According to BlackSpider Technologies, the first attack happened on Monday at 10:45 a.m.
The firm estimated that more than 455,000 emails containing the trojan Downloader.Win32.Agent.adu hit inboxes of U.K. businesses during a three-hour window of exposure. The trojan was patched by the first anti-virus vendor at 1:45 p.m.
The second wave, containing the trojan Downloader.Win32.Agent.dsl, struck at 5:10 a.m. Tuesday morning, with more than 195,000 trojan infected emails being sent to U.K. businesses before a patch was issued by the antivirus community. The second trojan was patched more than three hours later at 8.15 a.m.
Both emails used the same subject line and text in the body of the email, claiming to be a transaction to online retailer Amazon. The emails also used an executable attachment in both cases.
The only difference between the emails was the size of the payload – the first email was 5,564 bytes, the second 5,712 bytes.
James Kay, chief technical officer, BlackSpider Technologies, said: "This was a particularly opportunist attack. Emails from the first wave were still being released by the hacker when the second wave struck. Antivirus vendors were probably not expecting a second – and very similar – wave to occur while the first attack was still happening. Not only was the first attack successful, it also effectively acted as a smokescreen and allowed the second strike to catch the antivirus community off guard, which is why it enjoyed a window of exposure of more than three hours."