A recent DDoS “scam” has been circulating the internet, targeting online businesses. A group sends emails to businesses threatening to take down their services via a DDoS (Distributed Denial of Service) attack on their website. The email demands payment from the business in bitcoins in order to “protect” the business from attack. Should the business not comply, the ransom for calling off the attack goes up in price and keeps increasing every day thereafter.
Many businesses have paid up, some as much as 23,000 USD.
However, this DDoS crime ring has never even launched a single attack.
The emails appear to be scare tactics for a threat that doesn’t even exist, and apparently they were convincing enough that the group has claimed almost $100,000 in two months. The scheme was reported on CloudFlare’s blog; CloudFlare is a company that helps protect businesses from such attacks.
CloudFlare first noticed that the group had dubbed themselves the “Armada Collective”, which is the name of an old DDoS attack group. However, it seems that the name has simply been appropriated, as the senders are likely not the Armada Collective.
They then noticed that the group reused the same Bitcoin address in all the emails, meaning they could have no way of knowing who had paid…and who had not. Also, CloudFlare could find no instance where the group had actually launched an attack on one of the businesses threatened.
Given that the attackers can’t tell who has paid the extortion fee and who has not, it is perhaps not surprising to learn that they appear to treat all victims the same: attacking none of them. To date, we’ve not seen a single attack launched against a threatened organization. This is in spite of nearly all of the threatened organizations we’re aware of not paying the extortion fee. We’ve compared notes with fellow DDoS mitigation vendors and none of them have seen any attacks launched since March against organizations that have received Armada Collective threats.
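The reused-address observation above translates directly into a triage check a defender can run over a batch of extortion emails. The following Python helper is an added example, not code from the original post or from CloudFlare: it pulls legacy Bitcoin addresses out of each message, verifies their Base58Check checksum, and flags any address that appears in threats sent to more than one target (the sender could not tell which target paid). The sample emails and recipient addresses are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Base58 alphabet used by Bitcoin addresses (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy address shape: starts with 1 or 3, 26-35 Base58 characters in total.
BTC_RE = re.compile(r"\b[13][" + ALPHABET + r"]{25,34}\b")

# Constructed sample extortion emails (recipient, body); recipients are hypothetical.
SAMPLE_EMAILS = [
    ("ops@shop-a.example", "We are Armada Collective. Pay 20 Bitcoin to "
     "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or your site goes down. Google us."),
    ("ops@shop-b.example", "We are Armada Collective. Pay 20 Bitcoin to "
     "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa before Friday or the price doubles."),
    ("ops@shop-c.example", "Send 20 Bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb "
     "or expect 1 Tbps of traffic."),
]

def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 match the double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in ALPHABET:
            return False
        n = n * 58 + ALPHABET.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # leading '1' characters become leading zero bytes
    except OverflowError:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum

def triage(emails):
    """Group threats by payment address. A shared address means the sender cannot
    tell which target paid; a bad checksum means the address cannot be paid at all."""
    recipients_by_addr = defaultdict(set)
    for recipient, body in emails:
        for addr in BTC_RE.findall(body):
            recipients_by_addr[addr].add(recipient)
    return {
        addr: {
            "recipients": sorted(recips),
            "valid_checksum": base58check_valid(addr),
            "shared_across_targets": len(recips) > 1,
        }
        for addr, recips in recipients_by_addr.items()
    }
```

Call `triage(SAMPLE_EMAILS)` to get one entry per address; the genesis-block address used in the first two samples is reported as shared, and the third sample's address (one character altered) fails the checksum.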
One example of the email appears as follows:
Unfortunately, despite the easily spotted ruse, many businesses fell for the scam and paid up. Apparently the emails instructed the businesses to Google “Armada Collective”, and since the original Armada Collective actually did partake in some very serious DDoS attacks, a hasty search might well inspire fear in a small online business owner who didn’t know the group’s history. The original Armada Collective was busted and went silent in November of 2015.
The email was also very reminiscent of the original email sent by the real Armada Collective back in 2015. A small business owner Googling Armada Collective now might find some very convincing evidence that this might be a real threat.
If you’re a small business or online business owner, you might want to bookmark CloudFlare’s blog and other security blogs such as Ars Technica in order to stay on top of the news whenever these threats come out. You could save yourself some trouble, and learn how to suss out these scams in the first place.