Onliner Spambot Uses List of 711 Million Email Accounts

Is your email address one of the 711 million emails that are being used by the Onliner spam-bot?  I checked my email address at Have I Been Pwned and found it on the list.  You can click through the link and see if yours is on the Onliner list, or part of some other breach.

Onliner is currently responsible for sending emails that spread a banking-credential-stealing Trojan called Ursnif.  But spambots can be used for any number of purposes, including phishing, email account hijacking, sending malware-laden attachments in email, website scanning, social engineering, stealing other account credentials, and sending click-fraud advertising spam.

This list is interesting because it has a couple of components.  One list contains email accounts, passwords, and outbound mail server information, which allows the phishing messages to appear to come from legitimate email accounts and so get past many mail filters.

The second list contains millions of potential spam targets.  In a list this large, many of the email addresses will be expired, out of date, or abandoned, so the first emails coming from this spam-bot are designed to confirm whether the account is active.  This is accomplished by including a very small 1-pixel image in the email.  When you open the email, loading the image calls back to the image server with information such as your IP address, browser type and version, and other system information.
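The confirmation step described above depends on the mail client fetching a remote 1-pixel image. As an added example (not code from the original post), this Python script scans a message's HTML parts for such images; the sample message, its host names and the names `BeaconFinder` and `find_tracking_pixels` are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample message: sender, hosts and URLs are made up for this example.
SAMPLE_EML = """\
From: billing@example.test
Subject: Invoice
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://cdn.example.test/logo.png" width="120" height="40">
<img src="http://img.example.test/o.gif?id=user%40example.test" width="1" height="1">
<img src="http://img.example.test/p.gif?c=42" style="width:1px;height:1px">
</body></html>
"""

# Inline CSS that declares a width or height of exactly 0 or 1 (px optional).
TINY_CSS = re.compile(r"(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class BeaconFinder(HTMLParser):
    """Collects remote <img> URLs whose declared size is 0 or 1 pixel."""

    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            return  # embedded (cid:/data:) images trigger no callback
        tiny_attr = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if tiny_attr or TINY_CSS.search(a.get("style", "")):
            self.beacons.append(src)

def find_tracking_pixels(raw_message: str) -> list:
    """Return URLs of likely tracking pixels in every HTML part of a message."""
    msg = message_from_string(raw_message, policy=policy.default)
    finder = BeaconFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.beacons
```

This is a heuristic: any remote image can act as a beacon, so turning off automatic remote image loading in the mail client is the more reliable control.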

Once your email address is confirmed, then the attacker sends an email with the Ursnif banking Trojan as an email attachment.  In addition to stealing your online banking credentials, it can be used as a platform to install other malware.

What can you do?

  • Learn how to recognize phishing and other email exploits.
  • Never click on links or open attachments without verifying the link destination or attachment contents.  This can be done at VirusTotal.
  • Check your email accounts at Have I Been Pwned, and if you find yours there, you may want to change your email password.
  • Protect your email, financial, and shopping accounts with two-factor authentication.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
