Slashdot Mirror


What Happened to Blue Security

shadowknot writes "Blue Security has published a detailed account of the attack on their servers perpetrated by spammer "PharmaMaster". The attack included a DDoS attack on the Blue Security operational system and a Black Hole filtering attack on the Blue Security website. From the article: "The first attack was to block worldwide access to Blue Security's corporate website (www.bluesecurity.com) by tampering with the Internet backbone using a technique called "Blackhole Filtering". The Second attack was a DDoS attack on Blue Security's operational system."

26 of 293 comments

  1. Re:Yup, this sucks. by jtogel · Score: 4, Insightful

    Come on, if you have never used Bluesecurity, then you were obviously not in their database, and your email could not have been leaked to the spammers! Obviously, the spammers just sent out these FUD spam mails to everyone, just like spammers generally do.

  2. For the lazy :) by Spy der Mann · Score: 4, Informative
    Powered by Copy-Paste (TM).

    Timeline (all times in GMT)
    [May 2nd 13:42 GMT]
    PharmaMaster Works to Block Traffic to Blue's Corporate Web Site

    One of the world's largest spammers, 'PharmaMaster', sends Blue Security an ICQ message stating that he will block traffic to Blue's corporate website, www.bluesecurity.com

    * ICQ Message: "Support [tier-1 ISP name withheld] says: Yes wont be a problem, i'll make sure to block all traffic to this domain very soon just get me reports mate"
    * "[tier-1 ISP name withheld] will block traffic to your websites god i love this war :)"

    [May 2nd 14:47 GMT]
    BlueSecurity.com Can't be Accessed Outside of Israel

    Blue Security receives another ICQ message from PharmaMaster stating that Blue's corporate Web site cannot be accessed from outside of Israel.

    * ICQ Message: "bluesecurity.com cant be open from outside of israel oh i feel sorry for the company really :)"

    [May 2nd 15:30 GMT]
    Blue Security's Dedicated Servers - NOT Corporate Website - Under Attack

    Blue Security's operational servers - NOT www.bluesecurity.com - suffer from DDoS attacks.
    [May 2nd 16:30 GMT]
    Corporate Website Receives 2 Hits/Min

    Blue employees notice that there is no load on the corporate website, www.bluesecurity.com (2 hits per minute) and that most visitors originate from Israel.
    [May 2nd 17:07 GMT]
    PharmaMaster Sends Message: Website Can't be Accessed Around World

    Blue receives another ICQ message from PharmaMaster stating the company's corporate Web site can not be accessed around the world.
    [May 2nd 20:17 GMT]
    Blue Performs Technical Analysis: Confirms Website Cannot be Accessed Abroad

    Blue's technical analysis team determines that its corporate website can still be accessed from Israel, but cannot be accessed abroad.
    [May 2nd 21:17 GMT]
    Blue Reports More Symptoms: "Blackhole filtering" Confirmed

    Blue's operational team reports on more symptoms supporting PharmaMaster's claims that the backbone of the Internet was compromised (blackhole filtering at the backbone level). Still, there is no sign that there was a DDoS attack on Blue's website.
    [May 2nd 22:45 GMT]
    Blue Security Decides to Update Blue Community

    Blue Security decides to update the Blue community about the situation by reverting to Blue's pre-launch "Blue Zone" Blog, hosted on Typepad.
    [May 2nd 23:20 GMT]
    BlueSecurity.com Redirected to TypePad

    www.bluesecurity.com is redirected to Blue Security's blog. Many community members can receive real time information about the attack.
    [May 2nd 23:27 GMT]
    First Comment Posted on the Blue Blog

    Blog site at TypePad functional. The first comment is posted on the Blue blog by a user.
    [May 2nd 23:57 GMT]
    Last comment Posted on the Blue Blog Before DDoS Begins

    TypePad blog site still functional. The last comment is posted thirty minutes later on the Blue blog just before the new DDoS attack occurs. (If there had been an initial DDoS attack on Blue's corporate site, the blog site would have been hit)
    [May 3rd 00:00 GMT]
    PharmaMaster Starts Attacking Typepad

    A fierce and ruthless DDoS on Typepad begins. Blue is not aware of the DDoS due to the late hour in Israel (2 AM local time). Typepad continues to carry Blue Security's blog and help Blue keep our community aware of the situation.
    [May 3rd 16:43 GMT]
    PharmaMaster Strikes Again, Takes Down Tucows

    PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.
    [May 3rd 23:23 GMT]
    PharmaMaster Boasts Success

    Almost 24 hours later, PharmaMaster boasts success in another ICQ message

    * ICQ Message: "pharma master: you know i feel sorry for you a

    1. Re:For the lazy :) by Anonymous Coward · Score: 5, Informative

      FFS, RTFA. They clearly say that they were blackholed (*NOT* under a DDoS attack) when they redirected their DNS record to point to their blog. It was only after 'PharmaMaster' realized that the record had changed that the DDoS was launched.

      PharmaMaster went forth with the DDoS with the full knowledge that he was going to hit Six Apart's servers. That was the entire point -- he wanted BlueSecurity off the net entirely and was willing to step on anyone to get it done.

      This was not malicious on BlueSecurity's part.

  3. DNS Vulnerabilities by Billosaur · Score: 4, Informative

    [May 3rd 16:43 GMT]
    PharmaMaster Strikes Again, Takes Down Tucows

    PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.

    And it wasn't all that long ago that DNS vulnerabilities were under discussion. Attacking a DNS server not only takes out the site intended, it has the bonus of collateral damage. Imagine the chagrin of all the other sites served by Tucows when they all go down en masse, and imagine the PR campaign that Blue Security is going to have to wage to get any credibility back.

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:DNS Vulnerabilities by Rob T Firefly · Score: 5, Insightful
      imagine the PR campaign that Blue Security is going to have to wage to get any credibility back

      Considering who Bluesecurity are and what they do, this whole thing has actually seemed to me to serve as pretty good PR for them. It pisses off lots of people, but once the facts were out there pretty much everyone I know got pissed at the spammer, not Bluesecurity. Everyone hates spam, but now they see a spammer taking things to the next level of evil, which really strengthens the image of the "good guys." People who never heard of Bluesecurity before are becoming ready to do what they can to work against this spammer.

    2. Re:DNS Vulnerabilities by mikeisme77 · Score: 4, Interesting

      Amen to that. I had never heard of BlueSecurity before this fiasco, but now that I've heard how much trouble they can give these jackass spammers and that they stick to their guns (no matter the cost), I'd like to support them in some way (although I probably won't join the network, as I don't agree with their methods of stopping spam).

    3. Re:DNS Vulnerabilities by Spy der Mann · Score: 5, Interesting

      ...and imagine the PR campaign that Blue Security is going to have to wage to get any credibility back.

      Um, how about "no such thing as bad publicity"?

      In my journal I commented that the attack on Six Apart was the web equivalent of Pearl Harbor. It not only (possibly) called the attention of the authorities towards PharmaMaster, it also became famous worldwide: I've been searching blogs for "blue security" and I've seen a lot of comments from people wanting to sign up when they're back online. One blogger in particular (forgot the URL) said that "Blue Security" became the top Technorati search during the attacks.

    4. Re:DNS Vulnerabilities by jjhall · Score: 5, Interesting

      What part of their methods do you not agree with? All they are doing is automating what you could do on your own. For each spam message you send them, they analyze it and set up a script to make ONE opt-out request on the spammer's website (where they are selling their product) and ONE message each to some and/or all of the upchain ISPs, government agencies that have jurisdiction over the crime, etc. They then forward that script to your BlueFrog client running on your system. If you are the only person that got that spam message, that one message is all that is sent to the spammer and the appropriate authorities.

      Now if the spammer sends that message to 1000 BlueSecurity members, they will get 1000 messages generated and sent, one from each of the users they spammed. If they send it to 5000 users, well you get the idea. The more Blue people they spam, the more opt-out requests they get. One for one.

      You have a right to do it by yourself: tracking down and filling out forms on the spammer's ordering site, forwarding a copy to the ISP of the originating IP and/or mail server, forwarding it to the FDA if it is a drug-related spam, etc. How long will that take you? You could easily spend a few hours a day or more doing that.

      Enter BlueSecurity stage right. They hire staff to track down the senders of that spam message you just received, just like you would have done. The difference is they take that information and distribute it to everybody else they know received that spam as well.

      The thing is, these spammers should understand they have absolutely a 0% chance of selling that item to any of the members of the Blue community. Why are they bothering to do this when it has no chance whatsoever of giving them even a single cent of profit? They should be happy to have the chance to clean their leads list. I've done telephone sales in the past (calling existing members about renewals) and I was happy to remove people who didn't want to be called from the list. For every person I removed from the list, it meant one less guaranteed no-sale next time the membership list cycled. In the long run I made more sales, and actually helped more people save money (it was cheaper to renew via phone than via the normal process) on a product they wanted.

      I understand the calling I was doing is completely different than the spamming in this topic, but the end result is the same. The more guaranteed "no" leads you remove, the higher your sales percentage will be, and the more profits in the long run.

      I had heard about Blue before this mess, but never got around to checking into their methods and signing up. Now that I see they are effective, and feel comfortable with how their network and client works (I also thought they DDoS'd the sites until I looked into it), I have signed up. Now I'm waiting for their system to become fully functional again so I can verify my account and start kicking spammer tail!

      Jeremy

  4. Re:Yup, this sucks. by Rob T Firefly · Score: 4, Insightful

    Isn't the fact that you, a non-user, got the email proof enough that nothing was leaked? Unless the spammer "hacked" your address from a list it wasn't on (which would be a neat trick) he or she was just spamming everyone available, hoping to get Bluesecurity's users along with it.

  5. publicity! by celardore · Score: 4, Interesting

    Even if the servers were temporarily downed, the publicity generated from this incident surely got quite a few new members.

    Heck, I even signed up; shall have to wait and see if it's worth it though.

  6. Re:Yup, this sucks. by ZachPruckowski · Score: 5, Informative

    Someone used their tool to clean a list, then compared the clean list to a "pre-scrub" list, which means they didn't gain any email addresses, they just learned something about the emails they already had been sending spam to.

    Don't quit Blue Security. My philosophy boils down to "millions for defense, not a penny for tribute" (Jefferson).

  7. Tucow bad behavior? by stry_cat · Score: 5, Insightful

    Looks like Tucow really behaved badly. They cancelled an account of a legitimate user instead of defeating the attack. They should never have given in to the spammer's demands.

  8. This isn't just between PharmaMaster & Bluefro by DigDuality · Score: 5, Interesting

    Apparently spammers are lining up to help out Pharmamaster from the SpecialHam forums. Digg.com users yesterday attempted launching multiple types of bandwidth vampirism and DDOS attacks on SpecialHam as well. http://digg.com/technology/SPAMmers_really_pissed_off_at_bluesecurity,_read_their_message_board

  9. Backbone level blackholing? by ladybugfi · Score: 4, Interesting

    >Blue's operational team reports on more symptoms supporting PharmaMaster's claims that the backbone of the Internet was compromised (blackhole filtering at the backbone level).

    No offence to the Blue guys' disrupted service, but I think this is the most interesting bit. I wonder whether this description is correct and if so, how the spammer achieved THAT.

    1. Re:Backbone level blackholing? by Anonymous Coward · Score: 4, Interesting

      Sounds like they paid off some people...

      "
      * ICQ Message: "Support [tier-1 ISP name withheld] says: Yes wont be a problem, i'll make sure to block all traffic to this domain very soon just get me reports mate"
      * "[tier-1 ISP name withheld] will block traffic to your websites god i love this war :)""

      This was more clear on some other article, but I can't find it at the moment. The spammers supposedly have an engineer on a backbone helping them. All I want to know is how the engineer expected not to be caught (I'm assuming he is caught... or there is a whole heck of a lot more corruption out there than I thought).

  10. Re:I want names and addresses! by ZachPruckowski · Score: 4, Informative

    The forum that organized (or at least helped in) the attack is located here, but I think it's still down. It was nailed by a deliberate vigilante DDoS from about a hundred or so Digg members yesterday/last night. They hacked a university to host it after the first host got nailed. Not sure what happened after that.

  11. Client List NOT Compromised!!! by cyberscan · Score: 5, Interesting

    What happened was that the spammer complied with instructions from Blue Security to download a program that washed Blue Security protected email addresses from the spammers' sucker list. When this program was run on the spammer's email list, Blue Security email addresses were purged. The spammer simply compared the purged list against his unpurged list and listed all the email addresses that were removed. He then sent the threatening emails to any email address that was purged from the original list.

    Blue Security is up and running again. Not only will I continue to use the Blue Frog, I will also promote it now. I do not like bullies, and will do whatever I can to stop them. Blue Security and others that help people punch back against spammers should be commended. I myself have written a signed applet that also punishes spammers.
    One can look at it by visiting http://www.plaza1.net/SpammerSlapper .

    The applet is GPL, and the source code is embedded in the applet. If you do not want to actually punish spammers, do not accept the certificate. I am also thinking about creating a java application that works in a similar way to Blue Frog - only the complaint instructions will be distributed via a peer to peer protocol and cryptographically signed. Any ideas on this one?

  12. DDoS Extortionists by Council · Score: 5, Interesting

    this is a really cool story about how a company handled a DDoS attack by organized crime.

    --
    xkcd.com - a webcomic of mathematics, love, and language.
  13. _Detailed_ timeline? by Whizard · Score: 4, Interesting

    Wow, if this is a detailed timeline, I'd hate to see the summary.

    "Some shit happened."

    As a security guy, this could have been really interesting, but it's not.

  14. Poor response by Grand Facade · Score: 5, Insightful

    PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.
    [May 3rd 23:23 GMT]
    PharmaMaster Boasts Success

    Tucows is a company I will never recommend or use to host any of my domains.
    Caving in to a spammer/hacker retaliation will not garner much support.

    http://www.joker.com/ serves my needs well

    --
    Rick B.
  15. Pharma Master by jefu · Score: 4, Insightful
    So, just who is this PharmaMaster guy anyway?

    Enquiring minds (and all that) want to know.

  16. Slashdot army unite! by spyrochaete · Score: 5, Insightful

    This ferocious attack on Blue Security as well as Typepad and TUCOWS is proof that Blue Security's tactics are working. Spammers are scared to death of Blue Frog because it forces them to comply with the spirit of CAN-SPAM (since it is worthless in practice). They are so desperate that they are damaging the internet backbone to slightly increase the limited time that spam will be profitable.

    Do not listen to FUD-spreading ignoramuses who will no doubt leave many /. comments urging you to stay away from Blue Frog. Spammers do not have Blue Security's member lists - they are simply DIFFing their entire lists with the opt-outs sent by Blue Frog and sharing their filters with the "mailer community". Yes, some members (not me) have been threatened with, and temporarily received, more spam. However, this can't last since spammers who do this are simply fighting fire with gasoline! The more spam Blue Frog users get, the more opt-outs the spammer and client receive, which costs them time and money! Plus, regarding threats to leave Blue Frog, does it make sense that a spammer would remove ANY working email address for ANY reason?

    Who do you trust to solve your spam problem? Microsoft? Your government? If they really cared, wouldn't the problem have been solved long before spam encompassed 90% of all email? Blue Security offers a realistic, fair, assertive, and EFFECTIVE means of hitting spammers where it hurts - in the database and in the pocketbook. They need your help to make spam an unprofitable, inconvenient vehicle for advertisers.

    I urge each and every /.er to sign up for a Blue Frog account RIGHT NOW (or whenever they're not getting DOSed) and simply forward your spam to yourusername@reports.bluesecurity.com. You can wait a day or two and send many spams as attachments in one email, or you can let the resident client do it for you. It's so easy and the headlines prove that it really does make a difference.

    Spammers are childishly thrashing around the internet like a bull in a china shop, having a flailing temper tantrum because people dare to stand up for their privacy. It is the duty of /.ers, as an informed userbase, to stand up for those internet users who don't know how to stand up for themselves.

    We have the numbers and the motivation. Aren't you sick and tired of these rich criminals wasting our time, defrauding our elders, and endangering our children day after day? If we stand together, just as the spammers stand together to attack Blue Security, then we WILL win.

    Sign up for a Blue Frog account ASAP and encourage your friends and family to do the same, as I have. And if you think it's possible to reason with spammers, check out this CastleCops forum thread that shows inside conversations from a spammer message board.
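The list-washing leak that comments 6, 11 and 16 above describe (the spammer runs the scrubbing tool, then diffs the scrubbed list against the original) is worth seeing as code, because it shows why hashing the registry would not have helped and what a filter with false positives does and does not buy. What follows is an added example written for this page, not Blue Security's tool or anything posted in the thread. It assumes a registry of SHA-256 hashes rather than cleartext addresses (an assumption about how such a registry might be built, not something the page states), and the member list and spammer list are constructed sample data.

```python
import hashlib

# Constructed sample data for this example; not real addresses and not
# anyone's actual registry or mailing list.
MEMBERS = [
    "alice@example.com", "bob@example.net", "carol@example.org", "dave@example.edu",
]
SPAMMER_LIST = [
    "alice@example.com", "eve@example.com", "bob@example.net", "frank@example.org",
    "grace@example.net", "Carol@Example.org", "heidi@example.edu", "ivan@example.com",
]


def hash_addr(addr: str) -> str:
    """Normalise and hash an address. Storing hashes instead of cleartext is an
    assumption about how a do-not-spam registry would be built; hashing is what
    lets the washer be shipped without shipping the member addresses themselves."""
    return hashlib.sha256(addr.strip().lower().encode()).hexdigest()


def build_registry(members):
    return {hash_addr(m) for m in members}


def wash_exact(spammer_list, registry):
    """The washing tool as the comments describe it: drop every address whose
    hash is registered and hand the remainder back to the list owner."""
    return [a for a in spammer_list if hash_addr(a) not in registry]


def infer_members(original, washed):
    """The spammer's move: whatever the washer removed must be registered.
    Hashing the registry does nothing against this, because the list owner
    holds the cleartext on both sides of the diff."""
    return sorted(set(original) - set(washed))


class BloomRegistry:
    """Registry published as a Bloom filter instead of an exact set. A member is
    always reported present (no false negatives); a non-member is reported
    present with a probability that rises as `bits` shrinks."""

    def __init__(self, hashes, bits: int, k: int):
        self.bits, self.k = bits, k
        self.table = bytearray(bits)
        for h in hashes:
            for pos in self._positions(h):
                self.table[pos] = 1

    def _positions(self, h: str):
        # k derived hash functions: salt the registry hash with the index.
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{h}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.bits

    def __contains__(self, h: str) -> bool:
        return all(self.table[pos] for pos in self._positions(h))


def wash_bloom(spammer_list, bloom):
    return [a for a in spammer_list if hash_addr(a) not in bloom]


def true_members_in(spammer_list, members):
    """Ground truth for the sample data: which list entries really are members."""
    wanted = {hash_addr(m) for m in members}
    return sorted(a for a in spammer_list if hash_addr(a) in wanted)


def demo():
    registry = build_registry(MEMBERS)
    leaked_exact = infer_members(SPAMMER_LIST, wash_exact(SPAMMER_LIST, registry))
    # Deliberately tiny filter so the false-positive rate is high.
    bloom = BloomRegistry(registry, bits=16, k=2)
    leaked_bloom = infer_members(SPAMMER_LIST, wash_bloom(SPAMMER_LIST, bloom))
    return {"exact": leaked_exact, "bloom": leaked_bloom}


if __name__ == "__main__":
    out = demo()
    print("exact washer leaks exactly the members:", out["exact"])
    print("bloom washer leaks members plus noise:  ", out["bloom"])
```

With the exact-match washer the diff is a perfect membership oracle: every removed entry is a member, and the `Carol@Example.org` entry shows that normalising before hashing just makes the oracle more reliable. The Bloom-filter variant pollutes the diff with non-members, which gives any one inferred address some deniability, but every real member is still in the inferred set because a Bloom filter never produces false negatives. The practical lesson is that any service which returns a washed copy of a list to the list's owner leaks membership by construction; the defence is not to hand back a washed copy at all.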

  17. If they were attacked... by The MAZZTer · Score: 5, Funny

    ...they must be doing something right! I'm signing up.

    Thanks PharmaMaster for referring me!

  18. Re:Blackmail tactics by Urusai · Score: 5, Funny

    "...we'll fight them at the routers, we'll fight them on the backbone, we'll fight them at the ISP, we'll fight them at the firewall; we shall never surrender."

  19. Re:"operational system" by Da_Weasel · Score: 5, Informative
    During the DDoS and Blackhole filtering it was only operational in Israel. The rest of the world was cut off. There were also threatening emails sent to registered users. According to Blue Security their database was not compromised and the spammer was actually using his own email list to send these emails out. Since then I have been receiving 2-3 messages a day from the spammer which contain nothing but the DNS WHOIS record for bluesecurity.com. Here is a copy of the first message I received:

    "Hey, You are receiving this email because you are a member of BlueSecurity (http://www.bluesecurity.com).

    You signed up because you were expecting to receive a lesser amount of spam, unfortunately, due to the tactics used by BlueSecurity, you will end up receiving this message, or other nonsensical spams 20-40 times more than you would normally.

    How do you make it stop?

    Simple, in 48 hours, and every 48 hours thereafter, we will run our current list of BlueSecurity subscribers through BlueSecurity's database, if you aren't there.. you won't get this again.

    We have devised a method to retrieve your address from their database, so by signing up and remaining a BlueSecurity user not only are you opening yourself up for this, you are also potentially verifying your email address through them to even more spammers, and will end up getting even more spam as an end-result.

    By signing up for bluesecurity, you are doing the exact opposite of what you want, so delete your account, and you will stop receiving this.

    Why are we doing this?

    Its simple, we dont want to, but BlueSecurity is forcing us. We would much rather not waste our resources and send you these useless mails, but do not believe for one second that we will stop this tirade of emails if you choose to stay with BlueSecurity. Just remember one thing when you read this, we didnt do this to you, BlueSecurity did.

    If BlueSecurity decides to play fair, we will do the same.

    We are quite sure you will think this will not continue, that we will not continue wasting our resources doing this, feel free to wait out the first 48, or the second, and see whether these stop, you will be quite surprised.

    If you have another email under the protection of bluesecurity, and have not received this there, do not worry, you will soon enough.

    We might've had your email addresses before in our lists, but now, we are targeting YOU, because YOU are a bluesecurity user.

    You might also notice, that the BlueSecurity site(http://www.bluesecurity.com) is down..

    Just remove yourself from BlueSecurity, and make it easier on you.

    Marta Tanner"

    --
    If you must!