Bureau Shares Emails of Those Affected With Have I Been Pwned Breach Notification Service
The FBI has shared 4.3 million email addresses stolen by the Emotet malware with the Have I Been Pwned breach notification site in another effort to remediate the effects of the devastating botnet.
The email addresses come from mail servers compromised by Emotet as well as end-user computers on which the malware had scraped credentials out of victims’ browsers, says Troy Hunt, an Australian computer security expert who runs HIBP.
It’s the first time the FBI has asked Hunt’s service to assist in notifying victims, says Hunt, who wrote a blog post about the move.
In 2018, the Estonian Central Criminal Police supplied HIBP with 655,000 email addresses that came from several breaches to avoid directly sending out its own breach notifications, which could have been mistaken for phishing emails, Hunt says.
Hunt says the Emotet data will help victims take prompt action to ensure their online accounts have strong, unique passwords that are not reused across services.
Emotet: Destructive Malware
The Emotet botnet was disrupted in January in a coordinated action undertaken by the U.S., the U.K., the Netherlands, Canada, France, Germany, Sweden, Lithuania and Ukraine. Law enforcement agencies identified 1.6 million computers worldwide that were infected with the malware between April 2020 and January 2021, and 45,000 of those machines were in the U.S.
Europol called Emotet “one of the most professional and long-lasting cybercrime services.” The malware caused hundreds of millions of dollars in damages, the U.S. Justice Department said in January
The malware, which emerged around 2014, primarily spread through spam messages containing malicious links or attachments. It harvested victims’ email contact lists to send itself out and to look less suspicious to recipients.
Emotet was a “dropper,” or first-stage malware, that maintained access to a person’s computer. Those who controlled Emotet could sell access to those computers to other players in the cybercrime economy, including ransomware gangs.
Soon after Emotet’s infrastructure was disrupted by law enforcement officials, agencies launched an effort to remediate infected computers.
Around Jan. 26, law enforcement agencies used some of Emotet’s infrastructure to push what was referred to as a “law enforcement file” to infected computers, according to an FBI affidavit released by the Justice Department. That disconnected infected computers from the botnet.
That code, a customized DLL file called EmotetLoader.dllsent, was also designed to remove the infection. In a blog post on Monday, the computer security firm Malwarebytes writes that it was coded to uninstall Emotet completely by April 25, an action that has taken place (see: Emotet Malware Automatically Uninstalled).
Emotet Breach ‘Sensitive’
Even with remediation of the infections, there’s still the problem of account credentials that have been compromised by Emotet. Law enforcement agencies have been working to notify anyone whose devices might have been infected by Emotet.
The Netherlands created a service in which an individual could enter their email address to see if their machine had been infected. If a positive result was found, a notification was emailed to the person a few minutes later, according to Dutch police.
After the initial shutdown of Emotet, Dutch police continued to find email addresses indicating that computers had been infected. On Feb. 3, 3.6 million more email addresses were found, which Dutch police added to their checker.
The entry of the email addresses into Have I Been Pwned, however, means that there is a higher chance that those affected by Emotet can be reached.
Hunt has classified the data as “sensitive.” Anyone can enter anyone’s email address into HIBP and see if the email address has been exposed in any of the breaches that have been indexed. But Hunt restricts what HIBP returns for certain types of sensitive breaches, such as Emotet. In those instances, a user must verify their email address or control of a domain.
Hunt took this same step for the 2015 breach affecting Ashley Madison, the dating site for married people.
The Emotet situation differs from other breaches, Hunt says. The fact that someone’s email addresses has shown up in the Emotet data means their computer was infected with malware. That fact could expose shortcomings in someone’s security posture, and Hunt says he didn’t want that to be discoverable through HIBP.
“The implication here is someone’s personal security has been compromised, not just an online account,” Hunt says. “I didn’t want to make anyone a greater target.”
Hunt says that beyond email addresses, he doesn’t have any more information, such as when a particular machine was infected or what other data might have been compromised.