, SecurityFocus 2006-05-17
Israeli anti-spam startup Blue Security decided on Tuesday to shutter its aggressive anti-spam service, citing threats of further--and more malicious--attacks on its service and users.
The company's service, Blue Frog, enabled nearly a half million users to automatically opt-out of unsolicited bulk e-mail messages, or spam, by each sending a single message back to the advertiser. Collectively, the automated opt-out messages inundated the clients of spammers forcing six of the top-10 bulk e-mail groups to agree to use the company's filtering software to cleanse their mass-mailing lists of any Blue Frog users, according to the firm.
However, one spammer decided to attack back instead. Starting May 1, the spammers--who Blue Security identified as PharmaMaster--attacked the company's Web site and spammed Blue Frog users with even more mass mailings. The attacks not only disrupted Blue Security's operations but knocked out the Web blog hosting service Six Apart and a handful of Internet service providers, including Tucows.
While the company had started recovering from the initial attacks, the spammer promised more to come, said one company source. Those threats and the collateral damage led the firm to decide to shutdown its service.
"We cannot take the responsibility for an ever-escalating cyberwar through our continued operations," Eran Reshef, CEO and founder of Blue Security, said in an e-mail to SecurityFocus. "As we cannot build the Blue Security business on the foundation we originally envisioned, we are discontinuing all of our anti-spam activities and are exploring other, non spam-related avenues for our technological developments."
The closure marks a sudden end to a controversial service and highlights the importance of spam as a source of cash for the underground Internet economy. In December 2005, spam e-mail message accounted for half of all e-mail sent, according to security firm Symantec. (SecurityFocus is owned by Symantec.) While spammers cost companies an estimated $20 billion, they only netted roughly $20 million to $30 million in profits in 2003, according to estimates by analyst firm Ferris Research.
The attacks also underscore the power that criminals can still wield on the Internet, especially through large networks of compromised computers known as bot nets. Bots have become the tool of choice for many online criminals to extort money from legitimate companies by threatening a hard-to-stop denial-of-service (DoS) attack; other criminals use the controller software to install adware on the compromised PCs to earn affiliate fees from the advertising networks.
The success of the attacks also reveals that, despite e-commerce companies' assertions that the Internet has become safe for business, the worldwide network has progressed merely from the Wild West to the equivalent of the 1920s mob-controlled urban centers, said Peter Swire, a law professor at Ohio State University and a member of the advisory board of Blue Security. To fight the online gangs of the Digital Age will take concerted efforts on behalf the U.S. government and other countries, he said.
"This attack was from an organized crime ring on the Internet," Swire said. "The rising amount of extortion on the Internet is a symptom of under-enforcement. It takes concentrated effort to break up any mob, and legitimate companies are at risk of extortion attacks unless enforcement and other cybersecurity measures improve."