Basecamp Faces DDoS Extortion Attempt

No Data Compromised in Cybercriminal Attack Jeffrey Roman (gen_sec) • March 25, 2014

The website of Basecamp, which offers a project management tool, was hit with a distributed-denial-of-service attack early on March 24 in what the company describes as an extortion attempt by cybercriminals.

Basecamp founder and CTO David Heinemeier Hansson wrote a blog describing the incident. "The attackers tried to extort us for money to make it stop," Hansson says. "We refused to give in and worked with our network providers to mitigate the attack the best we could."

The attack lasted for about two hours and then suddenly stopped, Hansson says. No data was compromised in the attack.

"We've been in contact with multiple other victims of the same [cybercriminal] group, and unfortunately the pattern in those cases were one of on/off attacks. While things are currently back to normal for almost everyone, there's no guarantee that the attack will not resume," Hansson wrote on March 24.

Hansson says the company is collaborating with other victims and law enforcement. "These criminals are sophisticated and well-armed," Hansson says.

In a similar incident earlier this month, social networking site Meetup faced ongoing DDoS attacks and received a notification the attacks would continue unless it paid a $300 fee (see: DDoS Extortion Targets Social Network).

Tackling a Growing Problem

Both attacks highlight a growing trend of extortion tied to DDoS, says Rodney Joffe, a senior vice president at DDoS protection provider Neustar.

"[These attacks] seem to be [from] a new group of people because they generally haven't been very effective," Joffe says. "They've been relatively easy to mitigate. It's just a matter of time until they get to a point where they are [effective]."

Joffe says he hasn't heard of companies that have actually paid the extortionists to stop the DDoS attacks. "The larger companies are being very cautious to make sure they defend against these things," he says. "It's not yet reached the point where companies have been forced to actually roll over for the extortion."

Dan Holden, a director at Arbor Networks, a DDoS mitigation company, says extortion has been a part of the DDoS threat landscape for quite some time, becoming a global concern for online businesses. "Because these targets generally make their core revenue via their Web presence, there is a greater likelihood of the extortion attempt working," he says.

Still, companies of all sizes need to boost their defenses and ensure they're aware of the possibility that extortion via DDoS can impact them, Joffe explains.

"Companies are much better prepared than they used to be because [DDoS] is much more public," he says. "As part of their preparedness, when they look at their disaster recovery, [companies] more and more have this as an item on their list."

But companies need to continue enhancing their incident response programs. "Expect the fact that this is going to happen [to you]," Joffe says. "It's going to become more widespread as more groups start doing it. They're all going to go through the learning cycle. They all start small and become effective over time."

Preparing for a DDoS attack "should be much the same as other aspects of security in that what you are defending must be taken into consideration - and of course what the loss would be if things were to go down," says Holden of Arbor Networks. "Based on the answers to these questions, you can prepare a response process with a combination of internal resources and technology and external cloud or ISP services."