On January 20th, 2019, over the course of two hours a hacker initiated 2 million attack attempts on AppDrag using VPNs and proxies originating from Canada, the USA, and the Dominican Republic. The attacks included SQL injections, DDoS attacks and testing common vulnerabilities found on WordPress, Drupal, Joomla and other CMS.

“DDoS, SQL injections, common vulnerabilities, the hacker tried everything!”

With its industry-leading security profile, it came as no surprise to us that none of the attempts were successful. Not a single one of them even made a dent in our surface. Completely defeated but still determined to create vindictive damage, the hacker turned to a whole new tactic: social brand destruction. If they couldn’t damage our impenetrable private infrastructure, they would try something radical: to destroy our public image and, in the process, get us wiped of Facebook!

“Destroy our public image…get us wiped off Facebook!”

The attacker used AppDrag legitimately to publish 200 offensive websites. As the URLs contained the appdrag.com subdomain name, the offensive content of these sites was associated with our brand. A pristine brand we invested years in building, growing and maintaining. And this is where the hacker’s tactic was deviously clever…they then posted all the offensive sites on Facebook causing Facebook to immediately ban the URL. Instantaneously, all posts, comments, likes and private conversations containing appdrag.com were eradicated from Facebook. Any new post or comment containing the URL instantly vanished. We were essentially wiped off Facebook!

“A matter for the authorities”

Why would someone do this? A discontented former employee? No, there aren’t any! A competitor feeling threatened because AppDrag has been raising the bar so significantly? No, not that either. The finger of suspicion points to something completely different…but that’s a matter for the authorities, sadly not for this blog.

“Facebook’s reaction was superb”

We approached Facebook and detailed the chain of events to them. We explained our advanced security infrastructure to Facebook, including a number of new measures we have introduced to prevent this type of attack in the future. We blacklisted over 550 temporary email service providers. We deleted the websites created by the hacker and banned their user profile (not that we expect they’ll be trying to reuse it!). Another important security measure we have added, now all apps created on appdrag have a temporary url on .appdrag.site instead of .appdrag.com, this completely prevent the same kind of attack in the future. Facebook’s reaction was superb. Instead of a painstaking multi-week rehabilitation process, they restored AppDrag to Facebook in under 24 hours. Serious kudos.

“Lesson learnt”

We’ve a begrudging admiration for the hacker’s cleverness and the novelty of their approach. But what doesn’t kill you makes you stronger. If there was one chink in our armour, it was the fact that the legitimate use of AppDrag to publish great websites was too easy. Make no mistake, it’s still easy, really easy, but just not in a way that would allow a repeat attack. Lesson learnt.