Meetup.com fights off hackers, refuses to pay $300 ransom
TORONTO (Reuters) - Social networking website Meetup.com is fighting a sustained battle against cyber-criminals who are demanding $300 to call off an attack that has kept the site offline for much of the past four days.
The site, which enables strangers to meet for shared-interest activities ranging from parents' groups to software development, was back online but still under attack late on Monday afternoon, Meetup CEO Scott Heiferman told Reuters.
Meetup has refused to pay the small ransom as it believes doing so would make the perpetrators of the attacks demand more money.
"It's a cat and mouse game," Heiferman said, adding he was not yet sure how long it would take to keep the site reliably online.
A Meetup blog had earlier said the company was a victim of a distributed denial of service (DDoS) campaign, a type of attack that knocks websites offline by overwhelming them with incoming traffic. It said that no personal data, including credit card information, had been accessed.
Heiferman said he was open to the possibility of some financial relief for members who pay between $12 and $17 a month to organize Meetup groups in their geographic and thematic areas of interest. He said his first priority was to resume the service of creating communities wholly via an Internet connection.
"we're going to come out of this much stronger. And I don't mean that as just a trite euphemism, I mean it literally. Like, we are going to be much more secure," he said.
The Federal Bureau of Investigation has been investigating the attack since late last week when the assumed criminal group first offered to withhold it if Meetup paid $300.
The attack was the first in the site's 12-year history, and Heiferman defended the move not to pay the paltry ransom.
"We made a decision not to negotiate with criminals," he said in the post. "Payment could make us (and all well-meaning organizations like us) a target for further extortion demands as word spread in the criminal world."
Meetup has almost 17 million members and, when online, was signing up between 15,000 and 20,000 people every day.
The site represents a soft target for online criminals, who often attempt to extort companies in return for calling off DDoS attacks, said Kevin Johnson, chief executive of cybersecurity consultancy Secure Ideas.
"It's very common for this sort of attack to start off with a small demand," Johnson said. "It's not like Meetup can write a check for a million dollars."
Heiferman's blog post said the site should be able to protect itself over time, even though it has struggled to stay online since the attacks began on Thursday morning. He said Meetup spent millions of dollars a year to secure its systems.
The Meetup site and related mobile apps have been intermittently unavailable since Thursday.
The privately-held, New York-based site counts Twitter co-founder Ev Williams and Fred Wilson's Union Square Ventures among its investors and has raised more than $18 million in external funds.
(Reporting by Alastair Sharp; editing by Andrew Hay)