Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Onliner Spambot – More than 711 Million email addresses open and accessible online

An archive containing more than 630 million email addresses used by the spambot server dubbed ‘Onliner Spambot’  has been published online. The Onliner Spambot dump is the biggest one of its kind, it was discovered by the security researcher who goes online with the handle Benkow. The database was hosted on an “open and accessible” server in Netherlands containing a […]

Onliner Spambot – More than 711 Million email addresses open and accessible online

An archive containing more than 630 million email addresses used by the spambot server dubbed ‘Onliner Spambot’  has been published online.

The Onliner Spambot dump is the biggest one of its kind, it was discovered by the security researcher who goes online with the handle Benkow.

The database was hosted on an “open and accessible” server in Netherlands containing a vast amount of email addresses, along with millions of SMTP credentials from around the world.

Onliner Spambot

The popular researcher Troy Hunt has verified the archive and added the leaked email addresses to his breach notification site Haveibeenpwned.com.

The Onliner Spambot served has been used by crooks to send out spam messages and spread the Ursnif banking trojan since at least 2016.

The Ursnif Trojan was spread via spam emails that contain malicious attachments that are used to download and execute the malware.

“Indeed, to send spam, the attacker needs a huge list of SMTP credentials. To do so, there are only two options: create it or buy it. And it’s the same as for the IPs: the more SMTP servers he can find, the more he can distribute the campaign.” wrote Benkow.

“I will take as an example the Onliner spambot. This spambot is used since at least 2016 to spread a banking trojan called Ursnif. I have seen this spambot targeting specific countries like Italy, or specific business like Hotels.”

The expert discovered a list of roughly 80 million valid SMTP credentials, that were used to send out the spam messages via internet provider’s mail servers. In this way crooks made their email appear as legitimate and bypass anti-spam systems.

It is impossible to be sure about the source of the data, data may have been collected from major data breaches (i.e. LinkedInMySpace and Dropbox) or collected by credentials stealer malware like Pony.

According to Benkow, at least 2 million email addresses were collected through a Facebook phishing campaign.

“It’s difficult to know where those lists of credentials came from. I have obviously seen a lot of public leaks (like Linkedin, Baidu or with every passwords in clear text) but credentials can also came from phishing campaigns, credentials stealer malwares like Pony, or they can also be found in a shop.” continues the expert. “Somebody even show me a spambot with a SQL injection scanner which scan Internet, looks for SQLi, retrieves SQL tables with names like “user” or “admin”.”

At the time of writing, there is no official data on the threat actor behin the Onliner Spambot.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Onliner Spambot, spam)

[adrotate banner=”12″]