Tom Benattar
July 30, 2018

The PixelMe backstory: how “phishing” almost killed our company 😱

Back in December 2017, PixelMe had been on the market for two months. Remember that we shared a bit about our journey on how we created PixelMe, had a successful Appsumo promotion, and grew to 200 monthly paying customers.

It was late at night for us in Europe, and we had just received a message on our live chat service saying that our app was down!

After a quick and rough investigation, we discovered that all our servers had been shut down by our service provider itself. 😱 😓 Some of our users were using PixelMe for a phishing attack.

Wait a sec… Phishing? What the hell is that?

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising an attack as a trustworthy entity in electronic communications (Wikipedia).

Okay, but what does this have to do with PixelMe?

Usually, people who are making these types of fraudulent attempts try to hide their fraudulent links behind a shortened URL. That’s the reason why they started to use PixelMe.

Here is a sample of a “supernatural” conversation we had with one of them:

The beginning of the problems

Our first big problem was to reboot our servers. Our application was down, but so was our link server. At the time, we had more than 2,000 users who were creating shortened URLs every day. So, having your app down is one problem; having thousands of links down is another big one! 😬

After several attempts to contact our server provider, our servers were up and running again.

In response, they just emailed us the following message:

At the time, we were using a local, French server host and were hosting both the app and the link server on the same server. This is not the case anymore; we changed this to ensure that we can offer a 99% SLA to all our customers (i.e., akin to Bitly).

Okay, so we had 48 hours to find and delete all the fraudulent links on our server that a bank had reported to our host. We spent a few hours investigating and found all the links. We blocked the users and reported them.

A few days later, the problems escalated when all our links were blocked on Twitter!

A lot of our users were using PixelMe to share links on Twitter! If we couldn’t unblock our links on Twitter… we were finished… 😱

We tried to reach out to Twitter, but we never received an answer! I guess we were too small for Twitter to pay attention to us. 😞

Fortunately, Max found out that Twitter is using an external service to handle this type of problem. It’s called Spamhaus!

Spamhaus is an international nonprofit organization that tracks spam and related cyber threats such as phishing, malware, and botnets.

Two hours after we had completed the form on Spamhaus, our links were up and running on Twitter. 💪

However, it was the same on McAfee, Norton, etc… Email providers were blocking our links, so we had to contact all these platforms to unblock our links.

At this point the problems were not entirely solved, because some people were still using PixelMe to create phishing attacks! So we had to find a way to detect those people, delete all their fraudulent links, block them from accessing our service, and report them to the anti-phishing organizations!

This is when we started to receive emails from private services asking us to delete fraudulent links before we got blocked:

Every time we received such an email, we deleted all the reported links and redirected the traffic to a phishing warning page to inform visitors that someone was trying to abuse them.

But we kept receiving, again and again, emails and reports for new links that were insane! 😳

We were blocked two more times on Twitter, on emails, by antivirus software, etc. It was a real nightmare, and I was spending all my time deleting links, monitoring our links, and contacting different providers.

But, that was not the only problem! Guess what?

The cherry on the cake: some of these “phishers” were so happy with our service that they were paying for it … but with stolen credit cards, of course! 😬

Thus, we had to start proactively refunding those credit cards and reporting the fraudulent payments to Stripe…

We had to find another way to solve those issues…

Prevent rather than cure

After a couple of brainstorming sessions, we decided to take action by automatically detecting all phishing URLs before shortening the link.

Jérémie connected PixelMe to several different services that report fraudulent URLs. That means that now, all these URLs are automatically blocked on PixelMe, and every time someone tries to shorten such a link, that user is automatically blocked and all those links are shut down without further notice.

At the same time, we also created a list of keywords and are able to detect suspect domains. We plugged this with a Slack channel and receive a notification every time a new link is shortened with one of these keywords in it.
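A sketch of the kind of pre-shortening screen described in the last three paragraphs, as an added example that is not PixelMe's own code. The blocklist entries, keyword list and function names are constructed for illustration; a `review` verdict marks the point where a team-chat alert such as the Slack notification would fire.

```python
from urllib.parse import urlsplit

# Constructed sample data standing in for the reputation feeds and keyword
# list the post mentions; PixelMe's real lists are not published.
BLOCKED_DOMAINS = {"bad-login.example", "phish.test"}
SUSPECT_KEYWORDS = ("login", "verify", "secure", "account", "bank")


def normalize_host(url):
    """Return the lowercase punycode host of an http(s) URL, else None."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        if parts.scheme not in ("http", "https") or not host:
            return None
        # IDNA-encode so Unicode look-alike hosts compare in one form.
        return host.encode("idna").decode("ascii")
    except (ValueError, UnicodeError):
        return None


def is_blocklisted(host, blocked=BLOCKED_DOMAINS):
    """True if the host or any parent domain is on the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def screen_url(url):
    """Return (verdict, reason): 'block', 'review' (alert a human) or 'allow'."""
    host = normalize_host(url)
    if host is None:
        return ("block", "invalid or non-http(s) URL")
    if is_blocklisted(host):
        return ("block", "host on blocklist: " + host)
    parts = urlsplit(url.strip())
    haystack = (host + parts.path + "?" + parts.query).lower()
    hits = [k for k in SUSPECT_KEYWORDS if k in haystack]
    if hits:
        return ("review", "keywords: " + ", ".join(hits))
    return ("allow", "")


if __name__ == "__main__":
    for u in ("https://mybank.example@phish.test/x",   # userinfo trick
              "https://example.org/account/verify",
              "https://example.org/blog/post-1"):
        print(u, "->", screen_url(u))
```

The host is taken from the parsed URL rather than matched as a substring, so a trusted-looking name placed in the userinfo part does not hide the real destination from the blocklist check.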

We created a landing page so that people can report a phishing link. We also created a specific page that is shown when we block a link, so that users are aware of the phishing attempt.

And finally, Jérémie added some features to our back office, so now we can block links and delete an account in one click! 🔥

After a tough month of December, and by putting all these things in place, we have started to see a big decrease in reports and phishing links. So much so that in the last two months, we haven’t received any emails or heard about any reported phishing PixelMe links. We’re aware that this is totally part of being a URL shortener.

We know is facing the same problems. Creating a URL shortener might not be a big technical challenge, but scaling it to thousands of users, having millions of clicks, and making sure all these links are 99.99% up and running is another challenge. 😊

We are happy to continue building PixelMe to help advertisers reduce their acquisition costs!