The hacking of SkyLounge.com
June 1 should have been the beginning of a great week for Marcel van Gemerden. His social networking site for frequent business travelers, SkyLounge, had just launched a suite of new features the week before, and on that Monday morning, the CEO fully expected to be talking to members of the press about the revamped offering. Instead he found himself apologizing to 2,000 journalists -- including reporters from the Wall Street Journal, CNN, the Dallas Morning News and Computerworld -- after a rogue e-mail server slammed them with some 75,000 e-mails.
That morning, attackers broke into the SkyLounge mail server, uploaded a list containing the e-mail addresses of the journalists and launched the attack. While none of SkyLounge's 20,000 customers were affected (SkyLounge's own mail list was encrypted), spamming 2,000 journalists was nonetheless a damaging PR blow for the small business, which van Gemerden launched with his own capital in February of 2008 and continues to fund from his own pocketbook.
Dirty tricks
The attack worked by tricking the victims into spamming one another. Each journalist initially received an e-mail informing him that he was on the SkyLounge mail list, along with instructions for removing his name from it. But when a person replied with "unsubscribe" in the subject line, the server didn't remove them. Instead it rebroadcast the message to the sender and everyone else on the list.
"When people started getting upset and wanted to remove themselves it was like a snowball coming down Mount Everest. Many people tried to remove themselves three or four times," van Gemerden says.
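The reply storm described above depends on the list server redistributing whatever it receives. As an added example (not SkyLounge's code or configuration), here is a minimal sketch of how a list handler should treat inbound mail so that an "unsubscribe" reply can never fan out; the function name, addresses and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def handle_inbound(raw, subscribers, allowed_posters):
    """Decide what to do with one inbound message (hypothetical handler).

    Returns (action, recipients). Removes the sender from `subscribers`
    when the message is an unsubscribe request.
    """
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = (msg.get("Subject") or "").strip().lower()
    # Strip reply/forward prefixes so "Re: unsubscribe" is still a command.
    while subject.startswith(("re:", "fwd:", "fw:")):
        subject = subject.split(":", 1)[1].strip()
    # Never redistribute auto-generated mail (RFC 3834 Auto-Submitted header).
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return ("drop", [])
    words = subject.split()
    # Administrative command: act on it and answer the sender only.
    if words and words[0] == "unsubscribe":
        subscribers.discard(sender)
        return ("unsubscribed", [sender])
    # Announcement list: only authorised posters may reach the whole list.
    if sender not in allowed_posters:
        return ("held", [])
    return ("distribute", sorted(subscribers - {sender}))

def demo():
    # Constructed sample data, not taken from the incident.
    subs = {"a@example.com", "b@example.com", "c@example.com"}
    posters = {"news@example.com"}
    msgs = [
        "From: B <b@example.com>\nSubject: Re: unsubscribe\n\nremove me\n",
        "From: c@example.com\nSubject: Stop emailing me\n\nangry reply\n",
        "From: news@example.com\nSubject: New features\n\nannouncement\n",
    ]
    return [handle_inbound(m, subs, posters) for m in msgs], subs

if __name__ == "__main__":
    results, remaining = demo()
    for action, rcpts in results:
        print(action, rcpts)
    print("remaining subscribers:", sorted(remaining))
```
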
Early warning
van Gemerden knew even before the attack started that something was amiss. When he first arrived that morning, he couldn't log into his own e-mail account. "Right then I knew either the site was down or the password had been changed," he says.
But the site wasn't down. An attacker had somehow obtained his e-mail password and changed it, locking him out.
van Gemerden's account also had access to the mail server. "We knew they were in the mail server but we didn't know what they were going to do," he says.
Within 15 minutes, it was obvious.
The situation was rapidly devolving into a public relations disaster, and van Gemerden's staff was still struggling to regain control over the rogue server. van Gemerden put a warning banner on his home page, and the staff got to work.
Shutting down the system didn't work. After five minutes, it turned itself back on and continued spamming. SkyLounge's IT staff then pulled the server offline for about 12 hours, found what they thought was the offending code, removed it, and restarted the machine. One hour later the spamming commenced once again. This cycle of shutting down, searching, removing code and relaunching repeated itself several more times before the staff finally had all of the malware off the machine and could declare it clean and stable. "[The attackers] put four or five things on there to keep it going," van Gemerden says. "They were very smart people."
Damage control
The better part of a day went by before van Gemerden's staff finally had the situation under control. Throughout it all, van Gemerden kept the public updated through the SkyLounge Web site.
When I called van Gemerden the next morning, he was still mopping up, responding to angry e-mails and making personal apologies. "I'm just trying to control the damage in terms of our reputation and make sure everyone knows that we're not in the business of spamming everybody," he said. At that point, he had personally spoken with 200 journalists and had sent letters of apology to another 400.
van Gemerden still doesn't know exactly how the attackers got his password, but he has put additional security layers in place to ensure that the same attack can't happen again. As for the PR damage, a personal call and an apology from the CEO seem to have helped contain it. van Gemerden says that most of the journalists he spoke with were "very nice." van Gemerden also offered each victim a free subscription to SkyLounge's premium services for their trouble.
"While it may seem extreme, the reaction of this particular CEO was excellent," says David Bartlett, vice president at the crisis management firm Levick Strategic Communications in Washington, DC. In a situation like this he recommends personally reaching out with an apology and an explanation - not an excuse. "Don't just blame technology," he warns.
In a situation like SkyLounge's, Bartlett would normally recommend picking up the phone over sending additional e-mails. He points out that an apology sent by e-mail may be blocked if the affected persons have flagged e-mail from SkyLounge.com as spam. Even if they didn't block further messages, the intended recipient may not bother to read new messages from SkyLounge.com.
But in this particular situation that decision is a tough call, he says. With 2,000 people to contact, Bartlett acknowledges that it may not have been practical for van Gemerden to make a personal call to each one.
Malicious intent
van Gemerden still doesn't know who the attackers were. Although the IP addresses of the hackers seem to have come from Russia and Kazakhstan, van Gemerden knows that those addresses could easily have been spoofed. "It could have been someone from Germany or Spain or France," he says.
The intent of the attack also remains a mystery. Was SkyLounge the victim of hackers having a little fun, or was the attack, targeting 2,000 journalists, a more sinister attempt to damage the company's reputation? "When I first saw [the attack], all sorts of things started running through my mind," van Gemerden admits.
"What happened [to SkyLounge] is, alas, going to be happening more and more as we go forward," Bartlett says. And it could have been worse: He has seen spam e-mails that included a link or embedded code designed to steal address book information from each victim, perpetuating the spam attack across an even wider spectrum of people.
van Gemerden prefers to believe that the whole thing was simply a random act of hacking. "I don't think another company would do something like this," he says, then pauses. "Then again, you never know."



