Major Spam Operation Suffers Data Leak Containing 1.4 Billion Records

A spamming group called River City Media, led by well known spammers Alvin Slocombe and Matt Ferrisi, has had its database of 1.4 billion records leaked. IT security experts from AlienVault, FireMon and NSFOCUS commented below.

Chris Doman, Security Researcher at AlienVault:

“This is an extremely rare window into the operations of mass-spam campaigns. RCM’s apparent admission that they ran denial of service attacks against Gmail servers to trick them into accepting spam is very serious. They are talking about risking the stability of some of the internet’s core mail servers for profit. It’s bizarre these admissions are coming from chat logs that RCM themselves accidentally leaked.

Whilst the scale of data potentially lost by RCM here is massive, it’s important to note this data isn’t reported to include credentials or abused by anyone other than RCM yet.”

Paul Calatayud, CTO at FireMon:

“In the recent River City Media Ggroup data leak, over 1.4 billion records may have been exposed. Not much information is being said as to the cause, but given that this was found by Chris Vickery, who often scans the internet for vulnerable Mongo DB assets and makes reference to lack of use of passwords, one can conclude that this data leak is a result of a misconfigured Mongo DB. Open source continues to be a critical source of innovation to many organizations. In this case, being used for motivations not so noble, the lesson to be learned here is that Mongo DB continues to be an easy exploit. Ensuring that your critical systems are secure and functioning under the policies that you intend is important. Applying intelligent security management to validate your builds – both system and firewalls – to ensure Mongo DB ports are not exposed will prevent these types of data leaks in the future.”

Steve Gates, Chief Research Intelligence Analyst at NSFOCUS:

“Slowloris, released in 2009, is a nothing more than a script designed to slowly consume all available connections on a server.  When all connections are consumed, the server cannot process any new connections; causing a denial of service condition.  Known as a “Layer 7” denial of service attack, the most effective way to defeat Slowloris is to protect servers with anti-DDoS technology, that can easily detect and block a Slowloris attack.   What is interesting here is that Slowloris was being used to help distribute as many spam emails as possible; before a victim server crashed or dropped all existing connections.  Once again, this is a demonstration of the originality and persistence of spammers – that never ceases to amaze.”

.