FBI Speeds Emotet Cleanup by Sharing Over 4 Million Email Addresses on HIBP
The agency believes this may be a suitable way of notifying impacted individuals and companies that their accounts have been compromised by Emotet.
In another effort to mitigate the effects of the Emotet malware, the Federal Bureau of Investigation has shared 4.3 million email addresses stolen by the botnet with the Have I Been Pwned (HIBP) breach notification site.
According to computer security expert and HIBP creator Troy Hunt, the email addresses span a wide range of countries and domains and were sourced from two separate data corpora obtained by the agencies during the takedown:
- Email credentials stored by Emotet for sending spam via victims’ mail providers;
- Web credentials harvested from browsers that stored them to expedite subsequent logins.
Hunt says the Emotet data will help victims take prompt action to ensure their online accounts have strong, unique passwords that are not reused across services.
As previously reported, on January 27th, 2021, the Emotet botnet’s infrastructure was taken down, effectively disrupting the spread of the Emotet malware. This result was achieved as part of an international coordinated operation led by Europol and Eurojust. Law enforcement agencies from across Europe, including Germany, Ukraine, France, Lithuania, the Netherlands, and the UK, collaborated with authorities from the United States to take control of the cybercrime ring’s zombie computer servers.
On April 25th, with the help of the malware module delivered in January, Emotet was removed from all infected devices.
Image Source: Europol
The fact that the FBI decided to add the email addresses on the HIBP platform means that there is a better chance for those affected by Emotet to be notified.
Normally, users can enter any email address into HIBP to see whether it has been exposed in any of the indexed breaches. However, Hunt has flagged the Emotet data as “sensitive”, which restricts what HIBP returns for it: instead of an open search, users must verify control of their email address through the notification service or run a domain search.
(…) Individuals will either need to verify control of the address via the notification service or perform a domain search to see if they’re impacted. I’ve taken this approach to avoid anyone being targeted as a result of their inclusion in Emotet. All impacted HIBP subscribers have been sent notifications already.
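The disclosure rule Hunt describes above, as an added illustration (constructed example, not HIBP’s own code): a sensitive breach such as Emotet is hidden from anonymous lookups and only revealed to a caller who has proved control of the address or ownership of its domain. The breach names, addresses and the `Caller` object are assumptions for the example.

```python
"""Model of HIBP's 'sensitive breach' disclosure rule (constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Breach:
    name: str
    sensitive: bool  # sensitive breaches are never shown on an anonymous search


# Constructed sample data: two breaches and which addresses appear in them.
BREACHES = {
    "Emotet": Breach("Emotet", sensitive=True),
    "ExampleForum": Breach("ExampleForum", sensitive=False),
}
INDEX = {
    "alice@example.com": ["Emotet", "ExampleForum"],
    "bob@example.com": ["Emotet"],
    "carol@other.test": ["ExampleForum"],
}


@dataclass
class Caller:
    """What the caller has proved so far (assumed verification flows)."""
    verified_addresses: set = field(default_factory=set)  # via notification e-mail
    verified_domains: set = field(default_factory=set)    # via domain ownership check


def lookup(email: str, caller: Caller) -> list:
    """Breaches for `email`; sensitive ones only if control of the address or
    ownership of its domain has been verified by the caller."""
    email = email.strip().lower()
    domain = email.rsplit("@", 1)[-1]
    may_see_sensitive = (email in caller.verified_addresses
                         or domain in caller.verified_domains)
    return [n for n in INDEX.get(email, [])
            if may_see_sensitive or not BREACHES[n].sensitive]


def domain_search(domain: str, caller: Caller) -> dict:
    """Domain-owner view: every address on the domain with all of its breaches."""
    domain = domain.strip().lower()
    if domain not in caller.verified_domains:
        raise PermissionError(f"domain {domain} has not been verified by the caller")
    return {e: list(n) for e, n in INDEX.items() if e.endswith("@" + domain)}
```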
As Emotet’s long history shows, repairing the damage the Trojan inflicts once it burrows into a network can be very expensive.
Together with the FBI, Hunt listed a few recommendations for those that find themselves affected by the malware:
- Keep security software (antivirus) up to date;
- Change your email account password and security questions;
- Use a password manager and create strong, unique passwords;
- Use 2-factor authentication wherever available;
- Keep operating systems and software patched;
- Administrators with affected users should refer to the YARA rules released by DFN-CERT, which include rules published by the German BKA.