Slashdot Mirror

← Back to Stories (view on slashdot.org)

What Happened to Blue Security

Posted by ryuzaki0 on from the bad-news-for-anti-spam dept.

shadowknot writes "Blue Security has published a detailed account of the attack on their servers perpetrated by spammer "PharmaMaster". The attack included a DDoS attack on the Blue Security operational system and a Black Hole filtering attack on the Blue Security website. From the article: "The first attack was to block worldwide access to Blue Security's corporate website (www.bluesecurity.com) by tampering with the Internet backbone using a technique called "Blackhole Filtering". The Second attack was a DDoS attack on Blue Security's operational system."

7 of 293 comments (clear)

  1. Coral Cache by Rob+T+Firefly · · Score: 5, Informative

    They deserve a break.

    --
    Slashdot Burying Stories About Slashdot Media Owned
  2. For the lazy :) by Spy+der+Mann · · Score: 4, Informative
    Powered by Copy-Paste (TM).

    Timeline (all times in GMT)
    [May 2nd 13:42 GMT]
    PharmaMaster Works to Block Traffic to Blue's Corporate Web Site

    One of the world's largest spammer's, 'PharmaMaster', sends Blue Security an ICQ message stating that he will block traffic to Blue's corporate website, www.bluesecurity.com

    * ICQ Message: "Support [tier-1 ISP name withheld] says: Yes wont be a problem, i'll make sure to block all traffic to this domain very soon just get me reports mate"
    * "[tier-1 ISP name withheld] will block traffic to your websites god i love this war :)"

    [May 2nd 14:47 GMT]
    BlueSecurity.com Can't be Accessed Outside of Israel

    Blue Security receives another ICQ message from PharmaMaster stating that Blue's corporate Web site cannot be accessed from outside of Israel.

    * ICQ Message: "bluesecurity.com cant be open from outside of israel oh i feel sorry for the company really :)"

    [May 2nd 15:30 GMT]
    Blue Security's Dedicated Servers - NOT Corporate Website - Under Attack

    Blue Security's operational servers - NOT www.bluesecurity.com - suffers from DDoS attacks.
    [ May 2nd 16:30 GMT]
    Corporate Website Receives 2 Hits/Min

    Blue employees notice that there is no load on the corporate website, www.bluesecurity.com (2 hits per minute) and that most visitors originate from Israel.
    [May 2nd 17:07 GMT]
    PharmaMaster Sends Message: Website Can't be Accessed Around World

    Blue receives another ICQ message from PharmaMaster stating the company's corporate Web site can not be accessed around the world.
    [May 2nd 20:17 GMT]
    Blue Performs Technical Analysis: Confirms Website Cannot be Accessed Abroad

    Blue's technical analysis team determines that its corporate website can still be accessed from Israel, but cannot be accessed abroad.
    [May 2nd 21:17 GMT]
    Blue Reports More Symptoms: "Blackhole filtering" Confirmed

    Blue's operational team reports on more symptoms supporting PharmaMaster's claims that the backbone of the Internet was compromised (blackhole filtering at the backbone level). Still, there is no sign that there was a DDoS attack on Blue's website.
    [May 2nd 22:45 GMT]
    Blue Security Decides to Update Blue Community

    Blue Security decides to update the Blue community about the situation by reverting to Blue's pre-launch "Blue Zone" Blog, hosted on Typepad.
    [May 2nd 23:20 GMT]
    BlueSecurity.com Redirected to TypePad

    www.bluesecurity.com is redirected to Blue Security's blog. Many community members can receive real time information about the attack.
    [May 2nd 23:27 GMT]
    First Comment Posted on the Blue Blog

    Blog site at TypePad functional. The first comment is posted on the Blue blog by a user.
    [May 2nd 23:57 GMT]
    Last comment Posted on the Blue Blog Before DDoS Begins

    TypePad blog site still functional. The last comment is posted thirty minutes later on the Blue blog just before the new DDoS attack occurs. (If there had been an initial DDoS attack on Blue's corporate site, the blog site would have been hit)
    [May 3rd 00:00 GMT]
    PharmaMaster Starts Attacking Typepad

    A fierce and ruthless DDoS on Typepad begins. Blue is not aware of the DDoS due to the late hour in Israel (2 AM local time). Typepad continues to carry Blue Security's blog and help Blue keep our community aware of the situation.
    [May 3rd 16:43 GMT]
    PharmaMaster Strikes Again, Takes Down Tucows

    PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.
    [May 3rd 23:23 GMT]
    PharmaMaster Boasts Success

    Almost 24 hours later, PharmaMaster boasts success in another ICQ message

    * ICQ Message: "pharma master: you know i feel sorry for you a

    1. Re:For the lazy :) by Anonymous Coward · · Score: 5, Informative

      FFS, RTFA. They clearly say that they were blackholed (*NOT* under a DDoS attack) when they redirected their DNS record to point to their blog. It was only after 'PharmaMaster' realized that the record had changed that the DDoS was launched.

      PharmaMaster went forth with the DDoS with the full knowledge that he was going to hit Six Apart's servers. That was the entire point -- he wanted BlueSecurity off the net entirely and was willing to step on anyone to get it done.

      This was not malicious on BlueSecurity's part.

  3. DNS Vulnerabilities by Billosaur · · Score: 4, Informative

    [May 3rd 16:43 GMT]
    PharmaMaster Strikes Again, Takes Down Tucows

    PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.

    And it was't all that long ago that DNS vulnerabilities were under discussion. Attacking a DNS server not only takes out the site intended, it has the bonus of collateral damage. Imagine the chagrin of all the other sites served by Tucows when they all go down en masse and imagine the PR campaign that Blue Security is going to have to wage to get any credibility back.

    --
    GetOuttaMySpace - The Anti-Social Network
  4. Re:Yup, this sucks. by ZachPruckowski · · Score: 5, Informative

    Someone used their tool to clean a list, then compared the clean list to a "pre-scrub" list, which means they didn't gain any email addresses, they just learned something about the emails they already had been sending spam to.

    Don't quit Blue Security. My philosophy boils down to "millions for defense, not a penny for tribute" (Jefferson).

  5. Re:I want names and addresses! by ZachPruckowski · · Score: 4, Informative

    The forum that organized (or at least helped in) the attack is located here, but I think it's still down. It was nailed by a deliberate vigilante DDoS from about a hundred or so Digg members yesterday/last night. They hacked a university to host it after the first host got nailed. Not sure what happened after that.

  6. Re:"operational system" by Da_Weasel · · Score: 5, Informative
    During the DDoS and Blackhole filtering it was only operational in Isreal. The rest of the world was cut off. There were also threatening emails sent to registered users. According to Blue Security their database was not comprimised and the spammer was actually using his own email list to send these email out. Since then I have been receiving 2-3 messages a day from the spammer which contains nothing but the DNS WHOIS record for bluesecurity.com. Here is a copy of the first message I recieved:

    "Hey,You are recieving this email because you are a member of BlueSecurity (http://www.bluesecurity.com).

    You signed up because you were expecting to recieve a lesser amount of spam, unfortunately, due to the tactics used by BlueSecurity, you will end up recieving this message, or other nonsensical spams 20-40 times more than you would normally.

    How do you make it stop?

    Simple, in 48 hours, and every 48 hours thereafter, we will run our current list of BlueSecurity subscribers through BlueSecurity's database, if you arent there.. you wont get this again.

    We have devised a method to retrieve your address from their database, so by signing up and remaining a BlueSecurity user not only are you opening yourself up for this, you are also potentially verifying your email address through them to even more spammers, and will end up getting up even more spam as an end-result.

    By signing up for bluesecurity, you are doing the exact opposite of what you want, so delete your account, and you will stop recieving this.

    Why are we doing this?

    Its simple, we dont want to, but BlueSecurity is forcing us. We would much rather not waste our resources and send you these useless mails, but do not believe for one second that we will stop this tirade of emails if you choose to stay with BlueSecurity. Just remember one thing when you read this, we didnt do this to you, BlueSecurity did.

    If BlueSecurity decides to play fair, we will do the same.

    We are quite sure you will think this will not continue, that we will not continue wasting our resources doing this, feel free to wait out the first 48, or the second, and see whether these stop, you will be quite suprised.

    If you have another email under the protection of bluesecurity, and have not recieved this there, do not worry, you will soon enough.

    We mightve had your email addresses before in our lists, but now, we are targetting YOU, because YOU are a bluesecurity user.

    You might also notice, that the BlueSecurity site(http://www.bluesecurity.com) is down..

    Just remove yourself from BlueSecurity, and make it easier on you.

    Marta Tanner"

    --
    If you must!