Russian botnet spoofs B2B software firm's emails

PCA Predict - formerly Postcode Anywhere - praised for its quick-thinking response

A B2B software firm has praised its staff for their quick thinking after the firm was sent into "meltdown" following a massive email scam from a "large Russian botnet".

PCA Predict - formerly Postcode Anywhere - published a blog post on Friday after suffering an afternoon of chaos the day before.

At 1:15 on the afternoon of 19 November, PCA Predict noticed its email server was struggling and its bandwidth use had surged, followed immediately by its phones "going bonkers".

The spike happened after thousands of people had received emails appearing to be from PCA Predict confirming a payment of £120. They then got in touch with the firm to query it.

"It can't actually be from us can it? No, it couldn't be us - we're locked down like a bunker at the best of times," said PCA Predict co-founder Jamie Turner in the blog post. "But the messages started to ring panic bells.

"Emails have data hidden in them to help diagnose delivery problems. These 'headers' showed the message originated from one of our servers. How? Worse, the email contained malware and was being sent on a massive scale. Our email server was choked processing all the out-of-office replies and there were tens of thousands of them."

After realising this, Turner said the firm "locked everything down immediately" as it "made no sense at all".

He said by this point, the phone system was "in meltdown" but that staff pulled together quickly to speak to as many affected people as possible.

"Interestingly, the people calling us weren't our customers," he said.

"This was good - at least we hadn't lost any data - but where were they coming from? Suddenly we realised that as well as copying the contents of the original message from us, they had copied the headers, including our internal server names. Sneaky. Digging a bit deeper took us east. East, to a large Russian botnet that was sending them out - about 1.5 million of them."
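The "headers" Turner refers to are the Received: trace lines that each mail server prepends as a message passes through it. Only the lines added by your own receiving server can be trusted; every line below them was supplied by whoever connected to you and can be copied verbatim from a genuine message, internal server names included, which is exactly what Turner describes. The following is an added example, not code from PCA Predict or from the article, showing how to find that trust boundary and read the real connecting address. The MTA name mx.example.net, the firm's netblock 203.0.113.0/24, the hostnames, and the sample message are all constructed for this illustration.

```python
"""Locate the trust boundary in an email's Received: chain.

Added example (not PCA Predict's code). All hostnames, addresses and the
sample message below are constructed for illustration.
"""
import email
import ipaddress
import re
from typing import Dict, List, Optional

# Assumption: these are the receiver's own MTAs, so the Received: lines they
# add are trustworthy. Hypothetical name.
TRUSTED_MTAS = {"mx.example.net"}
# Assumption: the netblock the spoofed firm really sends from. Hypothetical.
FIRM_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample. The top Received: line was added by the recipient's MTA
# and records the address that actually connected (a botnet node). The line
# below it was copied wholesale from a genuine message, internal name and all.
SAMPLE = """\
Received: from mail1.pcapredict.example (unknown [198.51.100.77])
\tby mx.example.net (Postfix) with ESMTP id 4F2A1
\tfor <victim@example.net>; Thu, 19 Nov 2015 13:12:04 +0000
Received: from INTERNAL-SQL01.corp.local (10.20.30.40)
\tby mail1.pcapredict.example (203.0.113.10) with ESMTP; Wed, 18 Nov 2015 09:01:55 +0000
From: "PCA Predict" <accounts@pcapredict.example>
To: victim@example.net
Subject: Payment confirmation

Thank you for your payment of 120.00 GBP.
"""

# IPv4 literal in [brackets] or (parentheses), as MTAs usually write it.
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def parse_received(raw_message: str) -> List[Dict[str, Optional[str]]]:
    """Return each Received: line (index 0 = most recent hop) as
    {'by': host that wrote the line, 'from_ip': first IP literal in it}."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        by = BY_RE.search(text)
        ip = IP_RE.search(text)
        hops.append({"by": by.group(1).lower() if by else None,
                     "from_ip": ip.group(1) if ip else None})
    return hops


def trust_boundary(hops: List[Dict[str, Optional[str]]]) -> Optional[int]:
    """Index of the last hop written by one of our own MTAs, walking from the
    newest hop downward. Its 'from_ip' is the address that really connected to
    us; every hop below it is unverifiable and may have been forged."""
    last_trusted = None
    for i, hop in enumerate(hops):
        if hop["by"] in TRUSTED_MTAS:
            last_trusted = i
        else:
            break
    return last_trusted


def assess(raw_message: str) -> Dict[str, object]:
    """Summarise where the message actually came from and how much of the
    header trace cannot be relied on."""
    hops = parse_received(raw_message)
    boundary = trust_boundary(hops)
    verdict: Dict[str, object] = {
        "connecting_ip": None,
        "ip_in_firm_netblocks": None,
        "unverifiable_hops": len(hops) if boundary is None else len(hops) - boundary - 1,
    }
    if boundary is not None and hops[boundary]["from_ip"]:
        ip = ipaddress.ip_address(hops[boundary]["from_ip"])
        verdict["connecting_ip"] = str(ip)
        verdict["ip_in_firm_netblocks"] = any(ip in net for net in FIRM_NETBLOCKS)
    return verdict


if __name__ == "__main__":
    print(assess(SAMPLE))
```

Run against the sample, the connecting address is 198.51.100.77, which is outside the firm's (hypothetical) netblock, and the one hop below the boundary, the line naming an internal server, is exactly the part that cannot be verified. SPF or DKIM checks applied by the receiving MTA give the same answer with less parsing; the point of walking the chain by hand is to see why a forged line naming "one of our servers" proves nothing.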

After discovering the problem, Turner admitted the firm was "at the centre of a massive communications mess", but he praised the quick thinking of staff who moved to solve the problem.

"One of our developers noticed that the emails contained a banner logo which was still pointing to our site," he said. "That explained the increase in traffic and an opportunity to tell people about it. So we switched out the logo with a large red notice highlighting that this email is spam. That gave us time to give the Information Commissioner a heads-up as well as the local police."

The move, which turned the hotlinked logo against the scammers by displaying a spam warning inside every copy of the email that loaded the image, won the company praise on Twitter.

"1,000,000 internet points to @PCApredict for this gem," said one Twitter user. "Superbly played and good to see the big warning [on] your site too."

Another Twitter user said: "Site realises its images are being hotlinked in spam emails, so changed the image to 'THIS IS SPAM!' Nice one."

Turner said his company and its staff responded admirably to the challenge.

"Things have broadly returned to normal now but there were some easy lessons learned," he said. "Essentially we had to work the problem out and communicate it. Doing both isn't easy with every alarm and phone and warning system crying around you.

"But we also realised the strong position we're in being a techie house. We know how to reroute phone calls on the fly; we have the ability to change our site in a heartbeat and deal with a surge in bandwidth that we were expecting next week for Black Friday, not [Thursday]!"