A B2B software specialist, PCA Predict (formerly Postcode Anywhere) was hit by a Russian botnet attack last week. Around 1.5 million emails were sent out that purported to be from the business, demanding a payment of GBP £120.
The first thing that the company noticed was that its email server was struggling and then the phones ‘went bonkers’ as people phoned up to get to the bottom of their apparent demand.
PCA Predict co-founder Jamie Turner said of the incident on his blog, “It can’t actually be from us can it? No, it couldn’t be us – we’re locked down like a bunker at the best of times.”
As part of the company’s security, they keep data in their emails to monitor any delivery problems and quickly found out that the emails didn’t come from their servers. This was helped in a large part by the fact that most of the calls to the business over the errant email were from people who didn’t normally do business with them.
The blog continued, “These ‘headers’ showed the message originated from one of our servers. How? Worse, the email contained malware and was being sent on a massive scale. Our email server was choked processing all the out-of-office replies and there were tens of thousands of them.”
They did some digging and located the source of the emails, a so called Russian botnet that had been sending out the emails, that had also copied the hidden headers on the emails to make PCA Predict believe their servers had been compromised. This at least established that they didn’t have an attack on their own servers, which had at this stage been locked down.
“One of our developers noticed that the emails contained a banner logo which was still pointing to our site,” he said. “That explained the increase in traffic and an opportunity to tell people about it. So we switched out the logo with a large red notice highlighting that this email is spam.”
The company learned three things from this: “Essentially we had to work the problem out and communicate it. Doing both isn’t easy with every alarm and phone and warning system crying around you. But we also realised the strong position we’re in being a techie house. We know how to reroute phone calls on the fly; we have the ability to change our site in a heartbeat and deal with a surge in bandwidth that we were expecting next week for Black Friday, not [Thursday]!”