Meetup.com DDoSed by extortionist, refuses to pay ransom

Filed Under: Denial of Service, Featured, Security threats

Who in the world would launch a distributed denial of service (DDoS) attack against Meetup.com?

That's beyond the pale, suggests one understandably aghast fan:

But a DDoS is exactly what's been plaguing the site, Scott Heiferman, Meetup.com co-founder and CEO, wrote on the company's blog.

Heiferman says that for the first time in its 12 years, the network of local community groups is facing what he calls "a massive attack on its servers".

Extortionists are behind the attack, trying to elbow the site offline and demanding a ransom that Meetup refuses to pay.

Two things happened on Thursday morning.

First, Meetup received this email, demanding $300 (£180):

Date: Thu, Feb 27, 2014 at 10:26 AM

Subject: DDoS attack, warning

A competitor asked me to perform a DDoS attack on your website. I can stop the attack for $300 USD. Let me know if you are interested in my offer.

Simultaneously, the attack began.

Meetup.com didn't manage to crawl out from under the attack until Friday morning, and even then it took "many hours" for its defensive changes to propagate across the internet, it said. The post doesn't spell out what those changes were, but a lag of that length is characteristic of DNS changes, such as re-pointing a domain at a mitigation provider, which is why defenders try to lower DNS record TTLs well before they need to move.

Before some users had even managed to see Meetup.com lift its head up to gulp a breath of air, it was down again, as another wave of DDoS sent it back under on Saturday afternoon.

The site re-emerged, for the most part, by midnight on Saturday.

The third and most recent attack hit Meetup.com on Sunday evening, and the company has since spent the past few days shoring up the site and its apps.

Meetup's feeling pretty good about its efforts to ward off the attacks, but there's no saying what the future holds, Heiferman said in his posting:

While we’re confident that we’re taking all the necessary steps to protect against the threat, it’s possible that we’ll face outages in the days ahead.

All this, over a measly $300?

Yup.

It wouldn't matter if the extortionists wanted $3,000,000 or $3 or three fingernail clippings: Meetup is saying stick it, we're not paying.

The company's rationale:

1. We made a decision not to negotiate with criminals.

2. The extortion dollar amount suggests this to be the work of amateurs, but the attack is sophisticated. We believe this lowball amount is a trick to see if we are the kind of target who would pay. We believe if we pay, the criminals would simply demand much more.

3. Payment could make us (and all well-meaning organizations like us) a target for further extortion demands as word spreads in the criminal world.

4. We are confident we can protect Meetup from this aggressive attack, even if it will take time.

Heiferman commented:

This is an attack on everyone who believes that people are powerful together. We live in a world where criminals can make extortion threats against an organization like ours and temporarily frustrate millions of people.

But we also live in a world where organizers start new Meetup Groups, members show up, people start talking, and communities form. Our platform is built around a simple idea — that if Meetup helps people to find the others, we will all be more powerful and will create the kind of world we want to live in together.

It may sound like pro-Meetup marketing touchy-feely squishiness, but cynicism be damned: he's right.

Cyber-extortionists are going after succinct Twitter handles, hospitals, and even Miss Teen USA.

They might think they're too clever to be tracked down, but they'd be wrong.

They can just go ask the two Polish online gaming programmers who were recently arrested and jailed for 5 years for the DDoSing and cyber-extortion of an online casino.

Good luck to Meetup.com's beleaguered engineering crew. We hope you continue to succeed in fending these guys off, and that somebody in law enforcement manages to track them down.



8 Responses to Meetup.com DDoSed by extortionist, refuses to pay ransom

  1. rakso75 · 199 days ago

    My girlfriend, a meetup group organizer, got an email from the CEO informing her about the DDoS and assuring her that her credit card details were safe (organizers of meetup groups pay US$12 for 6 months to meetup; they are free to decide whether they charge their members or not, and how much and how).

    She was asking me what a DDoS was and why the remark about the card details.

    I have not seen the email, I might update this post with it (or if somebody already has it at hand, can do as well).

    • btocher · 199 days ago

      Ah, if it were only $12 for 6 months - it's $72 for 6 months! But I wish the Meetup team well, and hope this gets sorted out quickly.

      • rakso75 · 199 days ago

        It might depend on the group size, country, objectives or other factors... I presumed it would be the same worldwide, but maybe not. Group created in the Netherlands, one year ago, US$12 for 6 months, renewed after 6 months at the same price, that much I know (my assumption that this was general may be wrong, then).

        This is not related to the theme of this topic, but maybe it will (has) uncover(ed) not so clear sales strategies :))

        P.S.: trying to be a little imaginative (maybe related to reality, maybe not...), online company shows only prices at the moment of purchase of the service, so customers do not know what other customers pay. Due to an attack, customers start to know what others pay and can compare, and from here... what?

  2. As the organizer of a MeetUp.com group it's admittedly been a rollercoaster ride trying to keep the group's get togethers running smoothly without the site's tools but I'm happy to see MeetUp.com will not pay extortionists. No good that way lies...

  3. Ralph Haygood · 199 days ago

    Last November, you published a useful primer on "How to store your users' passwords safely" (http://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/). How about a primer on "How to defend your site against DDoS attacks"? Services like Prolexic are pricey, and some other services are at least a little sketchy. I realize different strategies are appropriate for different kinds of site and hosting arrangement, but an overview of the options would be welcome.

  4. Anonymous · 199 days ago

    It's great to see MeetUp refusing to be intimidated by these criminals - who are, in essence, thugs.

  5. Anonymous · 198 days ago

    They should pay. Tell 'em it's in an envelope marked extortionist at FBI headquarters.

  6. Pale Knight · 198 days ago

    They use CloudFlare? I guess they're safe now?


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.