3/19/2013 10:05 AM

Anonymous DDoS Attack Report Bogus, Spamhaus Says

Anti-spam service says Russian malware gang launched attack, claims Anonymous accusation was the work of a man listed in its spammer directory.

Anti-spam service Spamhaus Tuesday dismissed reports that its site was targeted by the hacktivist collective Anonymous.

The Anonymous attack campaign was first reported by Softpedia, which said the attackers had declared the Spamhaus Project to be "an offshore criminal network of tax circumventing self-declared Internet terrorists pretending to be 'spam' fighters."

But in a statement published Tuesday titled "Softpedia publish false story of Spamhaus," Spamhaus claimed that the "Softpedia news site was today conned by a spammer into publishing a false article" about the distributed denial of service (DDoS) attack.

"The DDoS attack carried out against the Spamhaus website over the weekend was carried out by a Russian criminal malware gang and NOT by Anonymous," it said. According to Spamhaus, the reporter behind the Softpedia story, Eduard Kovacs, "was conned by a spammer named Andrew Jacob Stephens (listed in Spamhaus ROKSO) who simply posted a fake 'Anonymous Operation' to Pastebin." Contacted by email later Tuesday, Kovacs replied that "I have updated the article to clarify the source of the attack."

ROKSO refers to Spamhaus' Register Of Known Spam Operations database, which lists what it says are the world's top 100 spammers, who collectively account for 80% of all spam. That list includes Stephens, aka "Mail Mascot," and describes him as a "spamware, spam service and spam list seller" operating from both Florida and Cincinnati. Spamhaus has also published a picture of Stephens, posing with an unnamed woman, and accused him of selling spamware, bulletproof hosting services, and harvested address lists that are falsely labeled as containing only users who opted in.


The Spamhaus Project was founded in 1998 by Steve Linford, and is based in Geneva, Switzerland, as well as London, and run by about three dozen investigators and forensic specialists. Numerous service providers, as well as governments and military networks, use Spamhaus' real-time spam-blocking databases (DNSBLs) to help them cut down on spam.

The Pastebin post uploaded Monday and cited by Softpedia had announced the launch of "Operation Stophaus -- Stop Spamhaus" and referenced a website devoted to the "Stophaus movement," which Spamhaus said is run by Stephens.

"Spamhaus has recently blackmailed several multinational carriers into disconnecting clients, breaching their own contracts, without any legal procedure whatsoever, and pretty much everyone on the internet so-far has feared spamhaus too much to report them to the authorities, wether (sic) they have a legal department to do so or not," claimed the Pastebin post. Interestingly, the word "Anonymous" wasn't mentioned in the post, although it did close with a variation on the group's tagline, saying: "We are legion / We never forget / Spamhaus should have expected us."

Spamhaus did, however, alert users Sunday night that it was being targeted by a large DDoS attack. The attack appeared to be aimed at the service's composite blocking list (CBL) website; the CBL and the exploits block list (XBL) are Spamhaus' lists of machines that appear to be infected by malware.

"Late last night I, and a number of other folks, received mail from Spamhaus informing us of a major denial of service attack against their servers. The attack is so bad that the website and main mailserver is currently offline," said Laura Tessmer Atkins of anti-spam consultancy Word to the Wise, in a blog posted Monday. "Spamhaus is working to bring the mailserver and website back up, and are hoping to have it up later today."

A Spamhaus media contact didn't immediately respond Tuesday to an emailed request for comment about whether the service was still suffering a DDoS attack. But late Monday, some Spamhaus users were reporting that the affected services appeared to once again be working.

The DDoS attack wasn't the first time that Spamhaus had been targeted by organizations that it blocked or apparently angered.
