Exclusive: Inside FXStreet's DDoS Attack

Is there a more distressing moment for content website executives than realizing they are under attack from a Distributed Denial of Service (DDoS) onslaught? Screens abruptly turn blank, analytics experience unnatural spikes, and the leadership is thrust into crisis management mode. Last month, one of the most well-known FX market websites, FXStreet, found itself caught in this very predicament.

The team was generous and open enough to share their story, shedding light on the decision-making process in such a sensitive situation and offering valuable tips to our readers.

The cyberattack on FXStreet on May 4 came at one of the worst possible moments, with the team gearing up to cover a top event for the month: the European Central Bank monetary policy decision. Although the DDoS attack wasn't a stranger to its IT team, attackers initially managed to bring the website down almost entirely.

But what is a DDoS attack? And why are financial services firms often become the target of such attacks?

Sensitive Case: DDoS in the Financial Space

DDoS attacks seek to interrupt the regular functioning of a website, web application, or web service through the utilization of unwanted traffic that often originates from a botnet consisting of numerous infected computers and devices.

These attacks have the potential to cripple entire infrastructures, with the objective of rendering the target's service inaccessible, resulting in significant harm to an organization. This harm can manifest in various ways, such as tarnishing its reputation, reducing revenue, and losing customers.

Financial services firms, including retail brokers and more recently crypto exchanges, are something of a hot target. Dealing with funds and investments in real-time, where outages can be especially damaging for clients, makes them especially attractive.

Brokers, or for that matter their service providers, compete in a saturated market where every reputational damage can have a long-lasting effect. This too may cause them to be all the more susceptible to succumbing to cybercrime threats.

In our years of coverage, we have also seen hackers act out of sheer revenge, turning out to be disgruntled or plainly defrauded past clients.

DDoS Attack on FXStreet

Back to the FXStreet headquarters in Barcelona: on May 4th, as analysts and other teams were getting ready for the start of the European session, FXStreet’s servers saw a surge of incoming requests equivalent to 120 times the normal traffic.

The site’s error rate increased sharply, meaning that much of the content of the website was suddenly unavailable for the audience, mainly traders who rely on FXStreet for their investment decisions.

The attack came along with a direct message on Twitter: "We’ve identified your site’s vulnerability (...) I can keep your site closed for months off." The anonymous sender asked for $5,000 to be paid to its Tether wallet to immediately to cease the attack.

Initial Response

"Paying the ransom was never an option," said Alain López, the Chief Technology Officer at FXStreet. It wasn’t the first time that López and his team had faced such a situation. The IT team quickly activated the mitigation plan against the attack, which is based on gradually increasing server instances to alleviate the strain on the system. After suffering the worst of the attack at around 08:15 am CET, FXStreet’s site started to partially recover from it.

But, the attack was far from over. A second surge of incoming requests came afterward and would have disrupted the site again had it not been for the team’s swift response. The plan bore fruit, and the impact on the site was minimal. "There were some minutes when absolutely nothing was working, but mitigation measures were fast and effective," López said.

However, these measures had to be bold at the beginning to ensure the attack was repelled as soon as possible. FXStreet blocked all incoming traffic from Russia, South Korea, China, and Brazil, among other countries, as they were identified as the primary origin of the cyberattack. This action was only a short-term solution as it came with a huge cost: leaving the FXStreet community from these countries unable to access the site. Some minutes later, the IT team was able to fine-tune its strategy by just blocking specific IP addresses, ending with the more-disruptive country block.

"The team was able to quickly identify the source of the attack and implement targeted measures against it," López said. "Everyone acted in a swift and coordinated manner, which was key to [restoring] the site quickly."

At around 09:00 am CET, the attack was considered mitigated. It carried on for a few more hours, but the site continued to function seamlessly and the coverage of the European Central Bank’s decision went smoothly.

Lessons Learned

"The key to successfully navigating a DDoS attack is to have updated cybersecurity systems such as Cloudflare, as they are able to provide crucial information in order to thwart the attack," López said. "The response has to be consistent with the level of the threat, and transparency is critical with the organization and its stakeholders."

During the most critical moments of the attack, the option of paying the ransom is likely to be considered. Accepting the demands of cybercriminals could solve the crisis in a matter of minutes, but is dangerous because it can lead to further attacks once the information spreads. No one wants to be on the list of easy targets for hackers.

The incident served as a wake-up call for everyone in the organization to realize that the threat of cyberattacks is constant. "It was a fresh reminder of the need to be on guard. No one is 100% safe from cybercriminals," López said.