In about two hours, if threats are carried out, email marketing service Mad Mimi will be hit with another distributed denial-of-service (DDoS) attack similar to what it endured yesterday, which made its service unavailable for a period of time. The attacker then demanded 1.8 bitcoin as ransom to prevent another assault.
Mad Mimi declined to pay the sum, and so, at some time around 6 p.m. PDT, the bad kids should be back on the block. The company published a short blog post concerning the situation, including screenshots of an email from a person claiming to be the perpetrator.
I spoke to Mad Mimi’s co-founder and also its chief of culture about the first attack, their ensuing defensive measures, and how they viewed the very small dollar demand.
1.8 bitcoin is worth less than $1,000, making it a very odd request, especially following an attack that Mad Mimi called “sophisticated,” involving millions of requests from around the world. The company decided that if it paid the sum, there was nothing to stop the request from being repeated. Prove that you will pay up, and you are inviting the bad actor to redouble their assault, the next time with a larger fee. In the view of Mad Mimi’s executives, if they paid the sum, even if it ended their troubles, it would help set a bad precedent: This Works So Go Forth And Do More Harm.
So the small sum may have been employed to merely suss out whether the firm was willing to cough up big cash later.
The demand for bitcoin is itself interesting, given that the cryptocurrency does afford users some anonymity. Perhaps we’ll see more nefarious types demanding bitcoin, which is exchangeable for dollars, given that advantage.
Ironically, or sadly if you want, over the past day since the assault, Mad Mimi has spent far more than the value of 1.8 bitcoin to up its defenses, working with several security consultants, CloudFlare and others to make it far harder in the future to attack it in the same way. Those new ramparts may be tested shortly. Mad Mimi estimated that it has spent around $12,000, if not slightly more, to up its defense game.
Mad Mimi, which sells email tools to small businesses, is not the first company in recent times to be attacked, and then extorted, in this manner. Meetup and Bitly have suffered similar assaults. Meetup’s attacker wanted $300. Again, that was likely only the first request of a string of demands.
I asked the company if it intended to release a guide after the dust settles to help others protect themselves. They do.