Some three million stolen email addresses and passwords were found online on a server used to send fraudulent messages and extort money from tens of thousands of victims.
The server, which was not password protected, was at the heart of a complex online fraud operation, according to TechCrunch, which contributed to the investigation with researcher Bob Diachenko.
Thanks to the personalized messages that he sent to the contacts associated with the hacked email addresses, the fraudster gave the impression that his spam was legitimate messages.
When a victim clicked on a link contained in the email, the system designed by the fraudster could automatically identify the country of origin of the person by analyzing his IP address. He then redirected it to a copy of a news site in that country.
The fake news sites – including copies of CNN and BBC News – contained news about fake products or services such as drugs or investments in cryptocurrencies. They invited the victims to buy these products, and the money was most likely sent directly to the fraudster.
A complex operation
Throughout the operation, the hacker had implemented sophisticated protections allowing him to bypass many spam detection systems.
Analysis charts were also used to quickly identify weaknesses in his mailings and anti-spam systems in order to adapt his practices to maximize the number of potential victims.
More than 160,000 people would have clicked on fraudulent emails sent by this system, according to TechCrunch. It is unclear, however, how much money has gone to the fraudster.
The server containing the compromised email addresses was closed by the host a few hours after it was notified of its existence by TechCrunch. The host indicated that the server was probably hacked, since its legitimate owner believed that the server had been shut down a long time ago.
TechCrunch pointed out that there are indications that the fraudster is continuing to operate on other servers whose addresses remain unknown for the time being.
The database containing the stolen emails and passwords was sent to Troy Hunt, owner of Have I Been Pwned. This service verifies if an email address or password has been affected by an online data leak.