What Other Major Websites Can Learn from Moonfruit’s DDoS Attack

Philip Bates 17-12-2015

Moonfruit is just the latest in a long list of online giants hit by hackers determined to gain leverage and blackmail the website builder The Best Website Builders to Create a Clean Online Portfolio Which free website builder is best for your portfolio? Here are the best website builders you can pick from! Read More .


The hackers threatened to take away the main propose of Moonfruit: a Distributed Denial of Service (DDoS) What Is a DDoS Attack? [MakeUseOf Explains] The term DDoS whistles past whenever cyber-activism rears up its head en-masse. These kind of attacks make international headlines because of multiple reasons. The issues that jumpstart those DDoS attacks are often controversial or highly... Read More attack that would take its customers’ Internet pages offline.

Some Moonfruit users complained about how the company reacted to the threat – but we were actually impressed. In fact, other sites could learn a lot from how they handled the situation.

What Happened?

On Thursday 10th December, sites powered by Moonfruit briefly went down. The following day, they issued a statement to customers revealing that the company had experienced a DDoS attack, a 45-minute teaser of what was to come if ransom demands weren’t met.


The hackers responsible call themselves the Armada Collective, an organisation that the Swiss Government actually warned its citizens about only last month. Their demand was a large sum of money, transferred by Bitcoin. The group points out:

“Bitcoin is anonymous, nobody will ever know you cooperated.”

If the initial ransom wasn’t paid, a further DDoS attack, flooding their servers with connection requests in order to bring down a wealth of sites, would occur on Monday 14th December, presumably with the demands increasing each day, just as previous blackmail messages have stated.

Moonfruit’s statement, however, rebutted:

“Having investigated the group it is very clear that even if we were to pay them (something we would never consider) the attacks would not cease. In fact, whenever anyone has given in and paid them, the attacks get worse and the demands increase.”

The Armada Collective naturally won’t give up that easily, and indeed, Moonfruit sites have been acting slowly with investigations ongoing, but how the website-building company dealt with the threat was admirable.


What Did Moonfruit Do?


They took down all sites for 12 hours, and alerted their users.

We can only presume the message sent by the Collective was similar to their past threats, so Moonfruit’s drawing attention to the blackmailers flies in the face of this:

“If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.”

That’s not unusual, though: many past victims, mostly email hosting sites like Runbox, Hushmail, and ProtonMail, announced the attack.


Nonetheless, Moonfruit emailed their users as soon as possible – despite claims that they were slow to communicate the problem. Acknowledging the problem publically is only half the battle. What they actually did to combat the attack is important.

Taking down all sites hosted by Moonfruit for half a day was a drastic move, but we should balk at the suggestion that they temporarily defeated themselves. It was the smartest move that could be made.

During that time, Moonfruit carried out “significant infrastructure changes,” asking its paying customers to make configuration alterations. It’s in the best interests of users that they didn’t simply cave in to the extortionists. Ron Symons, regional director at DDoS mitigation company, A10 Networks, explained:

“More worryingly, DDoS attacks frequently act as smokescreens hiding more invasive attacks as hackers exploit unguarded system backdoors to steal sensitive data.”

This could include Personally Identifiable Information (PII) and payment details, both of which can fetch a fair price on the Dark Web Here's How Much Your Identity Could Be Worth on the Dark Web It's uncomfortable to think of yourself as a commodity, but all of your personal details, from name and address to bank account details, are worth something to online criminals. How much are you worth? Read More . It’s a sentiment echoed in the most recent update from Moonfruit.


Admittedly, with Christmas just around the corner, this is a terrible time for any downtime and customers certainly have a right to be disgruntled, but that’s exactly why the Armada Collective has targeted Moonfruit right now. As they point out, they can only control how they responded, not the timing.

What We Can Learn From This


First and most importantly, no site should give in to ransom demands. Moonfruit is right when asserting that paying up would simply mean an increase in attacks.

Most companies publically revealed as subject to DDoS attacks have similar claims: office-suite business, Zoho, and email clients like Neomailbox and VFEmail all refuse to pay up. But earlier this year, ProtonMail admitted to paying in the region of $6000 after being blackmailed by the Collective, gloomily announcing:

“[W]e were placed under a lot of pressure by third parties to just pay the ransom, which we grudgingly agreed to do at 3:30PM Geneva time…We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless.”

In fact, they not just persisted over the next few hours, but in the following days too, leading the company to add:

“This was a collective decision taken by all impacted companies, and while we disagree with it, we nevertheless respected it taking into the consideration the hundreds of thousands of Swiss Francs in damages suffered by other companies caught up in the attack against us… This was clearly a wrong decision so let us be clear to all future attackers – ProtonMail will NEVER pay another ransom.”

Moonfruit, too, was open with their customers, something many companies refuse to do, supposedly fearing damage to their reputations. Indeed, sometimes their silence is a good thing Why Companies Keeping Breaches a Secret Could be a Good Thing With so much information online, we all worry about potential security breaches. But these breaches could be kept secret in the USA in order to protect you. It sounds crazy, so what's going on? Read More , but Moonfruit actually helped their reputation.

Users appreciate honesty, certainly when downtime was self-imposed to protect intimate data. And that’s the key: putting your customers first. In the email sent out to users on 16th December, Moonfruit reassures:

“Huge DDoS attacks, such as the one we were subjected to, often mask more dangerous forms of attack that could put you at greater risk. The consequences of trying to ride out these attacks, without taking the type of decisive actions we have, can be incredibly serious, sometimes resulting in weeks of downtime. We truly believe the decisions we’ve made over the past few days have been in your best interest.”

Taking the initiative and doing exactly what the extortionists would do seems counter-intuitive, but if it means they can fully investigate and prevent a potential upcoming attack, this can only be a good thing. Moonfruit won’t be going through an easy time, but can rest assured they’re doing the right thing.

What Next?

Of course, Moonfruit isn’t perfect. As Alexandra Yount notes:

“[T]his is somewhat poor planning. DDoS protection is often bought in the middle of a crisis instead of during a time that infrastructure changes are less critical to clientele. Had this been taken care of prior to now, it could have just been a matter of asking their provider to increase their protection…”

It’s important not to blame Moonfruit, however. It’s not their fault; it’s the Armada Collective’s, whoever they may be. We don’t know if this is one group or numerous hijacking the already-bad reputation of the hackers What Is The Difference Between A Good Hacker & A Bad Hacker? [Opinion] Every now and then, we hear something in the news about hackers taking down sites, exploit a multitude of programs, or threatening to wiggle their way into high-security areas where they shouldn't belong. But, if... Read More to make a quick buck.

As of 16th December, progress is slow and normal service has not entirely been resumed. In most cases, sites should load, but users can’t edit them at all.

Were you affected by the downtime? Will you use Moonfruit, knowing they stood up to a DDoS attack or are you considering elsewhere? What other lessons can be learnt?

Image Credits: Hacker Rene by Ivan David Gomez Arce.

Related topics: DDoS, Online Security.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Jose
    December 18, 2015 at 6:31 am

    This statement made me mad:
    It’s important not to blame Moonfruit, however. It’s not their fault; it’s the Armada Collective’s, whoever they may be. We don’t know if this is one group or numerous hijacking the already-bad reputation of the hackers to make a quick buck.

    There will always be bad actors and people who will try to steal your data or take you down. There are more than capable anti-DDoS solutions, particularly in the cloud with the appropriate specialists that can EASILY block such attacks. It is every company's responsibility to ensure customer's data is safe and accessible, why should DDoS be an exemption??

  2. Anonymous
    December 17, 2015 at 4:30 pm

    "...the main propose of Moonfruit:"

    You asked Moonfruit to marry you? LOL. **purpose**