FloridaTrend.com, the Website for Florida Business

Attack of the zombies and other cyber-battles

Attack of the Zombies
[Photo: iStock]

Last August, most likely in a forgettable dwelling in a nondescript burg in a former Soviet republic, a young man sat down to his computer in the late afternoon to wreak a little mayhem.

We can only guess, but he might have learned his computer skills at a university; he might be a self-taught teen. Collaborating with fellow hackers in Kazakhstan, Belarus, Peru and the United Arab Emirates, he began typing in code, marshalling an army of personal computers all over the globe that the hackers had infected with viruses. Unknown to the owners of those computers, their machines had become zombies serving in a hacker-controlled squadron called a botnet.

The viruses enable the hacker to command the entire botnet to send a torrent of data — multiple hits on a web page or e-mails, for example — in order to overload a targeted website and knock out its web server or e-mail network. Such attacks are called DDoS — distributed denial of service.

With his forces in place, the hacker entered a final command, and the assault began.

The bull’s-eye last August was SpaFinder, a $60-million revenue company based in New York that sells gift certificates to 20,000 spas around the world.

The SpaFinder attack was two-pronged: The first was a Layer 4 attack, which essentially attempted to overwhelm SpaFinder with more electronic knocks on the door than it could possibly answer. In brick-and-mortar terms, it’s like a mob descending on a store, making nonsensical requests that tie up the clerks while real customers are stuck outside. Once, it took some real tech savvy to mount such an attack. Now there are downloadable “DDoS in a box” kits online.

The second attack was a more sophisticated Layer 7, meant to go deep into SpaFinder’s website and ask for files or make requests that tie up lots of computing power and space.

The DDoS hacker’s motive is unknown — he may only have been seeking bragging rights for taking down a company’s site. Some DDoS hackers have a grudge. A few use the DDoS attack as a smokescreen to sneak deeper into the site to steal customer passwords, money or credit card data. Some DDoS attacks come with ransom demands to lift the attack, though payoffs are rare.

Famously, the self-styled activist group Anonymous uses DDoS — even inviting people to join and providing how-to help — for its agenda. In June 2011, Anonymous launched DDoS attacks on a privately owned Orlando visitors guide website, Mayor Buddy Dyer’s re-election campaign site and other Orlando organizations over a dispute about feeding the homeless in a park.

Pete Ellis
SpaFinder CEO Pete Ellis
The first at SpaFinder to sense something amiss was CEO Pete Ellis. At 7 a.m., he happened to check his site and couldn’t get access. Within an hour, Ellis’ staff told him the SpaFinder website was besieged. Ellis told himself, “We’re not the kind of company someone would go after.” But he came to realize that “it doesn’t matter how big you are. It just matters that someone out there can get brownie points by showing they can take down a site.”

With his web-hosting service unable to provide a fix quickly enough, Ellis recalled another business that had been attacked a few weeks before. He called for advice and was directed to south Florida-based Prolexic, the world’s largest company solely dedicated to defending DDoS attacks, and one of a cluster of Florida companies carving a niche in cyber-security.

Prolexic’s clients include 10 of the world’s largest banks along with other businesses and groups that hire the firm on an annual basis. The company, which doesn’t disclose its fees, also accepts emergency business; after the distress call from SpaFinder, Prolexic engineers went to work.

In a windowless room at the company’s special operations center in Hollywood, the engineers sit at rows of tables, scanning web traffic. Each scrutinizes five monitors, looking for anomalies in eyestrain-inducing lines of data and graphs. “To you and me, it looks like lines,” says Prolexic’s president, Stuart Scholly, but the engineers “know what the signatures look like, the different types of attacks, the order in which attacks are launched.”

The engineers, some of whom work four, 10-hour shifts per week, are a mixed bunch. Most are men with college degrees, though a few ended their formal education with a high school diploma and real-world computer skills. Many have worked for major telecom companies, software developers and other IT businesses. “You’ve got just brilliant people here,” says Prolexic CEO Scott Hammack. “They’re expensive people. But then our revenue per employee is very high as well.”

The first step in restoring SpaFinder’s website was figuratively to throw a switch and route all the traffic hitting SpaFinder’s site to Prolexic. DDoS attacks typically depend on volume; throw 60 gigabits per second of traffic at a company that’s set up to handle 1 gigabit and down goes its website. Rare, large-scale attacks can top 200 gigabits per second; Prolexic’s network can handle 500 gigabits per second.

The engineers blunted the SpaFinder blitz, essentially by absorbing it and spreading it across Prolexic data centers around the world and filtering malicious traffic.

As they sifted out the chaff, Prolexic engineers began letting legitimate traffic flow through to SpaFinder’s site. Some operations were back up the first day, and everything worked within 24 hours, Ellis says. “If it had come in the fourth quarter, I would have been killed,” says Ellis.

Florida Trend exclusive:
Internet security in Florida

On Tuesday, June 12 we had a live chat on internet security in Florida. Hosting was South Florida Editor Mike Vogel and AppRiver Senior Security Analyst Fred Touchette. Read the transcript of the chat here.

Stay tuned to upcoming chats by checking back to

Prolexic executives say targets usually don’t reflect any discernible pattern. Wellness firms like SpaFinder got targeted in 2011, Scholly says. A couple years ago, cosmetics companies got hit. “Couple years before that, it was chocolates.”

Executives at several Florida security firms say businesses should worry less about DDoS attacks and more about other issues such as viruses and malware with their potential for data breach and theft. But DDoS is a growing problem, particularly for e-commerce companies. Gartner Research has seen DDoS attacks in the past two years become more targeted, powerful and frequent, says Gartner security analyst John Pescatore.

There’s certainly no shortage of hackers willing to try. On an ongoing basis, Prolexic tracks more than 4,000 botnet controllers — that is, the servers they use — and has more than 10 million bots in its database. At its “scrubbing” centers, Prolexic quickly cuts off traffic from those bots to its clients’ sites. If the controller of an attack changes the identifiable characteristics of his attacking bots, or changes the type of attack, Prolexic adjusts to the new tactics.

“It can be pretty slick. It becomes ‘us versus them.’ We’ve had to do things where we change the signatures 20, 30, 40 times in an hour,” says the company’s director of security operations, who prefers not to be named for security reasons. “It’s definitely exciting. You name it; we’ve been through it. And then we worry about stuff we might not have been through.”

These days, “us versus them” has become a 24-hour proposition, with the company handling as many as 80 attacks in a day. As one shift of engineers punches out, another takes their seats.

“It’s becoming each day a bigger and bigger problem out there,” Hammack says. “From a timing standpoint, we’re at the right place at the right time.”


» Facebook: Spammers and distributors of malware love it. They provide false information about a free offer or inviting image — a girl in a bikini — to lure users to click on the link and get infected. Sometimes the malware posts the same image or information on the infected person’s “wall,” luring friends into making the same mistake.

Sources of attacks on Facebook

» “You have to see this” — 36%
» New Facebook app — 19%
» Celebrity or current event — 18%
» Free stuff — 26%

Source: Commtouch.com, Internet Threats Trend report, January 2012

» Leading Origins of Spam

1. U.S.
2. India
3. Russia
4. Brazil
5. South Korea
6. Vietnam
7. Indonesia
8. Ukraine
9. Romania
10. Pakistan

Source: AppRiver Threat and Spamscape Report

» Dark Motives

The discovery that a virus called Stuxnet had been used to sabotage the operation of centrifuges in an Iranian uranium-enrichment facility meant that “malware can be and is being used for far more nefarious purposes other than stealing bank accounts. Cyber warfare has officially arrived.”

Spammers used the Japanese earthquake, Bin-Laden’s death and the fall of Gaddafi to attempt to distribute spam e-mails, malware or viruses with enticements for users to click on links to “exclusive video” or (faked) news stories.

— AppRiver Threat and Spamscape Report

Help Wanted

“They can’t hire enough people,” says Eric Ackerman, interim dean at Nova Southeastern University’s Graduate School of Computer and Information Sciences in Davie. “The salaries are fantastic in this area.” Nova carries the National Security Agency and Department of Homeland Security’s imprimatur as a National Center of Academic Excellence in Information Assurance Education. Two other Florida institutions, Florida Tech in Melbourne and Florida State University, hold the same center of excellence designation in research.

“There’s a human capital crisis in cyber-security,” says Richard Ford, director of the Harris Institute for Assured Information at Florida Tech in Melbourne. “That means if you’re good at cyber-security, you can get a job anywhere and you can earn whatever you want.”

“Most of the people end up being hired almost immediately into federal jobs,” Ackerman says.

Underground Economy

For $2,000, the maliciously inclined can buy a malware known as BlackHole that tricks people into going to websites where their computers become infected. In the underground economy, a list of 30,000 e-mails can be had for $5, a compromised PayPal account goes for $50 to $500 and, for just $10, someone can buy a person’s identity, complete with credit card number, date of birth, Social Security number and so on, says Fred Touchette, senior security analyst at AppRiver, a Gulf Breeze security company. Touchette, who has followed BlackHole’s evolution, writes an illuminating guide to trends in nefarious online doings. BlackHole users have success at first, but over time internet defenders figure out the identifiable characteristics of malicious software and e-mails and filter them out. BlackHole users, however, can get new signatures once they’ve been discovered. Turns out, the $2,000 purchase includes a year of tech support.