Blue Security folds under spammer's wrath
Robert Lemos, SecurityFocus 2006-05-17
Israeli anti-spam startup Blue Security decided on Tuesday to shutter
its aggressive anti-spam service, citing threats of further--and more
malicious--attacks on its service and users.
The company's service, Blue Frog, enabled nearly a half million users
to automatically opt-out of unsolicited bulk e-mail messages, or
spam, by each sending a single message back to the advertiser.
Collectively, the automated opt-out messages inundated the clients of
spammers, forcing six of the top-10 bulk e-mail groups to agree to use
the company's filtering software to cleanse their mass-mailing lists
of any Blue Frog users, according to the firm.
However, one spammer decided to attack back instead. Starting May 1,
the spammers--who Blue Security identified as PharmaMaster--attacked
the company's Web site and spammed Blue Frog users with even more
mass mailings. The attacks not only disrupted Blue Security's
operations but knocked out the Web blog hosting service Six Apart and
a handful of Internet service providers, including Tucows.
While the company had started recovering from the initial attacks,
the spammer promised more to come, said one company source. Those
threats and the collateral damage led the firm to decide to shut down
its service.
"We cannot take the responsibility for an ever-escalating cyberwar
through our continued operations," Eran Reshef, CEO and founder of
Blue Security, said in an e-mail to SecurityFocus. "As we cannot
build the Blue Security business on the foundation we originally
envisioned, we are discontinuing all of our anti-spam activities and
are exploring other, non spam-related avenues for our technological
developments."
The closure marks a sudden end to a controversial service and
highlights the importance of spam as a source of cash for the
underground Internet economy. In December 2005, spam e-mail messages
accounted for half of all e-mail sent, according to security firm
Symantec. (SecurityFocus is owned by Symantec.) While spammers cost
companies an estimated $20 billion, they only netted roughly $20
million to $30 million in profits in 2003, according to estimates by
analyst firm Ferris Research.
The attacks also underscore the power that criminals can still wield
on the Internet, especially through large networks of compromised
computers known as bot nets. Bots have become the tool of choice for
many online criminals to extort money from legitimate companies by
threatening a hard-to-stop denial-of-service (DoS) attack; other
criminals use the controller software to install adware on the
compromised PCs to earn affiliate fees from the advertising networks.
The success of the attacks also reveals that, despite e-commerce
companies' assertions that the Internet has become safe for business,
the worldwide network has progressed merely from the Wild West to the
equivalent of the 1920s mob-controlled urban centers, said Peter
Swire, a law professor at Ohio State University and a member of the
advisory board of Blue Security. To fight the online gangs of the
Digital Age will take concerted efforts on behalf of the U.S.
government and other countries, he said.
"This attack was from an organized crime ring on the Internet," Swire
said. "The rising amount of extortion on the Internet is a symptom of
under-enforcement. It takes concentrated effort to break up any mob,
and legitimate companies are at risk of extortion attacks unless
enforcement and other cybersecurity measures improve."
Until the beginning of May, Blue Security's Reshef believed his
company's service looked ready for explosive growth.
The firm's Blue Frog service had gathered about 450,000 subscribers.
Each user, who in general tended to have strong anti-spam feelings,
had downloaded the free software agent to their computer and
subscribed to the service.
The Blue Frog agent, which integrates with Yahoo! Mail, GMail and
Hotmail, uses a central database to check incoming e-mail messages
for known spam. When a match is found, the software selects a form
from the site advertised in the e-mail message and submits a message
asking to be removed from the spammer's list. Because Blue Security
had nearly a half million users signed up, companies that use spam
lists would likely have their Web sites inundated with tens of
thousands of messages.
In a way, Blue Security was following the money.
"If you look at the spam economy, there are the people that spam and
then there are their clients--the sponsors," Reshef said. "We are
going after the sponsors."
Some critics have charged the service with essentially being a denial-
of-service (DoS) attack.
"They were causing a large number of individual packets to be sent
with the intent of slowing a spammer's site down," said Anne
Mitchell, president of the Institute for Spam and Internet Public
Policy. "The intention was to take the server down; the intention was
not to cause the user to be opted out."
Reshef denied that the massive submission of opt-out messages could
be legally construed as a denial-of-service attack.
"Under the CAN-SPAM Act, the user has a right to send an opt out,"
Reshef said during a recent interview with SecurityFocus. "We were
taking this right and automating it."
The strategy paid off, both for the company and its users. By the end
of April, Blue Security had noticed that six of the top-10 spammers
had used the firm's filtering service to remove any of its
subscribers from the bulk e-mailers' lists, Reshef said.
"In April, we hit this critical mass," he said. "It was like a
snowball. We had spammers responsible for 25 percent of the spam on
the Net complying or starting to comply with our list."
At least one spammer decided not to comply. The bulk e-mailer, using
the moniker PharmaMaster, used a simple technique to divine some of
the names on Blue Security's opt-out list: The spammer took a very
large list of e-mail addresses, used Blue Security's filter on the
list, and compared the results. Any e-mail address on the first list
that was not on the filtered list belonged to a Blue Frog user.
On Monday, May 1, a subset of the company's users started getting ten
to twenty times the amount of spam they normally received. The
messages contained numerous allegations, claiming that the Blue Frog
client was illegal, that it took control of people's PCs, and that
the subscribers would be criminally prosecuted.
"BlueSecurity was illegally attacking email marketers, and doing so
with your help," read a portion of one message, replete with typos.
"Many websites have been targeted and hit, including non-spam sites.
BlueSecurity's software has been fully analyzed, and contains an
abundance of malicious code... YOU CANNOT PARTICIPATE IN ILLEGAL
ACTIVITIES and expect to get away with it."
PharmaMaster is a well-known purveyor of generic and fake Viagra and
other drugs and herbal remedies, Reshef said, denying the
allegations in the e-mail messages. The company posted a note to its
site warning its users about the attack and trumpeting the turn of
events as a sign of success.
On Tuesday, May 2, however, the company's Web site suddenly went
dark, and with it, the company's future as an anti-spam service.
In the early afternoon on May 2, the company received an ICQ message
from PharmaMaster, claiming that an administrator for a top-level
Internet service provider would start blocking traffic to the
company's Web site, according to a timeline posted on the company's
site. Soon after, the company verified that its home page had become
inaccessible to anyone outside of Israel.
The attack came as a surprise, Reshef said.
"We didn't expect a criminal would be able to exercise any control
over the backbone," he said.
It's uncertain what exactly happened to Blue Security's site. The IP
address for the Web site comes from a block owned by Alternet, which
is a backbone network run by the former UUNet, bought by
telecommunications company MCI Worldcom, and--as of February 2005--a
part of Verizon. However, a representative of the telecommunications
company said that Blue Security is not a customer and none of
Verizon's administrators would filter out traffic--known as
blackholing--to a Web site.
The filtered traffic marked only the beginning. Within a couple of
hours, Blue Security's operations--separate from its Web site--came
under denial-of-service attack, flooded with anywhere between 2
gigabits and 10 gigabits per second of traffic from tens of thousands
of sources.
By then, the company was attempting to get back online. To work around
the backbone filtering that blocked access to its home page, Blue
Security decided to change its domain name system (DNS) entries to
point to its former blog, hosted by TypePad. Half an hour later, an
attacker leveled a flood of packets at bluesecurity.com, but because
of the DNS change, the flood did not hit Blue Security's servers but
the servers of blog hosting service Six Apart. In what Six Apart
called a "sophisticated attack," the company's two blog services,
LiveJournal and TypePad, as well as several other portals, such as
MovableType.com and SixApart.com, became inaccessible for nearly 8
hours.
"This has affected all of Six Apart's sites, causing intermittent and
limited availability," the company said in a statement posted at the
time. "Our network operations staff is working around the clock with
our Internet access providers to resolve the issue."
Six Apart foiled the attack on its servers early in the morning on
May 3 GMT, and the attacker shifted to Blue Security's domain name
service provider, Tucows. That attack took out various services
offered by the Internet service provider for nearly 12 hours, with
its domain name service hit hardest, said Elliot Noss, CEO for
Tucows.
"We deal with attacks on a regular basis, and this was an order of
magnitude larger than what we are used to seeing," Noss said. "For
the first part of the attack, this was seen as a network problem,
because it caused connectivity issues for two of our three upstream
providers."
Tucows' final solution was to "duck away from the problem"--in Noss's
words--essentially removing Blue Security's DNS records from its
system. The move made Tucows' DNS servers disappear for
any computer looking up the address for bluesecurity.com, blunting
the attack but also foiling any legitimate user that wanted to find
bluesecurity.com.
Blue Security's Reshef, who praised Six Apart for keeping his
company's Web page online and accessible, had stern words for Tucows'
strategy.
"Tucows took us down," he said. "Rather than standing up with us in
the fight, they deserted us. They didn't even call us."
Last week, Blue Security hired well-known DoS-defense firm Prolexic
to bring its sites back online. While its home page returned to the
Internet, consistent service to the Blue Frog clients remained
elusive. In an e-mail message sent last week, Reshef indicated the
company fully intended to continue to take the fight to spammers.
Then the situation again changed drastically: PharmaMaster took the
battle to the company's paying subscribers.
The online battle between PharmaMaster and Blue Security had already
had a number of casualties: Internet services, consumer users and the
company itself.
The spammer, seeing the success of the attacks, apparently decided
that more threatening attacks could win the war. Specifically,
PharmaMaster used Blue Security's own tactic against it: The spammer
went for the money.
Blue Security built its business model around providing free service
for consumers--whose greater number of computers could launch a
meaningful attack against spammers--but requiring businesses to pay
to protect entire domains.
In a significant shift in the attacks, PharmaMaster began targeting
the paying customers, according to sources familiar with the attacks.
People at the companies supposedly protected by the Blue Frog system
instead found their systems in greater danger. The spammer hit their
networks with denial-of-service attacks and sent e-mail messages
laced with computer viruses to their addresses.
For the Israeli company, the attack trumped any of its defenses.
"Blue Security realized that they weren't helping their customers by
continuing the fight with the spammers," said Keith Laslop, vice
president of business development for Prolexic, the company hired to
protect Blue Security's service. "So they have decided to exit the
anti-spam business."
The anti-spam company said that it does not blame anyone but the
spammer for the turn of events. So far, no lawsuits have been filed
by Blue Security or against the company, CEO Reshef said. On
Wednesday, the main Web page for the company, bluesecurity.com, could
not be accessed by SecurityFocus.
Prolexic itself came under attack soon after taking Blue Security on
as a client, according to the company.
"Prolexic Technologies has been fending off malicious cyber attacks from
one or more criminal spammers attempting to intimidate the firm,
subsequent to Prolexic deploying its system to defend a recent
customer," the company stated on its Web site. "These attacks have
included a barrage of defamatory spam emails about Prolexic,
multi-gigabit DDoS attacks, and mail bombs."
Six Apart, the only other U.S. company substantially affected by the
attacks, is currently working with the FBI on an investigation, but
the U.S. law enforcement agency would not comment on the
investigation.
To advisory board member Swire, the incident shows that the
safety of the Internet is only a thin veneer, and that true threats
to businesses, like this one, only get lip service from the Bush
Administration.
"This shows how vulnerable the Internet infrastructure really is,"
Swire said. "I'm concerned that cybersecurity has been downgraded in
the U.S. government from a White House issue to an issue that gets
relatively little support in the Department of Homeland Security."
The outcome of the episode left a bad taste in the mouths of even
some critics of Blue Security's service.
"I find the closure of their business very sad," said ISIPP's
Mitchell. "I would rather they had tightened up their system and made
it legal, than have it closed down."
Copyright 2005, SecurityFocus