Blue Security folds under spammer's wrath
securityfocus.com Robert Lemos, SecurityFocus 2006-05-17
Israeli anti-spam startup Blue Security decided on Tuesday to shutter its aggressive anti-spam service, citing threats of further--and more malicious--attacks on its service and users.
The company's service, Blue Frog, enabled nearly a half million users to automatically opt out of unsolicited bulk e-mail messages, or spam, by each sending a single message back to the advertiser. Collectively, the automated opt-out messages inundated the clients of spammers, forcing six of the top-10 bulk e-mail groups to agree to use the company's filtering software to cleanse their mass-mailing lists of any Blue Frog users, according to the firm.
However, one spammer decided to attack back instead. Starting May 1, the spammer--whom Blue Security identified as PharmaMaster--attacked the company's Web site and spammed Blue Frog users with even more mass mailings. The attacks not only disrupted Blue Security's operations but knocked out the blog hosting service Six Apart and a handful of Internet service providers, including Tucows.
While the company had started recovering from the initial attacks, the spammer promised more to come, said one company source. Those threats and the collateral damage led the firm to decide to shut down its service.
"We cannot take the responsibility for an ever-escalating cyberwar through our continued operations," Eran Reshef, CEO and founder of Blue Security, said in an e-mail to SecurityFocus. "As we cannot build the Blue Security business on the foundation we originally envisioned, we are discontinuing all of our anti-spam activities and are exploring other, non spam-related avenues for our technological developments."
The closure marks a sudden end to a controversial service and highlights the importance of spam as a source of cash for the underground Internet economy. In December 2005, spam e-mail messages accounted for half of all e-mail sent, according to security firm Symantec. (SecurityFocus is owned by Symantec.) While spammers cost companies an estimated $20 billion, they only netted roughly $20 million to $30 million in profits in 2003, according to estimates by analyst firm Ferris Research.
The attacks also underscore the power that criminals can still wield on the Internet, especially through large networks of compromised computers known as bot nets. Bots have become the tool of choice for many online criminals to extort money from legitimate companies by threatening a hard-to-stop denial-of-service (DoS) attack; other criminals use the controller software to install adware on the compromised PCs to earn affiliate fees from the advertising networks.
The success of the attacks also reveals that, despite e-commerce companies' assertions that the Internet has become safe for business, the worldwide network has progressed merely from the Wild West to the equivalent of the 1920s mob-controlled urban centers, said Peter Swire, a law professor at Ohio State University and a member of the advisory board of Blue Security. To fight the online gangs of the Digital Age will take concerted efforts on the part of the U.S. government and other countries, he said.
"This attack was from an organized crime ring on the Internet," Swire said. "The rising amount of extortion on the Internet is a symptom of under-enforcement. It takes concentrated effort to break up any mob, and legitimate companies are at risk of extortion attacks unless enforcement and other cybersecurity measures improve."
In a way, Blue Security was following the money.
"If you look at the spam economy, there are the people that spam and then there are their clients--the sponsors," Reshef said. "We are going after the sponsors."
Some critics have charged the service with essentially being a denial-of-service (DoS) attack.
"They were causing a large number of individual packets to be sent with the intent of slowing a spammer's site down," said Anne Mitchell, president of the Institute for Spam and Internet Public Policy. "The intention was to take the server down; the intention was not to cause the user to be opted out."
Reshef denied that the massive submission of opt-out messages could be legally construed as a denial-of-service attack.
"Under the CAN-SPAM Act, the user has a right to send an opt out," Reshef said during a recent interview with SecurityFocus. "We were taking this right and automating it."
The strategy paid off, both for the company and its users. By the end of April, Blue Security had noticed that six of the top-10 spammers had used the firm's filtering service to remove any of its subscribers from the bulk e-mailers' lists, Reshef said.
"In April, we hit this critical mass," he said. "It was like a snowball. We had spammers responsible for 25 percent of the spam on the Net complying or starting to comply with our list."
At least one spammer decided not to comply. The bulk e-mailer, using the moniker PharmaMaster, used a simple technique to divine some of the names on Blue Security's opt-out list: The spammer took a very large list of e-mail addresses, used Blue Security's filter on the list, and compared the results. Any e-mail address on the first list that was not on the filtered list belonged to a Blue Frog user.
On Monday, May 1, a subset of the company's users started getting ten to twenty times the amount of spam they normally received. The messages contained numerous allegations, claiming that the Blue Frog client was illegal, that it took control of people's PCs, and that the subscribers would be criminally prosecuted.
"BlueSecurity was illegally attacking email marketers, and doing so with your help," read a portion of one message, replete with typos. "Many websites have been targeted and hit, including non-spam sites. BlueSecurity's software has been fully analyzed, and contains an abundance of malicious code... YOU CANNOT PARTICIPATE IN ILLEGAL ACTIVITIES and expect to get away with it."
PharmaMaster is a well-known purveyor of generic and fake Viagra and other drugs and herbal remedies, Reshef said, denying the allegations in the e-mail messages. The company posted a note to its site warning its users about the attack and trumpeting the turn of events as a sign of success.
On Tuesday, May 2, however, the company's Web site suddenly went dark, and with it, the company's future as an anti-spam service.
In the early afternoon on May 2, the company received an ICQ message from PharmaMaster, claiming that an administrator for a top-level Internet service provider would start blocking traffic to the company's Web site, according to a timeline posted on the company's site. Soon after, the company verified that its home page became inaccessible to anyone outside of Israel.
The attack came as a surprise, Reshef said.
"We didn't expect a criminal would be able to exercise any control over the backbone," he said.
It's uncertain what exactly happened to Blue Security's site. The IP address for the Web site comes from a block owned by Alternet, which is a backbone network run by the former UUNet, bought by telecommunications company MCI Worldcom, and--as of February 2005--a part of Verizon. However, a representative of the telecommunications company said that Blue Security is not a customer and none of Verizon's administrators would filter out traffic--known as blackholing--to a Web site.
The filtered traffic marked only the beginning. Within a couple of hours, Blue Security's operations--separate from its Web site--came under denial-of-service attack, flooded with anywhere between 2 gigabits and 10 gigabits per second of traffic from tens of thousands of sources.
By then, the company was attempting to get back online. To work around the backbone filtering that blocked access to its home page, Blue Security decided to change its domain name system (DNS) entries to point to its former blog, hosted by TypePad. Half an hour later, an attacker leveled a flood of packets at bluesecurity.com, but because of the DNS change, the flood did not hit Blue Security's servers but the servers of blog hosting service Six Apart. In what Six Apart called a "sophisticated attack," the company's two blog services--LiveJournal and TypePad--as well as several other portals--such as MovableType.com and SixApart.com--became inaccessible for nearly 8 hours.
"This has affected all of Six Apart's sites, causing intermittent and limited availability," the company said in a statement posted at the time. "Our network operations staff is working around the clock with our Internet access providers to resolve the issue."
Six Apart foiled the attack on its servers early in the morning on May 3 GMT, and the attacker shifted to Blue Security's domain name service provider, Tucows. That attack took out various services offered by the Internet service provider for nearly 12 hours, with its domain name service hit hardest, said Elliot Noss, CEO for Tucows.
"We deal with attacks on a regular basis, and this was an order of magnitude larger than what we are used to seeing," Noss said. "For the first part of the attack, this was seen as a network problem, because it caused connectivity issues for two of our three upstream providers."
Tucows' final solution was to "duck away from the problem"--in Noss's words--essentially removing Blue Security's DNS records from its system. The move effectively made Tucows' DNS servers disappear for any computer looking up the address for bluesecurity.com, blunting the attack but also foiling any legitimate user who wanted to find bluesecurity.com.
Blue Security's Reshef, who praised Six Apart for keeping his company's Web page online and accessible, had stern words for Tucows' strategy.
"Tucows took us down," he said. "Rather than standing up with us in the fight, they deserted us. They didn't even call us."
Last week, Blue Security hired well-known DoS-defense firm Prolexic to bring its sites back online. While its home page returned to the Internet, consistent service to the Blue Frog clients remained elusive. In an e-mail message sent last week, Reshef indicated the company fully intended to continue to take the fight to spammers.
Then the situation again changed drastically: PharmaMaster took the battle to the company's paying subscribers.
The online battle between PharmaMaster and Blue Security had already had a number of casualties: Internet services, consumer users and the company itself.
The spammer, seeing the success of the attacks, apparently decided that more threatening attacks could win the war. Specifically, PharmaMaster used Blue Security's own tactic against it: The spammer went for the money.
Blue Security built its business model around providing free service for consumers--whose greater number of computers could launch a meaningful attack against spammers--but requiring businesses to pay to protect entire domains.
In a significant shift in the attacks, PharmaMaster began targeting the paying customers, according to sources familiar with the attacks. People at the companies supposedly protected by the Blue Frog system instead found their systems in greater danger. The spammer hit their networks with denial-of-service attacks and sent e-mail messages laced with computer viruses to their addresses.
For the Israeli company, the attack trumped any of its defenses.
"Blue Security realized that they weren't helping their customers by continuing the fight with the spammers," said Keith Laslop, vice president of business development for Prolexic, the company hired to protect Blue Security's service. "So they have decided to exit the anti-spam business."
The anti-spam company said that it does not blame anyone but the spammer for the turn of events. So far, no lawsuits have been filed by Blue Security or against the company, CEO Reshef said. On Wednesday, the main Web page for the company, bluesecurity.com, could not be accessed by SecurityFocus.
Prolexic itself came under attack soon after taking Blue Security on as a client, according to the company.
"Prolexic Technologies has been fending off malicious cyber attacks from one or more criminal spammers attempting to intimidate the firm, subsequent to Prolexic deploying its system to defend a recent customer," the company stated on its Web site. "These attacks have included a barrage of defamatory spam emails about Prolexic, multi-gigabit DDoS attacks, and mail bombs."
Six Apart, the only other U.S. company substantially affected by the attacks, is currently working with the FBI on an investigation, but the U.S. law enforcement agency would not comment on the investigation.
To advisory board member Swire, the incident represents that the safety of the Internet is only a thin veneer, and that true threats to businesses, like this one, only get lip service from the Bush Administration.
"This shows how vulnerable the Internet infrastructure really is," Swire said. "I'm concerned that cybersecurity has been downgraded in the U.S. government from a White House issue to an issue that gets relatively little support in the Department of Homeland Security."
The outcome of the episode left a bad taste in the mouths of even some critics of Blue Security's service.
"I find the closure of their business very sad," said ISIPP's Mitchell. "I would rather they had tightened up their system and made it legal, than have it closed down."
CORRECTION: The article originally cited the wrong title for Keith Laslop of Prolexic Technologies. He is the vice president of business development. In addition, the article was updated with the statement regarding attacks against Prolexic.