How a Hacker Wiped our Business off Facebook

’Twas Charles Caleb Colton who said, “Imitation is the sincerest form of flattery”. Can’t argue with that…especially if your name is Elton John or Michael Jackson. In our industry, the only time you’ll come across the circumstance denoted below is either when a competitor feels so vulnerably threatened by you that he’s ready to set the low bar to record-breaking lows, or if the mastermind behind it is just pure evil. Either way, it may not be imitation, but we’re still flattered to have been targeted by a hacker with such perseverance to obliterate AppDrag.

On January 20th, 2019, a hacker initiated, over the course of two hours, 2 000 000 attack attempts on AppDrag using IP addresses, VPNs, and proxies originating from Canada, the USA, and the Dominican Republic. These attacks included SQL injections, DDoS attacks, and testing common vulnerabilities found on WordPress, Drupal, Joomla, as well as other well known CMS. Not a single one of them even made a dent to our surface.

“DDoS, SQL injections, common vulnerabilities, the hacker tried everything!”

Flustered with deception and fueled by sheer grit and determination, the hacker hacked away at us using a brilliant and unheard of sabotage method we’re calling social brand destruction. This began with a script injection into the platform, creating fake accounts and projects. Oh, and did it succeed. He managed to create 200 bogus accounts that each created and published one project, pushing, in bare minutes, an additional 200 websites to the world wide web. What kind of websites did he allow himself to produce? You guessed it, the kind filled with repulsive content in sexual, vulgar, and racist nature. Since these were all free accounts, the websites’ URLs contained the appdrag.com subdomain name, therefore associating the content of these sites to our brand. A pristine brand we invested years in building, growing, and maintaining.

“We were desperate when we realised our domain could be blocked forever on Facebook, without any chance of retrieval.”

But because tarnishing our name along with adding more pollution to an already-polluted internet wasn’t enough for him, he went ahead and posted all of those sites on Facebook, the world’s largest social media platform, where 1.5 billion active users log on every day. The latter thought, of course, that AppDrag was a cesspool of filth, consequentially and logically barring the URL from their platform. This ban meant that all posts, comments, likes, and private conversations containing appdrag.com, since the inception of our company, was eradicated. Furthermore, any new post or comment containing the URL instantly vanished. Facebook basically wiped AppDrag’s history clean off its records. I mean, with such websites, who wouldn’t, right?

We approached Facebook, detailed to them the chain of events, and advised them about the security reinforcement measures put in place, for example, the email validation of all new users, the 2FA (2-Factor Authentication) forced upon each login, and the blacklisting of over 550 temporary email service providers. We reassured them that all is safe and that the 200 new users have been deleted and banned, resulting, ergo, in all their projects being removed along with them. Facebook heeded our call and, upon verifying and landing on our 404 page when visiting said websites, lifted the ban and returned our dignity back.

Kudos to them for having handled the matter in under 24 hours!

“These new kind of attacks are so damaging and places any blooming business in immediate danger.”

Now, although these next quotes’ origins are uncertain, they so appropriately describe our situation that they just can’t be ignored. As such, we shan’t cry over spilled milk, and since all of our Facebook efforts are all but water under the bridge, let’s grab this bull by the horns and climb the ranks. At the end of this tempestuous day, this roller-coaster ride shed upon us some light on a new perspective to security that we instantly implemented. So, silver linings, I guess.

Honestly, this hacker’s incredible willpower and originality must be recognized, as his plan was pretty darn clever. And as so beautifully sung by the marvelous Kelly Clarkson, though attributed to Friedlich Nietzsche, what doesn’t kill you makes you stronger.