PlusNet publishes Web Mail Incident Report
Sunday 27 May 2007 10:08:14 by
Plusnet (www.plus.net) has recently re-instated its webmail platform with a temporary solution running SquirrelMail which has previously been used
by Metronet, a company PlusNet acquired. It has also released details of its investigation into the previous security incident which can be read in full on community.plus.net.
A brief timeline of the incident:
- 4th May to 8th May: Start of the incident with tickets being raised by customers, which was finally identified as a webmail platform issue on 9th May.
- 9th May to 12th May: A priority problem created and an incident response team formed. Modified HTML files were found on one of six Linux webmail servers, with the intention of trying to
open a pop-up window linking to a Russian website which would try to activate a trojan. Where PlusNet was able to identify people who the trojan had affected, it contacted them to advise on remedial
- 13th May to Tuesday 15th May: A malicious file was found that contained code that allowed an attacker to run commands on the web server itself. This allowed someone to run queries against
the webmail database and transmit the results to a remote location. This was found after customers started to complain about receiving spam to e-mail addresses that were previously spam free. The
data obtained included customer e-mail addresses, entries in customer address book and e-mail addresses with which customers had exchanged messages with using the webmail platform. This included some
old data from before the Atmail solution was implemented in 2004.
- 16th May to 21st May: PlusNet worked closely with the BT security team during this time to improve security across their network. The temporary webmail solution using SquirrelMail was
tested and went live on Saturday 19th May.