Nearly 1.4 billion people are affected by a leak of database records after the spamming group River City Media (RCM) forgot to password-protect its backups.
Last week, MacKeeper security researcher Chris Vickery promised a “1.4 billion identity leak story” would be made public on Monday. The actual number of people affected – 1,374,159,612 – is slightly lower than that, but is nothing to scoff at.
Tweet from Chris Vickery (@VickerySec), March 4, 2017: “Teaser screenshot of that DB's summary data: pic.twitter.com/PEnpJbDZRt”
Today, Vickery described the leak from RCM as a “tangible threat to online privacy and security” because the database included nearly 1.4 billion email accounts tied to real names, IP addresses and “often” physical addresses. RCM accumulated that list via offers for things such as “free” gifts, credit checks, sweepstakes, education opportunities and techniques like co-registration in which a person’s info is shared with unnamed affiliates after clicking “submit” or “I agree” on a website.
Vickery has a knack for finding unsecured databases; this time, the repository of RCM backup files was publicly exposed after the spammers slipped up. “Someone had forgotten to put a password on this repository and, as a result, one of the biggest spam empires is now falling,” wrote Vickery.
RCM, led by known spammers Alvin Slocombe and Matt Ferris, “masquerades as a legitimate marketing firm,” but Vickery published a snippet of RCM’s documentation which claims it can send over a billion spam emails every day. The highlighted line in the documentation states, “In 2013 an IPv6 version of ‘IPQ’ was used across 4 servers to send over a billion bulk messages to Gmail per day.”
How can a group of about a dozen people be responsible for one billion emails sent in one day? The answer is a lot of automation, years of research, and a fair bit of illegal hacking techniques.
I say illegal hacking due to the presence of scripts and logs enumerating the group’s many missions to probe and exploit vulnerable mail servers.
Vickery worked with CSO and Spamhaus to investigate the leak. As a result, Spamhaus is now blacklisting RCM’s entire infrastructure. Salted Hash’s Steve Ragan has a fantastic writeup about RCM and its operations. In Ragan’s words, the spammers “accidentally exposed their entire operation to the public after failing to properly configure their Rsync backups.”
The researchers found chat logs which revealed that the spammers used a type of Slowloris attack to send their spam. They would “open as many connections as possible between themselves and a Gmail server. This is done by purposefully configuring your own machine to send response packets extremely slowly, and in a fragmented manner, while constantly requesting more connections.”
Then, when the Gmail server is almost ready to give up and drop all connections, the spammer suddenly sends as many emails as possible through the pile of connection tunnels. The receiving side is then overwhelmed with data and will quickly block the sender, but not before processing a large load of emails.
It's a twist on a Slowloris attack, since “the spammer is not trying to completely disable the receiving server, he is only temporarily stressing the resources in order to overwhelm and force the processing of bulk email.”
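The hold-then-burst pattern described above leaves a recognisable trace in the receiving server's connection logs: one client keeps many connections open for a long time while sending almost nothing, and then pushes a large volume of data through all of them within a few seconds. The script below is an added example, not code from the original article or from any of the parties it describes; the log format, the client IP addresses, the connection IDs and the thresholds are all constructed for illustration and would need tuning against a real MTA's logs.

```python
"""Flag SMTP clients that hold many near-idle connections open and then
burst data through them (the Slowloris-style spam pattern described above).

Log format (constructed for this example, not any real MTA's format):
    <unix_ts> <client_ip> OPEN  <conn_id>
    <unix_ts> <client_ip> DATA  <conn_id> <bytes>
    <unix_ts> <client_ip> CLOSE <conn_id>
"""
from collections import defaultdict, deque

# Detection thresholds (assumed values for this example; tune per site).
MIN_STARVED = 5        # concurrent near-idle connections from one client
IDLE_SECONDS = 30      # connection age before it counts as "held open"
SLOW_BYTES = 512       # fewer bytes than this while held -> starved
BURST_BYTES = 50_000   # bytes inside BURST_WINDOW after a hold -> burst
BURST_WINDOW = 10      # seconds

# Constructed sample: 10.0.0.5 holds six starved connections, then bursts;
# 192.0.2.9 is a normal relay; 198.51.100.7 holds connections but never bursts.
SAMPLE_LOG = """\
1000 10.0.0.5 OPEN c1
1001 10.0.0.5 OPEN c2
1002 10.0.0.5 OPEN c3
1002 192.0.2.9 OPEN d1
1003 192.0.2.9 DATA d1 4000
1003 10.0.0.5 OPEN c4
1004 192.0.2.9 CLOSE d1
1004 10.0.0.5 OPEN c5
1005 10.0.0.5 OPEN c6
1010 198.51.100.7 OPEN e1
1011 198.51.100.7 OPEN e2
1012 198.51.100.7 OPEN e3
1013 198.51.100.7 OPEN e4
1014 198.51.100.7 OPEN e5
1020 10.0.0.5 DATA c1 16
1020 10.0.0.5 DATA c2 16
1020 10.0.0.5 DATA c3 16
1020 10.0.0.5 DATA c4 16
1020 10.0.0.5 DATA c5 16
1020 10.0.0.5 DATA c6 16
1040 10.0.0.5 DATA c1 16
1045 10.0.0.5 DATA c1 12000
1046 10.0.0.5 DATA c2 12000
1047 10.0.0.5 DATA c3 12000
1048 198.51.100.7 DATA e1 8
1048 10.0.0.5 DATA c4 12000
1049 10.0.0.5 DATA c5 12000
1050 10.0.0.5 DATA c6 12000
1051 10.0.0.5 CLOSE c1
1052 198.51.100.7 CLOSE e1
"""


def parse_line(line):
    """Parse one constructed log line into (ts, ip, event, conn_id, nbytes)."""
    parts = line.split()
    ts, ip, event, conn_id = float(parts[0]), parts[1], parts[2], parts[3]
    nbytes = int(parts[4]) if event == "DATA" else 0
    return ts, ip, event, conn_id, nbytes


def find_slow_hold_bursts(lines):
    """Return one finding per client that first starves many connections, then bursts."""
    open_conns = defaultdict(dict)      # ip -> {conn_id: [opened_at, bytes_sent]}
    hold_seen = {}                      # ip -> ts when the starvation threshold was hit
    recent_data = defaultdict(deque)    # ip -> sliding window of (ts, bytes)
    findings, flagged = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, ip, event, conn_id, nbytes = parse_line(line)
        conns = open_conns[ip]
        if event == "OPEN":
            conns[conn_id] = [ts, 0]
        elif event == "DATA":
            if conn_id in conns:
                conns[conn_id][1] += nbytes
            window = recent_data[ip]
            window.append((ts, nbytes))
            while window and ts - window[0][0] > BURST_WINDOW:
                window.popleft()
        elif event == "CLOSE":
            conns.pop(conn_id, None)
        # Hold check: many old connections that have delivered almost nothing.
        starved = sum(1 for opened, sent in conns.values()
                      if ts - opened >= IDLE_SECONDS and sent < SLOW_BYTES)
        if starved >= MIN_STARVED and ip not in hold_seen:
            hold_seen[ip] = ts
        # Burst check: after a hold, a flood of bytes inside the window.
        if ip in hold_seen and ip not in flagged:
            burst = sum(b for _, b in recent_data[ip])
            if burst >= BURST_BYTES:
                flagged.add(ip)
                findings.append({"client": ip, "hold_at": hold_seen[ip],
                                 "burst_at": ts, "burst_bytes": burst})
    return findings


if __name__ == "__main__":
    for finding in find_slow_hold_bursts(SAMPLE_LOG.splitlines()):
        print(finding)
```

Only the client that both holds starved connections and then bursts is reported; the relay that sends promptly and the client that holds connections but never floods are left alone, which keeps the rule from firing on slow but honest senders. In the sample, the hold is recorded at the event at t=1040 and the burst crosses the byte threshold at t=1049.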
The data appears to be real, but some of it may be outdated, such as a person no longer living at the physical address attached to his or her name in the spammer’s database. The researchers notified law enforcement and sent Microsoft, Apple and others details about abusive scripts and techniques.
Vickery and Ragan intend to reveal more about the RCM operation. As Vickery put it, “There are enough spreadsheets, hard drive backups, and chat logs here to fill a book.”