1.4bn Emails Exposed As Huge Spam Operation Fails To Password Protect Documents

A database of 1.4 billion email accounts has seemingly been exposed on the web, and its contents appear to suggest that a marketing agency deliberately exploited vulnerable email services, including Gmail, to send up to one billion items of spam a day.

MacKeeper Security researcher Chris Vickery came across a “suspicious” but exposed collection of files that were not password protected, and discovered it belonged to an organisation called River City Media (RCM).

The documents not only revealed the vast number of email accounts but also IP addresses and even physical addresses.

Spammergate

“Chances are that you, or at least someone you know, is affected,” noted Vickery, who said RCM posed as a legitimate marketing agency led by “known spammers” Alvin Slocombe and Matt Ferris.

Upon inspection of the chat logs, Vickery saw the perpetrators admitted to targeting vulnerable servers using a type of ‘slowloris’ attack.

This involved the spammers configuring their own systems to send packets at a slow rate while requesting more connections, then sending through a large quantity of emails before the receiving server blocked the sender.

Spamhaus has now blocked the entirety of the RCM infrastructure, potentially bringing down a huge spam network, while Microsoft, Apple and others have been informed of other methods used by RCM.

As for how the database was collected, Vickery speculates it was partly compiled by users ticking ‘I agree’ boxes on web forms that give permission for a company “and its affiliates” to send marketing emails. In this case, one of the affiliates was RCM.

Implications

“The natural response is to question whether the data set is real,” added Vickery. “That was my initial reaction. I’m still struggling with the best software solution to handle such a voluminous collection, but I have looked up several people that I know and the entries are accurate.

“The only saving grace is that some are outdated by a few years and the subject no longer lives at the same location.

“Details of the even more abusive scripts and techniques have been forwarded on to Microsoft, Apple, and others. Law enforcement have also been notified and, while we are prohibited from saying too much, they are indeed interested in the matter.”

Other security industry figures have speculated the attack could be the result of a misconfigured MongoDB, given Vickery’s expertise on unsecured databases.

“Open source continues to be a critical source of innovation to many organisations,” suggested Paul Calatayud, CTO at FireMon. “In this case, being used for motivations not so noble, the lesson to be learned here is that MongoDB continues to be an easy exploit.”

Others said the discovery is a “rare window” into how mass spam campaigns operate.

“RCM’s apparent admission that they ran denial of service attacks against Gmail servers to trick them into accepting spam is very serious,” added Chris Doman, a security researcher at AlienVault. “They are talking about risking the stability of some of the internet’s core mail servers for profit. It’s bizarre these admissions are coming from chat logs that RCM themselves accidentally leaked.”


Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
