Attacks/Breaches
3/19/2013
10:05 AM
Connect Directly
RSS
E-Mail
50%
50%

Anonymous DDoS Attack Report Bogus, Spamhaus Says

Anti-spam service says Russian malware gang launched attack, claims Anonymous accusation was the work of a man listed in its spammer directory.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Anti-spam service Spamhaus Tuesday dismissed reports that its site was targeted by the hacktivist collective Anonymous.

The Anonymous attack campaign was first reported by Softpedia, which said the attackers had declared the Spamhaus Project to be "an offshore criminal network of tax circumventing self-declared Internet terrorists pretending to be 'spam' fighters."

But in a statement published Tuesday titled "Softpedia publish false story of Spamhaus," Spamhaus claimed that the "Softpedia news site was today conned by a spammer into publishing a false article" about the distributed denial of service (DDoS) attack.

"The DDoS attack carried out against the Spamhaus website over the weekend was carried out by a Russian criminal malware gang and NOT by Anonymous," it said. According to Spamhaus, the reporter behind the Softpedia story, Eduard Kovacs, "was conned by a spammer named Andrew Jacob Stephens (listed in Spamhaus ROKSO) who simply posted a fake 'Anonymous Operation' to Pastebin." Contacted by email later Tuesday, Kovacs replied that "I have updated the article to clarify the source of the attack."

ROKSO refers to Spamhaus' Register Of Known Spam Operations database, which lists what it says are the world's top 100 spammers, who collectively account for 80% of all spam. That list includes Stephens, aka "Mail Mascot," and describes him as being a "spamware, spam service and spam list seller" listed as operating from both Florida and Cincinnati. Spamhaus has also published a picture of Stephens, posing with an unnamed woman, and accused him of selling spamware, harvested lists that are falsely labeled as only containing users who opted in, as well as bulletproof hosting services.

[ Want to know about the latest Anonymous investigation? See Anonymous Investigators Probe Reuters Reporter, Sabu. ]

The Spamhaus Project was founded in 1998 by Steve Linford, and is based in Geneva, Switzerland, as well as London, and run by about three dozen investigators and forensic specialists. Numerous service providers, as well as governments and military networks, use Spamhaus' real-time spam-blocking databases (DNSBLs) to help them cut down on spam.

The Pastebin post uploaded Monday and cited by Softpedia had announced the launch of "Operation Stophaus -- Stop Spamhaus" and referenced a website devoted to the "Stophaus movement," which Spamhaus said is run by Stevens.

"Spamhaus has recently blackmailed several multinational carriers into disconnecting clients, breaching their own contracts, without any legal procedure whatsoever, and pretty much everyone on the internet so-far has feared spamhaus too much to report them to the authorities, wether (sic) they have a legal department to do so or not," claimed the Pastebin post. Interestingly, the word "Anonymous" wasn't mentioned in the post, although it did close with a variation on the group's tagline, saying: "We are legion / We never forget / Spamhaus should have expected us."

Spamhaus did, however, alert users Sunday night that it was being targeted as part of a large DDoS attack. The attack appeared to be targeting the service's composite blocking list (CBL) website, which includes the CBL and exploits block list (XBL) of machines that appear to be infected by malware.

"Late last night I, and a number of other folks, received mail from Spamhaus informing us of a major denial of service attack against their servers. The attack is so bad that the website and main mailserver is currently offline," said Laura Tessmer Atkins of anti-spam consultancy Word to the Wise, in a blog posted Monday. "Spamhaus is working to bring the mailserver and website back up, and are hoping to have it up later today."

A Spamhaus media contact didn't immediately respond Tuesday to an emailed request for comment about whether the service was still suffering a DDoS attack. But late Monday, some Spamhaus users were reporting that the affected services appeared to once again be working.

The DDoS attack wasn't the first time that Spamhaus had been targeted by organizations that it blocked or apparently angered.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.