit card details and other information that could potentially lead to identity theft.

These details are often sold on to criminals on the Dark Web (that underground area of the World Wide Web that’s only accessible through the Tor browser).

Now a malware researcher has discovered a spamming operation that has been drawing on a list of 711 million email addresses.

While there have been sizable data breaches in the past, including the federal employee data hack in 2015, the scale of this scheme appears to make it the biggest find of its kind.

Email addresses, and in some cases associated passwords, have apparently been collected in order to help spread banking malware.

What About Your Email Address(es)?


You can check if your email addresses have been compromised by using the (free) Have I Been Pwned service.

The guy who runs it – Troy Hunt – has acknowledged that some of the listed addresses corresponded to non-existent accounts. But he added that the number that had been collated still totalled a “mind-boggling amount”.

A Paris-based security expert who goes by the name Benkow was the first to flag the discovery of the Onliner spambot. It was then brought to wider attention by ZDNet.

What Does It Mean For You?

The database of 711 million user details can be divided in two.

1. Where the hackers only know your email address, they can only target you with spam, hoping to trick you into revealing more information or to lead you to sites that attempt to install malware on your PC if you click a link in such emails.

2. If they have both your email address and password, then they can do a lot more damage. How many login details for other accounts and sites have been emailed to your email address when you signed up with them? By logging into your email account, hackers will have access to all that information. Plus anything else you’d rather keep quiet. All that info could be used to impersonate you and steal your identity for nefarious acts.

And they can change your email account password, locking you out of your account.

Your email account can also be hijacked to aid their campaign via a spambot known as Onliner. Basically, your email account will be used to send out spam emails to other people.

How Did The Hackers Get This Information?


Benkow acknowledged that it was “difficult to know where [the] credentials had come from”, but suggested that they might have been gathered from previous leaks, a Facebook phishing campaign and illegal sales of hacking victims’ details from other successful data breaches.

In some cases, the hacker had collected details of the mail accounts’ simple mail transfer protocol (SMTP) server and port settings. This information can be used to fool (spoof) email providers’ spam-detecting systems into letting messages through that might otherwise be blocked.

Richard Cox, former chief information officer of the Spamhaus project, had this to say when talking to the BBC:

While the list of mailable addresses is quite large, it is probably no larger than any seen previously. The lists of compromised accounts are more worrying.

When compromised accounts are used for spam, they can only be stopped by their providers suspending the account – but when that many are involved, it will severely overload the security/abuse departments of those providers, making it a slow process and that is what keeps the spam flowing.

More worryingly, Benkow added that the Onliner spambot had been hiding tiny pixel-sized images in the emails it had sent out, which were used to harvest information about recipients’ computers.

This meant that the right kinds of malware attachments required to infect different types of devices could be included when follow-up messages masquerading as business invoices were delivered.
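The tracking pixels described above are ordinary HTML image tags that are either sized 1x1 or hidden with CSS and point at a remote server, which logs the fetch when a mail client renders the message. The following is an added example, not code from the original post or from any of the researchers named in it: it parses an HTML email body and flags remote images that look like tracking pixels, so a mail filter or an analyst can spot them before the message is rendered. The sample email body is constructed for the example; the domains in it are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body (not from the page): a visible logo,
# a remote 1x1 tracking image, and an image hidden with CSS.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Please find your invoice attached.</p>
<img src="https://cdn.example.com/logo.png" width="120" height="40" alt="Logo">
<img src="https://track.example.net/open?id=abc123" width="1" height="1">
<img src="https://track.example.net/px.gif" style="display: none; width: 0; height: 0">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # Attributes without a value (e.g. <img hidden>) arrive as None.
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse the leading integer of a width/height attribute ("1", "1px")."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_tracking_pixel(attrs):
    """Heuristic: a remote image that is 1x1 or smaller, or hidden via CSS."""
    src = attrs.get("src", "")
    # Only http(s) images cause a fetch that can report back to a server;
    # inline data: URIs and relative paths are ignored here.
    if urlparse(src).scheme not in ("http", "https"):
        return False
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "width:0" in style or "height:0" in style:
        return True
    return False


def find_tracking_pixels(html):
    """Return the remote URLs of every image that looks like a tracking pixel."""
    parser = _ImgCollector()
    parser.feed(html)
    return [img["src"] for img in parser.images if is_tracking_pixel(img)]


if __name__ == "__main__":
    for url in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print("possible tracking pixel:", url)
```

The heuristic errs on the side of flagging: a legitimate spacer image will be reported too, which is the right trade-off for a mail client that simply declines to load remote images until the user asks for them.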

Troy Hunt added that the Spambot lists had been tracked to a Netherlands-based computer server, but it had yet to be shut down.

For now, affected users are able to check only if their email addresses have been targeted, but not if their accounts have been hijacked.

What Should You Do Now?

First, head over to the Have I Been Pwned service and run your email addresses through it. Then, at the very least, change your password for any affected account. Better yet, if your email provider allows it, add two-factor authentication (2FA) to your email account. It makes logging in more onerous, but on the upside, a hacker won’t be able to access your account, even if they have your password.
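If you have more than a couple of addresses to check, it is easier to query the service from a script than to paste each one into the website. The following is an added example, not code from the original post or from Have I Been Pwned itself. It assumes the v3 breached-account endpoint, which requires an API key sent in a `hibp-api-key` header and a `user-agent` header, answers 200 with a JSON list of breaches (each with a `Name` field) and 404 when the address is not in any breach; confirm those details against the current HIBP documentation before relying on them. The response bodies used in the test are constructed, and the real lookup only runs if you export an `HIBP_API_KEY` environment variable.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import quote

HIBP_V3 = "https://haveibeenpwned.com/api/v3"  # assumed v3 base URL


def build_breach_request(address, api_key, user_agent="example-breach-checker"):
    """Build (url, headers) for the breached-account lookup of one address.

    The address is percent-encoded so '@' and '+' cannot alter the path.
    """
    url = f"{HIBP_V3}/breachedaccount/{quote(address, safe='')}"
    headers = {"hibp-api-key": api_key, "user-agent": user_agent}
    return url, headers


def parse_breach_response(status, body):
    """Map an HTTP status and body to the list of breach names for the address.

    404 means the address was not found in any breach; 200 carries JSON.
    Anything else (401 bad key, 429 rate limited, ...) is raised to the caller.
    """
    if status == 404:
        return []
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    return [breach["Name"] for breach in json.loads(body)]


def summarise(results):
    """Turn {address: [breach names]} into a list of (address, count) tuples,
    most-breached first, so the addresses needing a password change stand out."""
    return sorted(((addr, len(names)) for addr, names in results.items()),
                  key=lambda item: (-item[1], item[0]))


def check_addresses(addresses, api_key):
    """Perform the live lookups (only called when an API key is available)."""
    results = {}
    for address in addresses:
        url, headers = build_breach_request(address, api_key)
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                results[address] = parse_breach_response(resp.status, resp.read())
        except urllib.error.HTTPError as err:
            # urllib raises on 404, so route it through the same parser.
            results[address] = parse_breach_response(err.code, err.read())
    return results


if __name__ == "__main__":
    key = os.environ.get("HIBP_API_KEY")
    if not key:
        print("set HIBP_API_KEY to run live lookups")
    else:
        found = check_addresses(["you@example.com"], key)  # placeholder address
        for address, count in summarise(found):
            print(f"{address}: {count} breach(es): {', '.join(found[address])}")
```

Because the list of breaches is keyed by the plain address, treat the script's output as sensitive: it tells anyone who reads it which of your accounts are worth attacking first.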

There have been a lot of data hacks over the years so there’s a fair chance one or more of your email addresses has been compromised.

And, especially if your email address is flagged as being part of a data breach, be much more vigilant about what links you click in your emails. That includes links in emails from people you know. If it looks suspicious, give it a miss.

I’ve been checking my own email addresses with the service and this is what popped up for one of my lesser used addresses. Not good! That email address was scooped up in 7 different data breaches!

Has Your Email Address Been Compromised?

Filed under: Cyber Security