DDoS Attacks on FX Brokers Spike; Cyprus heavily targeted
The Attackers Disrupt the Operation of Platforms and Demand Ransom
Though Most Solutions are Inefficient, There are Some Ways to Protect Your Business
A recent article, Cloudflare's "DDoS attack trends for 2022 Q2", revealed that attacks on Cypriot targets increased by 167% quarter over quarter and, as an even more interesting statistic, that Cyprus was the #2 most attacked country in the world during the same period. To some, these figures may seem shocking or even worrying, but there is an explanation for them.
Let's start with a fact worth mentioning: DDoS attacks (Distributed Denial of Service) are not new to Cyprus. Such attacks were already around when I took my first steps in the industry 15 years ago (and certainly before that). At the same time, they are continuously on the rise, appear more frequently, and last longer, probably because the country is a key part of the financial industry, and the Forex industry in particular is a magnet for cyber-attacks of all kinds.
A DDoS attack aims to disrupt the normal operation of a website, web application, or web service by flooding it with unwanted traffic, typically originating from a botnet (thousands of infected computers and other devices). It can bring down complete infrastructures. The goal is always to make the target's service unavailable, and the resulting disruption causes extensive harm to an organization: reputation damage, loss of revenue, and loss of customers.
Forex Brokers are among the most attractive targets for attackers. Not only does their business depend almost solely on the availability of their customer portals, but their end customers are very demanding and sensitive when it comes to the availability of those portals, and do not tolerate disruptive events well. Furthermore, Forex Brokers are known to be wealthy organizations, so it makes perfect sense for an attacker to focus on them.
At the same time, Forex Brokers usually operate across multiple markets, with clients from different parts of the world. Brokers with a wider international reach also face a larger attack surface: the wider their reach, the broader their brand awareness, and the more attention they attract.
A third reason why Forex Brokers are typically more vulnerable to DDoS attacks (and to cyberattacks in general) than other financial institutions is their rapid growth and short go-to-market time, a combination that most of the time leaves gaps in their overall cybersecurity strategy, something that requires a lot of time to mature and develop.
Recently, DDoS attacks have started arriving with an accompanying email demanding cryptocurrency in exchange for stopping the attack (DDoS extortion attacks). This makes DDoS a new way for criminal networks to make money while hiding behind the hard-to-trace paths of crypto payments, and gives DDoS overall a new dynamic. For those carrying it out, it has become a business with good returns and no longer just an achievement for fame.
Now back to Cyprus and DDoS. The country is an island with much less bandwidth available (internet connectivity) compared to mainland countries. Less available bandwidth means it is easier to fill up the sea cable arriving in the country with malicious traffic, which makes DDoS a huge challenge not only for the companies being attacked but for the whole backbone of the country's internet service providers. As a matter of fact, a DDoS attack on a company located in Cyprus can bring down a whole ISP network, because once that cable is 100% full, everyone behind it suffers.
This is one of the reasons companies that rely on true 100% uptime of their services move some of their critical services to data centers located on the EU mainland. But what about the services that need to be located within the country? What about company offices relying on the internet? What about Government services and critical infrastructure providers? They all remain vulnerable.
The patterns did not change throughout 2022, and it seems a new wave of attacks started in Q1 2023. Specifically, over the last couple of weeks we have noticed DDoS attacks targeting our customers increasing in number while becoming shorter in duration, without any accompanying emails demanding funds to stop them. This makes us believe we are probably looking at a preflight check by attackers trying to find vulnerable targets before launching a full-scale attack.
How can anyone get prepared and protected? DDoS attacks can only be prevented by DDoS protection solutions in combination with DDoS protection providers, yet most of these solutions are ineffective, mainly for two reasons:
- Attack traffic reaches the destination before it gets detected. Most DDoS protection solutions use local equipment that analyzes traffic and applies various heuristics to determine when an attack starts. If the solution doesn't detect the attack in time, it may be too late, and the attack can still bring the target infrastructure down. An effective DDoS protection strategy needs the attack to be stopped before it enters the target infrastructure.
- DDoS protection solutions often do not work. There are companies paying tens of thousands of euros per month, yet when they get attacked, they go down. We see this happening with on-demand solutions (meaning the protection is on standby waiting to kick in, not always ON) due to BGP convergence times, or simply because ISPs do not honor the AS path policy. In non-technical words, such solutions rely on third parties and assume that all of those third parties are "compliant".
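To make the first point concrete, here is an added simulation (not code from the article or from any vendor's product): a generic moving-baseline rate detector, of the kind local equipment uses, watches a constructed per-second traffic trace on an assumed 10 Gbps uplink, and we compare the second at which it declares an attack with the second at which the uplink itself is already full.

```python
"""Constructed illustration: local rate-based DDoS detection vs. uplink saturation.
The uplink capacity, the traffic trace and the detector thresholds are all assumed
values chosen for the example, not measurements from a real network."""
from statistics import mean, pstdev

LINK_CAPACITY_MBPS = 10_000  # assumed capacity of the island's uplink (10 Gbps)


def detect_attack(samples_mbps, baseline_window=30, sigma=3.0, min_hits=3):
    """Return the second (list index) at which a local heuristic detector declares
    an attack, or None. The baseline is the previous `baseline_window` seconds;
    the detector fires after `min_hits` consecutive samples exceed
    mean + sigma * stdev of that baseline. This is a generic heuristic, not any
    particular vendor's algorithm."""
    hits = 0
    for i in range(baseline_window, len(samples_mbps)):
        window = samples_mbps[i - baseline_window:i]
        threshold = mean(window) + sigma * pstdev(window)
        if samples_mbps[i] > threshold:
            hits += 1
            if hits >= min_hits:
                return i
        else:
            hits = 0
    return None


def first_saturation(samples_mbps, capacity=LINK_CAPACITY_MBPS):
    """Return the first second at which offered traffic exceeds the uplink capacity,
    i.e. the moment everyone behind the cable starts to suffer, or None."""
    for i, value in enumerate(samples_mbps):
        if value > capacity:
            return i
    return None


def constructed_trace():
    """60 s of normal traffic (about 800-860 Mbps) followed by a volumetric flood
    that grows by 5 Gbps every second. Constructed for the example."""
    normal = [800 + (i % 7) * 10 for i in range(60)]
    flood = [800 + 5000 * k for k in range(1, 11)]
    return normal + flood


if __name__ == "__main__":
    trace = constructed_trace()
    print("uplink saturated at second", first_saturation(trace))
    print("local detector fired at second", detect_attack(trace))
```

In this trace the uplink is full one second before the detector has seen enough samples to fire, which is exactly the gap the first bullet describes: a local detector can only react after the traffic has already arrived, so stopping the attack before it reaches the island is what keeps the link usable.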
DDoS protection is expensive, especially if someone needs to protect infrastructure. The biggest headache shifts to the ISPs, since an attack on any of their customers immediately means stability problems for their whole backbone network. As mitigation, some ISPs have implemented traffic steering techniques (routing traffic through other locations) to force traffic to come through mainland scrubbing centers (DDoS protection providers), and some simply blackhole the target IP addresses, which in simple words means "let's put the target business temporarily offline to avoid the risk of the whole ISP network going down with it."
At Matworks, we have carefully considered the various options for DDoS attack protection and have determined that the modern approach of blocking attacks at the source is the most effective solution for countries like Cyprus with limited connectivity. That’s why we have strategically partnered with Cloudflare, utilizing their Magic Transit technology to protect infrastructures, combined with their L7 DDoS and WAF protection. This comprehensive solution is both efficient and reliable, providing companies with the peace of mind they need to focus on their business operations.
We understand that budget constraints can be a challenge for many companies seeking effective DDoS protection. That’s why we have developed a flexible model that can accommodate businesses of any size. Whether you’re a small startup or a large corporation, we can tailor a solution to meet your specific needs. Simply reach out to us for more details and we’ll be happy to assist you.