More than 200,000 users of a popular British Internet service are without the ability to access email over the Web, thanks to a spam attack that the ISP is still struggling to resolve.
PlusNet, a popular low-cost service owned by BT, was forced to take its Web-based email servers offline last night following a hack that may have enabled an attacker to steal account information from its customers. The stolen data was used to launch a spam campaign on the victims, and a smaller number of users contracted Trojans as well, PlusNet says.
The problem was first discovered May 9, when PlusNet began to receive complaints of an unusually high volume of spam from some of its customers. Upon further investigation, PlusNet discovered that one of its six Webmail servers had been hacked, and the attackers had gotten away with one of its account lists.
"This list was obtained from our Webmail platform and includes accounts that customers have used to login to Webmail, as well as some email addresses contained in customers' online address books, and addresses customers have sent using our Webmail service," PlusNet says. This means the attack extends beyond PlusNet users to members of other email services, the ISP observes.
The ISP says the attack exploited a vulnerability that "cannot be patched," and therefore it is building new servers for its @Mail system. The company expects to restore email service to its customers tomorrow with a temporary fix, then add a more permanent server configuration next week.
PlusNet has not given details on the vulnerability, the exploit, the number of users affected, or even the makes of the servers or applications involved in the hack. Its notices to customers make multiple references to "the Webmail database," but they do not specifically state whether the data was stolen from a customer database or from an email account server.
"At present, we are working with our vendors and legal authorities, so cannot expand further on this," it said in a message yesterday. Presumably, the ISP is protecting this information until the involved vendors have been notified and given a chance to correct the problem, which is the usual procedure when a vulnerability is identified.
The ISP also did not speculate on the source of the attack, but it appears to suspect someone outside its organization and outside its user base. PlusNet has temporarily restricted its Web portal access to users who registered in the U.K. The company had originally planned to publish an incident report on Friday, but that report has now been postponed until Tuesday.
While it develops a more permanent fix, PlusNet says it will not deliver some types of email, including messages that originate from known spammer addresses and messages tagged as spam by its filtering system. "We are confident that these methods will only block email which is spam," the ISP says.
Tim Wilson, Site Editor, Dark Reading