Want your website back? It will cost you.
Meetup.com, a website with nearly 16 million users, was shut down for four days after hackers launched multiple DDoS attacks against it. It would all stop, the hackers wrote, if Meetup’s leadership would pay a ransom.
Their demands? A measly $300. Scott Heiferman, the company’s co-founder and CEO, refused to pay up.
“The extortion dollar amount suggests this to be the work of amateurs, but the attack is sophisticated,” he wrote in a blog post. “We believe this lowball amount is a trick to see if we are the kind of target who would pay. We believe if we pay, the criminals would simply demand much more.”
DDoS (distributed denial of service) attacks happen when hackers overwhelm a website so that its actual users can’t access it.
While the story sounds bizarre to outsiders, this kind of thing happens all of the time, multiple security experts told NBC News.
"It’s no different than a criminal standing outside the door of your business and not letting anybody in."
“It’s not surprising,” Chris Camejo, director of assessment services at NTT Com Security, told NBC News. “The thing that surprised me is that the press is actually picking up on this, because this kind of thing has been going on under the radar for years and nobody has been paying attention to it.”
It all started with a mafia war, Camejo said. In the late 1990s, the Russian mob began attacking online gambling sites located in Costa Rica, especially before big sporting events like the Super Bowl. They did exactly what Heiferman was afraid would happen with Meetup –- they kept raising the ransom price until it would sometimes reach as high as half a million dollars. Eventually, the American mafiosi who owned the sites got tired of paying, Camejo said, and that is how stateside wiseguys became some of the earliest customers of anti-DDoS technology.
Today, it’s extremely common for companies to suffer DDoS attacks, whether from Eastern European hackers looking to make a buck or politically motivated groups like Anonymous.
Because no customer information is stolen during these attacks, companies usually don’t share details about what happened with the public. That makes it difficult to tell exactly how many DDoS attacks involve ransoms, and $300 is an unusually low amount to demand.
Meetup, which allows users to create activity groups, made the rare move of actually posting the ransom email it received on Thursday morning:
Date: Thu, Feb 27, 2014 at 10:26 AM
Subject: DDoS attack, warning
A competitor asked me to perform a DDoS attack on your website. I can stop the attack for $300 USD. Let me know if you are interested in my offer.
Often, there are multiple parties involved in attacks of this type, with participants scattered across the globe. In some cases, the person making the demands might not be the person carrying out the attack. In the case of Meetup, this could have been one of many attacks, with the hope that enough people would pay small ransoms to turn a tidy profit.
All of these factors make the perpetrators difficult to track down. The Secret Service deals mainly with credit card hacks that may put financial information at risk. The Federal Bureau of Investigation and Interpol could investigate these matters, but the stakes are so low – a website goes offline for a few days – that they usually “have bigger fish to fry,” Camejo said.
Not that the stakes are not high for the companies that are forced offline. Meetup reported that 60,000 meetings were supposed to take place during the attacks. The site’s users, and the paying subscribers who create groups and events, were likely frustrated.
“It’s no different than a criminal standing outside the door of your business and not letting anybody in,” John Pirc, chief technology officer for NSS Labs, told NBC News. “That being said, the likelihood of getting caught is not very high."
That anonymity makes dealing with DDoS attacks just another cost of doing business in the Internet Age. For most companies, preventing malware attacks and the loss of personal information is the top priority. While DDoS attacks are hazardous to profits, they are hard to predict, and the programs meant to protect companies against them are expensive.
That means many companies would rather risk a brief outage than pay for years of security software, Pirc said.
“They are nice to have, they cost a little extra money, but usually the only time that checkbooks open to fit them into the budget is after events like this.”