Who in the world would launch a distributed denial of service (DDoS) attack against Meetup.com?
That’s beyond the pale, suggests one understandably aghast fan:
Who does a DDoS on @Meetup? Do they hate kittens, too?
— Sean McCann (@mccannst) February 27, 2014
But a DDoS is exactly what’s been plaguing the site, Scott Heiferman, Meetup.com co-founder and CEO, wrote on the company’s blog.
Heiferman says that for the first time in its 12 years, the network of local community groups is facing what he calls “a massive attack on its servers”.
Extortionists are behind the attack, trying to force the site offline and demanding a ransom that Meetup refuses to pay.
Two things happened on Thursday morning.
First, Meetup received this email, demanding $300 (£180):
Date: Thu, Feb 27, 2014 at 10:26 AM
Subject: DDoS attack, warning
A competitor asked me to perform a DDoS attack on your website. I can stop the attack for $300 USD. Let me know if you are interested in my offer.
Simultaneously, the attack began.
Meetup.com didn’t manage to crawl out from under the attack until Friday morning, and even then it took “many hours” for its defensive system changes to be distributed across the internet, it said. That kind of lag is usual when a site is moved behind new defences: a new address only takes effect as cached DNS records around the internet expire, so some users keep hitting the old, still-besieged one for hours.
Before some users had even managed to see Meetup.com lift its head up to gulp a breath of air, it was down again, as another wave of DDoS sent it back under on Saturday afternoon.
The site re-emerged, for the most part, by midnight on Saturday.
The third and most recent attack hit Meetup.com on Sunday evening, and the company’s since spent the past few days shoring up the site and its apps.
Meetup’s feeling pretty good about its efforts to ward off the attacks, but there’s no saying what the future holds, Heiferman said in his posting:
While we’re confident that we’re taking all the necessary steps to protect against the threat, it’s possible that we’ll face outages in the days ahead.
All this, over a measly $300?
It wouldn’t matter if the extortionists wanted $3,000,000 or $3 or three fingernail clippings: Meetup is saying stick it, we’re not paying.
The company’s rationale:
1. We made a decision not to negotiate with criminals.
2. The extortion dollar amount suggests this to be the work of amateurs, but the attack is sophisticated. We believe this lowball amount is a trick to see if we are the kind of target who would pay. We believe if we pay, the criminals would simply demand much more.
3. Payment could make us (and all well-meaning organizations like us) a target for further extortion demands as word spreads in the criminal world.
4. We are confident we can protect Meetup from this aggressive attack, even if it will take time.
This is an attack on everyone who believes that people are powerful together. We live in a world where criminals can make extortion threats against an organization like ours and temporarily frustrate millions of people.
But we also live in a world where organizers start new Meetup Groups, members show up, people start talking, and communities form. Our platform is built around a simple idea — that if Meetup helps people to find the others, we will all be more powerful and will create the kind of world we want to live in together.
It may sound like pro-Meetup marketing touchy-feely squishiness, but cynicism be damned: he’s right.
Cyber-extortionists are going after succinct Twitter handles, hospitals, and even Miss Teen USA.
They might think they’re too clever to be tracked down, but they’d be wrong.
They can just go ask the two Polish online gaming programmers who were recently arrested and jailed for 5 years for the DDoSing and cyber-extortion of an online casino.
Good luck to Meetup.com’s beleaguered engineering crew. We hope you continue to succeed in fending these guys off, and that somebody in law enforcement manages to track them down.
8 comments on “Meetup.com DDoSed by extortionist, refuses to pay ransom”
My girlfriend, a meetup group organizer, got an email from the CEO informing her about the DDoS and assuring her that her credit card details were safe (organizers of meetup groups pay 12 US$ for 6 months to meetup; they are free to decide if they charge their members or not, and how much and how).
She was asking me what a DDoS was and why the remark about the card details.
I have not seen the email; I might update this post with it (or if somebody already has it at hand, they can do so as well).
Ah, if it were only $12 for 6 months – it’s $72 for 6 months! But I wish the Meetup team well, and hope this gets sorted out quickly.
It might depend on the group size, country, objectives or other factors… I presumed it would be the same worldwide, but maybe not. Group created in Netherlands, one year ago, 12 US$ for 6 months, renewed after 6 months, same price, that I know (my assumption that this was general, maybe wrong then).
This is not related to the theme of this topic, but maybe it will (has) uncover(ed) not so clear sales strategies :))
P.S.: trying to be a little imaginative (maybe related to reality, maybe not…), online company shows only prices at the moment of purchase of the service, so customers do not know what other customers pay. Due to an attack, customers start to know what others pay and can compare, and from here… what?
As the organizer of a MeetUp.com group, it’s admittedly been a rollercoaster ride trying to keep the group’s get-togethers running smoothly without the site’s tools, but I’m happy to see MeetUp.com will not pay extortionists. No good that way lies…
Last November, you published a useful primer on “How to store your users’ passwords safely” (http://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/). How about a primer on “How to defend your site against DDoS attacks”? Services like Prolexic are pricey, and some other services are at least a little sketchy. I realize different strategies are appropriate for different kinds of site and hosting arrangement, but an overview of the options would be welcome.
It’s great to see MeetUp refusing to be intimidated by these criminals – who are, in essence, thugs.
They should pay. Tell ’em it’s in an envelope marked extortionist at FBI headquarters.
They use CloudFlare? I guess they’re safe now?