“We’re too small to be a target.”
“Nobody wants what we have.”
“Nobody cares about our systems.”
“There isn’t enough money in our bank account for anyone to want.”
These are all phrases that clients of mine have uttered during meetings on the topic of information security. But even if you think you have nothing anyone would want, I ask you to think again. In February 2014, hackers targeted the popular website Meetup.com. Ranked the 356th most popular website in the world (and 117th most popular website in the U.S.) at the time of the attacks, it was taken offline for over a week. “So what,” you may ask. “Meetup is a huge website! We’re nowhere near that popular.” The initial conclusion that you’re safe because you’re smaller than Meetup makes sense, until you consider that Meetup was targeted for extortion, for the princely sum of $300.00.
No, I did not misplace a decimal point. As explained on Meetup.com’s blog by Meetup Co-Founder and CEO, Scott Heiferman:
On Thursday morning, I received this email:
Date: Thu, Feb 27, 2014 at 10:26 AM
Subject: DDoS attack, warning
A competitor asked me to perform a DDoS attack on your website. I can stop the attack for $300 USD. Let me know if you are interested in my offer.
Simultaneously, the attack began, our servers were overwhelmed with traffic, and our services went down.
From this email, we conclude that the hackers invested less than $300 in this attack, or they would have demanded more to hold off their DDoS (Distributed Denial of Service) attack. This kind of attack, which used to be something only the most sophisticated (and/or wealthy) hackers could pull off, has now been commoditized to the point that it can be had for less than $300. Between this and the extortion fees demanded by the operators of the Cryptolocker malware, it should be quite clear that you do not need to be a high-profile website to be the target of extortion on the Internet. Is your Internet presence important to your business? Have you taken steps to protect yourself from attacks that are becoming more and more common every day? If not, contact your preferred IT security vendor for a free consultation on what steps you can take to protect your business.