A few days ago the popular cyber security expert Chris Vickery from security firm MacKeeper announced that he will shortly reveal the source of a huge data breach impacting individuals.
The huge archive contains 1.4 billion email addresses, names, physical addresses and IP addresses. For sure it will be one the largest data breach of 2017.
Vickery also offered a teaser of the leak, also reducing the number of identities by 30,000.
Teaser screenshot of that DB's summary data: pic.twitter.com/PEnpJbDZRt
— Chris Vickery (@VickerySec) March 4, 2017
The Unique Identification Authority of India (UIDAI) promtly denies their archive was the source of the leak.
The reality is quite different.
Vickery shared the data with the expert Steve Ragan from Salted Hash and discovered an unsecured repository of backup files linked to a notorious spamming organization called River City Media (RCM).
“This is the story of how River City Media (RCM), Alvin Slocombe, and Matt Ferris, accidentally exposed their entire operation to the public after failing to properly configure their Rsync backups.” reported Salted Hash.
“The data from this well-known, but slippery spamming operation, was discovered by Chris Vickery, a security researcher for MacKeeper and shared with Salted Hash, Spamhaus, as well as relevant law enforcement agencies.”
The huge archive includes sensitive information about the operations of the River City Media, a company that claims to be a legitimate marketing firm, but that is the source of billion spam messages per day.
Vickery didn’t reach out to RCM directly, he was not able to fully verify the huge data leak but he explained that the archive includes addresses he knew very well and that were accurate
“The situation presents a tangible threat to online privacy and security as it involves a database of 1.4bn email accounts combined with real names, user IP addresses, and often physical address,” Vickery said. “Chances are that you, or at least someone you know, is affected.”
What about the spamming business?
No doubts, spamming operations are very profitable.?
The leaked data shows that the RCM sent 18 million emails to Gmail users and 15 million to AOL users in a single day, and the company earned around $36,000. Not so bad 😉
The River City Media company used many illegal hacking techniques to target send spam messages to as many users as possible.
One of these techniques is the Slowloris attack, a method that is used to paralyze a web server rather than subvert it in this manner.
“Purposely throttling your own machinery to amass open connections on someone else’s server is a type of Slowloris attack [https://en.wikipedia.org/wiki/Slowloris_(computer_security)]. The twist here is that the spammer is not trying to completely disable the receiving server, he is only temporarily stressing the resources in order to overwhelm and force the processing of bulk email.” Vickery explained in a blog post.
Vickery defined illegal the hacking activity of the RCM due to the presence of scripts and logs enumerating the groups’ many missions to probe and exploit vulnerable mail servers. The leaked backusp include chat log in which personnel at the company admit and describe the adoption of hacking methods.
“In that screenshot, a RCM co-conspirator describes a technique in which the spammer seeks to open as many connections as possible between themselves and a Gmail server. This is done by purposefully configuring your own machine to send response packets extremely slowly, and in a fragmented manner, while constantly requesting more connections.”
The expert has shared details of RSM’s operations with other parties, including Microsoft, Apple, Salted Hash, Spamhaus and of course law enforcement.
To block the activity of the group, Spamhaus announced the blacklisting of the entire infrastructure used by the RCM from its Register of Known Spam Operations (ROKSO) database. The service tracks professional spam campaigns.
Chris Vickery discovered many other clamorous cases of open database exposed on the Internet. In December 2015 the security expert discovered 191 million records belonging to US voters online, in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.
In March 2016, Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.
In January 2017, the expert discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.
(Security Affairs – data leak, spam network)