Shortly after my Security Absurdity article was posted online, we witnessed a remarkable series of events which illustrates quite clearly that cybercriminals are indeed currently winning the battle.
In my article, I mentioned that one of the challenges security professionals face is that cyberspace’s digital battlefield heavily favors the cybercriminal. The freedom, privacy, and anonymity cyberspace offers gives cybercriminals the opportunity and confidence to target victims around the world with little chance of being caught. Spam is so prevalent because the economics of spam are attractive for both the spammers and the companies that pay them to spam.
Anti-spam vendor Blue Security aimed to change all this by rewriting the rules of the game with an unconventional – yet by all measures highly effective – method. Blue Security’s plan was to make cyberspace socially, technically, and legally hostile to cybercriminals. (More on this topic in a future post.)
Blue Security’s approach to reducing unsolicited email is to combine a Do-Not-Email registry with a mechanism that automates and simplifies the user’s process of sending an opt-out email message. Under the US CAN-SPAM Act of 2003, individuals are legally allowed to send an opt-out email, and Blue Security was simply automating this ability. If messages are sent to Blue Security customers in violation of Blue Security’s Do-Not-Email registry, Blue Security identifies the merchant advertised in the messages, issues an initial complaint, and tries to resolve the situation. If the initial complaint is not resolved satisfactorily within a ten-day grace period, Blue Security instructs the Blue Frog agent installed on each of its customers’ computers to automatically send an opt-out email message to the merchant responsible for the spam. The fundamental economics of sending unsolicited emails change when this happens, because the sender now has to ensure that they have the resources to handle the flood of legitimate opt-out requests. (More details on Blue Security’s model can be found here.)
Some have inaccurately described the Blue Security model as a DDOS. Sending spam, and hiring individuals to hijack computers in order to build botnets which can then be used to send spam, is illegal. Under CAN-SPAM, individuals are legally allowed to send an opt-out email, and Blue Security was simply automating this ability. The risk with any “strike-back” technology was that the wrong sites and individuals may be hit. Blue Security had a number of safeguards against this, attempting to contact the site and resolve the situation before starting an automated opt-out response. Allowing any individual to launch their own DDOS attack against spam sites at their whim would be dangerous and irresponsible. However, Blue Security had a responsible model with built-in safeguards. And one thing that can’t be argued is that it was successful in reducing the appeal of sending spam. According to Blue Security, 6 out of 10 top spammers were complying with Blue Security’s Do-Not-Email registry.
It was so successful, in fact, that a spammer (or group of spammers) known as PharmaMaster decided to fight back. PharmaMaster instructed his botnet to launch a DDOS attack against Blue Security. The resulting DDOS attack was so severe that it shut down:
Tucows chief executive Elliot Noss called the attack “by far the largest the company had ever seen” and said that only a handful of companies have the infrastructure in place to withstand such an assault. In cyberspace, a single anti-spam vendor was no match for PharmaMaster. Shortly after the attack began, Blue Security closed up shop.
1) In order to be successful against cybercriminals, we must make cyberspace socially, technically, and legally hostile to them. Blue Security’s model – while unconventional – worked.
2) A small group of spammers was able to easily shut down a number of large web sites which had considerable DDOS defenses already in place. They were able to do this without detection and without repercussions. The fact that these cybercriminals have this much control over cyberspace should be of much concern to everyone.
3) A single anti-spam vendor was no match for the resources that cybercriminals have. That is why any effort to stop cybercriminals must take industry and community-wide initiatives and support.
Todd Underwood, chief of operations and security for Renesys Corp., a company that monitors Internet connectivity, remarked that this event was, “extremely unfortunate, because it shows how much the spammers are winning this battle.”
Security Vendor vs. Cybercriminal.
Result: Technical Knock Out.
…and it wasn’t even close.