[ALERT] Change Your Passwords… NOW

Zoha Islands Wants To Send Our Thoughts And Prayers To All The Victims Of Hurricane IRMA. With The Devastation Still Ongoing We Hope All Are Safe And Well….


And now on with this weeks blog.

A spammer’s database of 711 million email addresses and passwords, including email server admin credentials, Second Life information and access to your L$, has been discovered on a wide-open Web server in the Netherlands. It’s the biggest trove of stolen identities yet found. But what’s really interesting – and frightening – is how it’s being used to circumvent spam filters and infect victims with malware. Here’s what you need to know, and do…

This Spam-bot Probably

Has Your Email Credentials

The database was discovered by a Paris-based security researcher who goes by the online handle of “Benkow.” He or she has spent months analyzing the data and tracing how it has been used. Benkow says at least 100,000 email accounts have been infected with the Ursnif banking malware via the “On liner” spam-bot that compiled and uses this massive database.

Ursnif scans a victim’s system looking for bank account login credentials in particular, but it will steal anything that looks like login credentials to email, e-commerce, social media, and other accounts. Ursnif uses an unusual technique to infect victims’ systems.

Most malware spam employs a file attachment that triggers the download and execution of malware when it is opened. But many users are (finally) cautious about opening attachments, even if they appear to come from trusted contacts. So On liner embeds an invisible URL in each HTML message it sends. When the message is opened, the URL fetches a pixel-sized image from the spammer’s master server; the tiny image also goes unnoticed.


Along with the URLs request for the image, it also sends info about the target machine, including its operating system and device info. This data tells the spammer whether the target is vulnerable to the Windows-based Ursnif malware. If not, there’s no point in sending Ursnif to that target, and doing so might raise unwanted attention.

Weeks or months after sending the probing email to millions of targets, Onliner sends another email with a disguised attachment to the few thousand Windows targets it has identified. The attachment may be presented as an invoice or some other important document. If the attachment is opened, a JavaScript is triggered that downloads Ursnif malware to infect the victim.

But Wait… There’s More!

Another clever trick allows On-liner to evade email servers’ spam filters. Many filters rely, at least in part, on lists of domains known to host spammers. But with the login credentials of an email server’s administrator account, On-liner can exempt its spam from being filtered. The database Benkow discovered contains over 80 million email servers’ admin credentials.

The database includes the admin credentials of 80 million email servers, which are used to spam 630 million email accounts. Onliner has been infecting victims with credential-stealing malware, but it could switch to “botnet” malware that enslaves victims’ computers to send spam, participate in denial-of-service attacks, and other shenanigans.

Here’s another troubling aspect of this situation. If a hacker has access to a compromised email address and password, they can do what’s called credential surfing. Many people use the same login credentials for multiple online accounts. So a hacker may use your email credentials and attempt to gain access to your online banking, social media, Paypal, eBay or other popular sites.

What You Should Do

On-liner goes to unusual lengths to avoid detection by spam filters and security researchers. You cannot rely on your mail provider’s spam filters to keep you safe. You can check the Have I Been Pwned database to see if your email address was present in this spammer database. But don’t be surprised, and don’t panic if it does. In fact, you should ASSUME your email address and password have been compromised.

You, the end user of email, are still the best and last line of defense. Here’s what I recommend:

  • Never click on an attachment without verifying who sent it, and why.
  • Change your email password every three months at least.
  • Use strong passwords, and never reuse passwords on multiple online accounts.
  • Use two-factor authentication whenever possible.

Have A Great Week

Deuce Marjeta

And the Zoha Islands team