Giant spambot scooped up 711 million email addresses By Leo Kelion

Technology desk editor Published duration 30 August 2017

image copyright Getty Images image caption Millions of computer users will be unaware that their email accounts have been targeted or even hijacked

A malware researcher has discovered a spamming operation that has been drawing on a list of 711.5 million email addresses.

The scale of the scheme appears to make it the biggest find of its kind.

The addresses - and in some cases associated passwords - have apparently been gathered to help spread banking malware.

Members of the public can check if their accounts have been affected via the Have I Been Pwned service

Its operator, Troy Hunt, acknowledged that some of the listed addresses corresponded to non-existent accounts.

But he added that the number that had been collated still totalled a "mind-boggling amount".

Hidden images

The Spambot discovery was first flagged by a Paris-based security expert who calls himself Benkow.

It was then brought to wider attention by the ZDnet news site

image copyright Benkow image caption Benkow said this email was one example of the type of spam that had been used

The database of 711 million user details can be divided in two.

In cases where the attackers know only an email address, they can only target the owner with spam in the hope of tricking them into revealing more information.

But in cases where they also have the user's login password and other details, they can secretly hijack their accounts to aid their campaign via a spambot known as Onliner.

Benkow acknowledged that it was "difficult to know where [the] credentials had come from", but suggested that they might have been gathered from previous leaks, a Facebook phishing campaign and illegal sales of hacking victims' details.

In some cases, the perpetrators had gathered details of the accounts' simple mail transfer protocol (SMTP) server and port settings.

This information could be used to fool email providers' spam-detecting systems into letting messages through that might otherwise have been blocked.

"While the list of mailable addresses is quite large, it is probably no larger than any seen previously," Richard Cox, former chief information officer of the Spamhaus project, told the BBC.

"The lists of compromised accounts are more worrying.

"When compromised accounts are used for spam, they can only be stopped by their providers suspending the account - but when that many are involved, it will severely overload the security/abuse departments of those providers, making it a slow process and that is what keeps the spam flowing."

image copyright Getty Images image caption The spamming campaign seems to have been designed to steal banking details

Benkow added that the Onliner spambot had been hiding tiny pixel-sized images in the emails it had sent out, which were used to harvest information about recipients' computers.

This meant that the right kinds of malware attachments required to infect different types of devices could be included when follow-up messages masquerading as business invoices were delivered.

Mr Hunt said that the Spambot lists had been tracked to a Netherlands-based computer server, but it had yet to be shut down.

For now, affected users are able to check only if their email addresses have been targeted, but not if their accounts have been hijacked.

But Benkow told the BBC there were still protective steps affected users could take.

"I recommend you to change your password, and be more vigilant with the emails that you receive, now you know that you're on malware deliverers' lists," he said.