Online thugs assault security help sites

The good guys are taking a hit in the ongoing online war between the thugs who profit from phishing and malware, and those who work to stop them.

For two weeks, Web sites such as CastleCops.com, which offers help to those hit by malware and actively works to shut down malicious Web sites, have been under attack. In what's known as a DDoS (distributed denial of service), black hats are flooding CastleCops with a barrage of garbage data in an attempt to overwhelm the site and knock it offline.

"It's the folks who are out there in the trenches getting hit," says Paul Laudanski, who founded CastleCops five and a half years ago

Attack spreads

When the attack on CastleCops.com began on Aug. 29, Laudanski says, the site went down for a few hours as he scrambled to apply countermeasures. His site came back up, but the attack soon spread to other helpful sites such as 419eater.com, fraudwatchers.org, scam.com, scamfraudalert.com, and scamwarners.com. Most of these sites are currently unresponsive.

When the hosting provider for another site, aa491.org, dropped the site because the attack became too much for the provider, CastleCops gave aa419.org a home. CastleCops went down again under the combined attack, but is back up again.

The sites are all being hit by botnets, corralled networks of malware-infected computers that can be issued commands by a central controller, or botherder. Botnets are most often used to send money-making spam, but they can also launch DoS attacks where each infected PC sends a steady stream of traffic at a victim site. CastleCops is shouldering the brunt of 20,000 bots as of today, and more than 1,000 additional bots join the fray each day.

Mystery motive

Laundanski says he and others who work at these sites, many of which are not-for-profit, are still unsure about the attack's rationale. And he's likewise uncertain about whether it's one group or many behind it all. He's been able to gather some details, but doesn't want to share them while the threat continues and let his attackers know what he's been able to find out.

But Paul Sop, CTO of Prolexic, a company that defends clients against DDoS attacks, says "the prevailing street theory is that these guys are having an effect." Their advice is helping malware or phishing victims, and their investigations are helping to shut down criminal operations.
"So the botnet guys are targeting them," he says.

Security sites, including CastleCops, have been targeted in the past, but attacks are on the rise, Sop says. In the past five months, he says, there has been an increased focus on attacking organizations on the front lines who try to fight back against the crooks.

Strengthened resolve

But according to Laudanski, who has started a new online forum documenting the ongoing battles, the attacks may backfire.

"The criminals are in it for the money," he says. "It's a huge business for them. [But] we're in it for the feeling that we get being on the side of right."

So this assault shows that "these sites are definitely doing something right," he says, "because we've got the attention of these scammers. It gives us greater resolve."

PC World is an InfoWorld affiliate.