More than 250 million email accounts may have been hacked and used to spread Trickbot malware on the Internet, according to research by digital security firm DeepInstinct. The results of the investigation were released last Friday (12) and indicate that millions of addresses from Gmail, Yahoo and Hotmail may have been affected, in addition to accounts of governments and public institutions in the United States, United Kingdom and Canada.
Trickbot malware has been known to Internet security researchers since 2016; at the time, it was "just" a banking trojan. In the current attacks, the malware has gained an email-based infection and distribution module and the ability to steal cookies. The malware now takes over the victim’s email account to send spam to their contacts, infect more people and steal bank details. It then erases everything to leave no trace.
In its investigation of the new malware module and the infrastructure associated with it, DeepInstinct was able to recover a database containing 250 million email accounts collected by TrickBot operators.
The machine infected with the malware is instructed to download a distribution program called TrickBooster. This software reports to the command server and sends lists of credentials and e-mail addresses collected both from the address book and from the inbox and outbox.
Then, the server instructs the bot to send malicious spam e-mails to these addresses through the victim’s account and, soon after, deletes the records from both the sent messages and the trash, so as not to leave any trace. The strategy may be used to infect new accounts and to spread spam for financial purposes.
DeepInstinct infographic shows how Trickbot works – Photo: Disclosure / DeepInstinct
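The send-then-erase behaviour described above can be checked for in mailbox audit data. The following Python example is added here and is not code from DeepInstinct or from the original article; the event schema, the action names (`send`, `delete_sent`, `purge_trash`), the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events: time, account, action, message id. The schema and the
# action names (send, delete_sent, purge_trash) are assumptions, not a real log format.
SAMPLE_EVENTS = """\
2019-07-15T09:00:01 alice@example.org send a1
2019-07-15T09:00:02 alice@example.org send a2
2019-07-15T09:00:03 alice@example.org send a3
2019-07-15T09:00:05 alice@example.org delete_sent a1
2019-07-15T09:00:05 alice@example.org delete_sent a2
2019-07-15T09:00:06 alice@example.org delete_sent a3
2019-07-15T09:00:08 alice@example.org purge_trash a1
2019-07-15T09:00:08 alice@example.org purge_trash a2
2019-07-15T09:00:09 alice@example.org purge_trash a3
2019-07-15T10:00:00 bob@example.org send b1
2019-07-15T13:00:00 bob@example.org delete_sent b1
2019-07-15T13:00:05 bob@example.org purge_trash b1
2019-07-15T11:00:00 carol@example.org send c1
2019-07-15T11:00:01 carol@example.org send c2
2019-07-15T11:00:02 carol@example.org send c3
2019-07-15T11:00:04 carol@example.org delete_sent c1
2019-07-15T11:00:04 carol@example.org delete_sent c2
2019-07-15T11:00:05 carol@example.org delete_sent c3
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, account, action, msg_id = line.split()
        yield datetime.fromisoformat(ts), account, action, msg_id

def erased_after_send(events, window=timedelta(minutes=10)):
    # Messages sent and then removed from both Sent and Trash within `window`.
    first = defaultdict(dict)  # (account, msg_id) -> {action: first timestamp}
    for ts, account, action, msg_id in sorted(events):
        first[(account, msg_id)].setdefault(action, ts)
    hits = defaultdict(list)
    for (account, msg_id), t in first.items():
        if {"send", "delete_sent", "purge_trash"}.issubset(t):
            if all(t["send"] <= t[a] <= t["send"] + window for a in ("delete_sent", "purge_trash")):
                hits[account].append(msg_id)
    return dict(hits)

def suspicious_accounts(events, min_msgs=3, window=timedelta(minutes=10)):
    # An account is flagged once `min_msgs` messages were sent and then fully erased.
    hits = erased_after_send(events, window)
    return sorted(acct for acct, ids in hits.items() if len(ids) >= min_msgs)
```

On the constructed sample, only the account whose three messages were sent and then removed from both folders within minutes is flagged; slow clean-up of a single message and deletion without a trash purge are not.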
The email database retrieved by DeepInstinct contains millions of addresses from popular providers, such as Gmail and Yahoo, but it also has a sizable sample of large government accounts, both in the United States and the United Kingdom. Other organizations found include universities in the UK and Canada, and several provincial agencies in Canada.
“We were able to recover a database containing 250 million email accounts collected by TrickBot operators, which were probably also used as target lists for malicious delivery and infection. The database includes millions of addresses from government departments and agencies in the U.S. and the UK,” details the company’s official statement.
The research center also released the number of accounts that may have been affected, broken down by email provider:
- Gmail.com – 25 million
- Yahoo.com – 19 million
- Hotmail.com – 11 million
- Aol.com – 7 million
- Msn.com – 3 million
- Yahoo.co.uk – 2 million
DeepInstinct researchers say more analysis is being done on Trickbot, but said, in an interview with the TechCrunch website, that incorporating TrickBooster was “a powerful addition to TrickBot’s already vast arsenal of tools”, taking into account the ability of the module to avoid detection by most antiviruses. Because the spam is sent from a trusted address, the chances that victims will open infected attachments also increase.
Discovered in 2016, Trickbot has remained a persistent threat in recent years, showing great adaptability in the cybercrime scene. Once a malware family focused on stealing financial data, Trickbot is now a more sophisticated threat that serves different types of malicious activity.