Wednesday, November 4, 2015

Teenage script kiddies "Armada Collective" expose the problems with Privacy, Security, and openness.

So at VFEmail we've received this nice bit of extortion from some script kiddies:

Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on spam100.vfemail.net
X-Spam-Level: 
X-Spam-Status: No, score=0.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
 DKIM_VALID_AU,FROM_LOCAL_NOVOWEL,T_RP_MATCHES_RCVD,URIBL_BLOCKED
 autolearn=disabled version=3.3.2
Delivered-To: havokmon.com-rick@havokmon.com
Received: (qmail 28848 invoked by uid 89); 4 Nov 2015 01:02:28 -0000
Delivered-To: vfemail.net-postmaster@vfemail.net
Received: (qmail 28846 invoked by uid 89); 4 Nov 2015 01:02:28 -0000
Delivered-To: vfemail.net-admin@vfemail.net
Received: (qmail 28844 invoked by uid 89); 4 Nov 2015 01:02:28 -0000
Received: by simscan 1.4.0 ppid: 28791, pid: 28819, t: 1.0843s
         scanners: clamav: 0.95.2/m:51/d:9604
Received: from unknown (HELO mail.bitmessage.ch) (bmE=@172.16.100.34)
  by mx3.vfemail.net with SMTP; 4 Nov 2015 01:02:27 -0000
Received: from mail.bitmessage.ch ([146.228.112.252] helo=mail.bitmessage.ch)
 by assp102.vfemail.net with SMTPS(TLSv1_2 DHE-RSA-AES256-GCM-SHA384) (2.4.1); 3 Nov 2015 19:02:25 -0600
dkim-signature: v=1; a=rsa-sha256; d=bitmessage.ch; s=mail;
 c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
 bh=UjLFuJr9ZzE0RQuG7BJAwaVuMh0Nk6D70JnTVkYpBLo=;
 b=llMH7yYVuMqMr48O2/L9TU5QWYyNsKyHCIu6gLvj7u+PQ7HUY/9LhRIl/kLAADDT8B1hsSTTaA4qll5zwKWcNfzG/8uM08OH4bNgJQzVYbwT3VdU3TiJBB3+vcdeYKmHhUF+67175LkMWNVh+WC3FE3D/yv6CXCrqNkeRuQ7+NI=
Received: from www.bitmessage.ch (BITMESSAGE [127.0.0.1])
 by mail.bitmessage.ch with ESMTPA
 ; Wed, 4 Nov 2015 02:02:19 +0100
X-Squirrel-UserHash:
 BiRDVQY6MhhgXHsMACNYHlcqAGh+dGV2KlBbCgcKHW9Efl5HfCkMDhEDFl1DWVZQagoG
X-Squirrel-FromHash: cV1fVAcLRU8=
Message-ID: <7ca346ad05d1c5851004beb98d913125.squirrel@www.bitmessage.ch>
Date: Tue, 3 Nov 2015 17:02:19 -0800
Subject: Ransom request: DDOS ATTACK!
From: "Armada Collective" 
To: admin@vfemail.net
User-Agent: SquirrelMail/1.4.22
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Assp-ID: assp102.vfemail.net m1-98947-08027
X-Assp-Session: 8C5D5AD8 (mail 1)
X-Assp-Envelope-From: BM-2cTA6PdJ9DJ6y2DsFNLTCn95mbdnAtFor8@bitmessage.ch
X-Assp-Intended-For: admin@vfemail.net
X-Assp-Version: 2.4.1(14200) on assp102.vfemail.net
X-Assp-Client-TLS: yes
X-Assp-Message-Score: -10 (SSL-TLS-connection-OK)
X-Assp-IP-Score: -10 (SSL-TLS-connection-OK)
X-Assp-Delay: not delayed (auto accepted); 3 Nov 2015 19:02:27 -0600
X-Original-Authentication-Results: assp102.vfemail.net; dkim=pass spf=pass
X-Assp-Message-Score: -10 (SPF pass)
X-Assp-IP-Score: -10 (SPF pass)
X-Assp-Message-Score: 10 (Foreign Country CH (GREEN.CH AG))
X-Assp-Message-Score: 20 (Regex:BombRe 'PB 20: for cheap'  bombRe: 'cheap')
X-Assp-IP-Score: 20 (Regex:BombRe 'PB 20: for cheap'  bombRe: 'cheap')
X-Assp-Spam-Level: ***
X-Assp-DKIM: verified-OK

We are Armada Collective.

All your servers will be DDoS-ed starting Friday if you don't pay 5
Bitcoins @ 1C71QxTfzVVBJnkRg2cJpFXLALwDkfvNTz within 24 hours

When we say all, we mean all - users will not be able to access their
email at all.

Right now we will start 15 minutes attack on one of your IPs
(96.30.253.182). It will not be hard, we will not crash it at the moment
to try to minimize eventual damage, which we want to avoid at this moment.
It's just to prove that this is not a hoax. Check your logs!

If you don't pay by Friday , attack will start, price to stop will
increase to 410 BTC and will go up 5 BTC for every day of attack.
In addition, we will go publicly on social networks and recommend your
users to switch to more secure providers like Tutanota and ProtonMail.

If you report this to media and try to get some free publicity by using
our name, instead of paying, attack will start permanently and will last
for a long time.

This is not a joke.

Our attacks are extremely powerful - sometimes over 1 Tbps per second. So,
no cheap protection will help.

Prevent it all with just 5 BTC @ 1C71QxTfzVVBJnkRg2cJpFXLALwDkfvNTz

Do not reply, we will not read. Pay and we will know its you. AND YOU WILL
NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know you cooperated.
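
The headers above are worth reading closely, because they show why a well-run filter let this message through: SPF and DKIM both verified, the connection used TLS, and the message was auto-accepted with a modest ASSP score. As an added example that is not VFEmail's or ASSP's code, the Python below parses an abbreviated copy of the message (constructed from the headers and body quoted above, with the stripped From address left out), walks the Received chain back to the originating webmail host, reads the authentication results, sums the per-test ASSP scores, and flags the content indicators a defender would actually key on: a Bitcoin-address shape plus ransom vocabulary. The keyword list, the Bitcoin regex and the two-keyword threshold are my own choices, not anything the post or ASSP prescribes.

```python
"""Triage of a DDoS-extortion e-mail's headers and body.

Added example, not VFEmail's code or ASSP's. It parses an abbreviated copy of the
message quoted in the post (constructed sample below) and shows why SPF/DKIM and
the spam score did not stop it: the mail was technically legitimate, and only
content indicators (a Bitcoin address plus ransom vocabulary) flag it.
"""
import re
from email import message_from_string
from email.message import Message

# Constructed sample: abbreviated from the headers and body quoted in the post.
SAMPLE = """\
Received: from unknown (HELO mail.bitmessage.ch) (bmE=@172.16.100.34)
  by mx3.vfemail.net with SMTP; 4 Nov 2015 01:02:27 -0000
Received: from mail.bitmessage.ch ([146.228.112.252] helo=mail.bitmessage.ch)
 by assp102.vfemail.net with SMTPS(TLSv1_2 DHE-RSA-AES256-GCM-SHA384) (2.4.1); 3 Nov 2015 19:02:25 -0600
Received: from www.bitmessage.ch (BITMESSAGE [127.0.0.1])
 by mail.bitmessage.ch with ESMTPA
 ; Wed, 4 Nov 2015 02:02:19 +0100
Subject: Ransom request: DDOS ATTACK!
From: "Armada Collective"
To: admin@vfemail.net
X-Assp-Envelope-From: BM-2cTA6PdJ9DJ6y2DsFNLTCn95mbdnAtFor8@bitmessage.ch
X-Original-Authentication-Results: assp102.vfemail.net; dkim=pass spf=pass
X-Assp-Message-Score: -10 (SSL-TLS-connection-OK)
X-Assp-Message-Score: -10 (SPF pass)
X-Assp-Message-Score: 10 (Foreign Country CH (GREEN.CH AG))
X-Assp-Message-Score: 20 (Regex:BombRe 'PB 20: for cheap'  bombRe: 'cheap')
X-Assp-Spam-Level: ***

We are Armada Collective.

All your servers will be DDoS-ed starting Friday if you don't pay 5
Bitcoins @ 1C71QxTfzVVBJnkRg2cJpFXLALwDkfvNTz within 24 hours
"""

# Base58 shape of a legacy Bitcoin address (P2PKH/P2SH); a shape check, not a checksum.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# My own keyword list (assumption), matched case-insensitively in subject and body.
RANSOM_WORDS = ("ddos", "bitcoin", "pay", "attack", "ransom")
# "from <host> ... by <host>" inside a (possibly folded) Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def received_hops(msg: Message) -> list:
    """(from, by) pairs from each Received header, newest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def auth_results(msg: Message) -> dict:
    """Turn 'host; dkim=pass spf=pass' into {'dkim': 'pass', 'spf': 'pass'}."""
    value = msg.get("X-Original-Authentication-Results", "")
    return dict(re.findall(r"(\w+)=(\w+)", value.split(";", 1)[-1]))


def assp_total(msg: Message) -> int:
    """Sum the per-test X-Assp-Message-Score headers (positive = more spammy)."""
    total = 0
    for value in msg.get_all("X-Assp-Message-Score", []):
        m = re.match(r"\s*(-?\d+)", value)
        if m:
            total += int(m.group(1))
    return total


def extortion_indicators(msg: Message) -> dict:
    """Content indicators: Bitcoin addresses and ransom vocabulary in subject + body."""
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    lowered = text.lower()
    return {
        "bitcoin_addresses": BTC_RE.findall(text),
        "keywords": [w for w in RANSOM_WORDS if w in lowered],
    }


def triage(raw: str) -> dict:
    """Full triage record; 'extortion' is true on an address plus two or more keywords."""
    msg = message_from_string(raw)
    ind = extortion_indicators(msg)
    return {
        "hops": received_hops(msg),
        "auth": auth_results(msg),
        "assp_score": assp_total(msg),
        "indicators": ind,
        "extortion": bool(ind["bitcoin_addresses"]) and len(ind["keywords"]) >= 2,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The point the output makes: every transport-level check passes (the sender really did use bitmessage.ch, whose SPF and DKIM are valid), so the only thing that separates this message from ordinary mail is its content, and that is where a rule, or a human, has to look.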

So if you can't reach VFEmail - this is why. Who are these little daisies? It makes you wonder. They tried to extort banks in Taiwan last month.

Are they out for themselves, or working for Tutanota (who?) or Protonmail (I can't connect, maybe they're being DDoSed)? Why would they think we'd believe that they're honest enough to only perform illegal acts once or twice? These can't be adults - maybe Nigerian scammers? Though Tor and Bitmessage are a bit more advanced than the Nigerian scammers I've had to shut off.

Unfortunately this is the cost of privacy and security.  This is why the EU wants to ban 'strong encryption'.  Is your Gmail Calendar still down?  Who's running the botnet that is hampering your workday?
How do we infiltrate, and where do we begin?

Are you prepared to accept these costs?  The costs of downtime?  The costs of being 'disconnected'?
Personally,  I don't mind - I can live without this stuff for days.  But I've accepted responsibility for ensuring my users can get their mail - and frankly this is just out of my hands.

Much like main street, the Internet Tubes are filled with small businesses. We can make laws in one country to help secure end-user systems (which are the likely source), but that doesn't cover other countries, including non-first-world countries where people are lucky to be online at all.

Who can see this bandwidth? Who can stop this?  I once had an argument with a nice German fellow - they have very strict privacy laws - about what the ISP can block.  You can't block anything in the EU.  In the US we're fighting for open access, and for good reason - but we still have to be responsible netizens. I think the ISP should have the flexibility to block potentially harmful traffic - whether it be email spam, fraud, or denial of service attacks.

This is the threat to the Internet as we know it: these DDoS extortionists. Not only do they threaten the existence of your favorite online service, they threaten the Internet as a whole. End users will want access. Business will want reparations. How can these guys be caught? Weak-encryption laws like those recently suggested in the EU. Bandwidth throttling. ISP service proxying and filtering. We REALLY don't want these, but unless the black and grey hats put a stop to the worst offenders, we'll all suffer.

Any thoughts?  I'd love to hear them.  What's really bad is that they're not just affecting VFEmail and our silly little 10Mb line - I'm a local guy who supports a local ISP, not some global conglomerate buying from a Tier 1 provider with thousands of peers.  So when they attack, they're affecting a LOT of customers. Here's to hoping the Milwaukee FBI is a customer.

9 comments:

Jostein Johnsen said...

Hilarious. They have prevented me from accessing my notes in my drafts folder. And they've earned a bit of swearing, that they didn't even get to enjoy in person. But yes, of course, don't pay.

Matt said...

I just got this error message when going to the vfemail website:

Your connection is not private

Attackers might be trying to steal your information from vfemail.net (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
Automatically report details of possible security incidents to Google. Privacy policy
ReloadHide advanced
vfemail.net normally uses encryption to protect your information. When Chrome tried to connect to vfemail.net this time, the website sent back unusual and incorrect credentials. Either an attacker is trying to pretend to be vfemail.net, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chrome stopped the connection before any data was exchanged.

You cannot visit vfemail.net right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.
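
Matt's paste shows the two things that combined into a hard failure: whatever answered for vfemail.net during the attack presented a certificate that did not cover that name, and the browser had a remembered HSTS policy for the host, which under RFC 6797 turns a bypassable warning into a block. As an added example (not Chrome's code, and not part of Matt's comment or the post), the Python below models that decision: it parses a Strict-Transport-Security header, checks whether a cached policy still covers a host, does RFC 6125-style name matching against the certificate's names, and returns the verdict. The certificate names, policies and ages are constructed for illustration, and the example goes a little beyond the paste by also handling includeSubDomains, an expired policy and max-age=0.

```python
"""Model of the browser decision behind NET::ERR_CERT_COMMON_NAME_INVALID under HSTS.

Added example; not Chrome's, VFEmail's or the commenter's code. Certificate
names, policies and ages used below are constructed for illustration.
"""


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797).

    Returns a policy dict, or None when the header is invalid (no usable max-age).
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def hsts_covers(policy_host, policy, host, age_seconds):
    """True if the policy that `policy_host` set `age_seconds` ago still applies to `host`.

    max-age=0, or a policy older than its max-age, means the browser has forgotten the host.
    """
    if policy is None or age_seconds >= policy["max_age"]:
        return False
    host, policy_host = host.lower(), policy_host.lower()
    if host == policy_host:
        return True
    return policy["include_subdomains"] and host.endswith("." + policy_host)


def cert_matches_host(host, cert_names):
    """RFC 6125-style identity check: exact match, or '*.' covering exactly one label."""
    host = host.lower()
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        # A wildcard matches a single left-most label only: '*.a.b' covers 'x.a.b',
        # but neither 'a.b' nor 'y.x.a.b'.
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def connection_verdict(host, cert_names, hsts_host=None, hsts_header=None, age_seconds=0):
    """'ok' when the certificate covers the host; otherwise 'blocked_hsts' if a
    remembered HSTS policy still covers it (no click-through), else 'warn_bypassable'."""
    if cert_matches_host(host, cert_names):
        return "ok"
    policy = parse_hsts(hsts_header) if hsts_header else None
    if hsts_host and hsts_covers(hsts_host, policy, host, age_seconds):
        return "blocked_hsts"
    return "warn_bypassable"


if __name__ == "__main__":
    # Constructed scenario: vfemail.net once sent HSTS for a year with includeSubDomains;
    # a day later the host answers with a certificate issued for an unrelated name.
    print(connection_verdict("vfemail.net", ["other.example.net"],
                             "vfemail.net", "max-age=31536000; includeSubDomains", 86400))
```

The design point for a site operator: HSTS is doing exactly what it should here (a user who clicks through a name mismatch is the victim an interceptor wants), so any fallback or mitigation endpoint you bring up during an attack has to present a certificate that is valid for the real hostname, or users see a dead end rather than a warning.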

Rick said...

So from a post on EMD Favorites your ISP--which advertises DDoS protection--is just leaving you high and dry. With that wonderful news, what options are there to getting back online?

Blogger said...

Over at Take Free Bitcoin you may claim faucet satoshis. 8 to 22 satoshis every 5 mins.

Blogger said...

I'm using AVG protection for a couple of years now, and I recommend this antivirus to everybody.

Blogger said...

From my experience the ultimate Bitcoin exchange company is YoBit.

Blogger said...

BlueHost is ultimately one of the best hosting provider for any hosting services you might require.

Blogger said...

Ever considered maximizing your free BTC claims with a BTC FAUCET ROTATOR?

Blogger said...

Smart crypto multicurrency mining application & 1-click graphic miner.

Mine effectively with your computer or smartphone. Download MINERGATE.