(Publisher’s note: We’re posting about the brute force attack attack against Dispatches as a cautionary tale for other expats working in the digital space. If you have a WordPress blog or news and entertainment website, be sure to update your plug-ins and consider upgrading to a security service with a firewall.)
On 19 March, we had a brute force attack like we’ve never experienced, with hackers trying to take control of Dispatches Europe, or to use us as a host for malicious code and incorporate our platform into a malware network. The attackers hit the system more than 37,000 times in just a few hours. We get targeted every day by Russian trolls. We’re used to that and we have the cybersecurity software in place to stop attacks. When our IT person in the United States alerted us, she told us, to our shock, that the attack originated from NFOrce, an Internet Service Provider only a few miles from our headquarters in Eindhoven, Netherlands.
The report from our tech:
The main attacker for this at 6:30 PM EST was from the Netherlands and hit the system over 25k times. I’m attaching the (redacted) report. Here are the attacker’s IP details
IP: 2a00:1768:2001:7a::b
Abuse contact for ‘2a00:1768:2001::/48’ is ‘[email protected]‘
inet6num: 2a00:1768:2001::/48
netname: NFORCE
descr: DBC /64 customers
country: NL
person: NFOrce Internet Services – Technical role account
address: Postbus 1142
address: 4700BC Roosendaal
address: The Netherlands
phone: +31 (0)206919299
descr: NFOrce Entertainment BV – 2a00:1768:2000::/36 route
descr: Databarn Capelle
This is the attacker’s ISP: https://www.nforce.com/
So, we contacted NFOrce immediately to a) stop the attacks and b) get back the money this attack was costing us with a very expensive IP consultant working through the night in the U.S. to stop it.
We got this back from W. Sipkes, an NFOrce support engineer:
NFOrce does not operate any servers themselves, we are merely a telecom provider for this IP address. The operator of the service you have a complaint about is solely responsible for the service and its content. Initially you have to resolve this matter directly with the operator of the service.
Of course, identifying ransomware pirates trying to insert malware into our code, then negotiating with them as they try to hold our content management system hostage until we pay, is problematic … made more problematic by the lax laws here. Then we had an email exchange with NFOrce COO Dave Bakvis, who told us to report our attack.
No kidding.
We tried sending an email to NFOrce’s abuse address, but it came back with a message they aren’t accepting abuse reports via email anymore. We called, but ended up on hold. Then we tried to put in the URL doc.hk, which was one of the URLs attacking our website. NFOrce’s automated reply stated it wasn’t hosted on their network even though it clearly was. When it asks for the IP address to check, the reply stated the IP address is not on their network.
These hackers are not stupid, and nailing them down is like trying to trap mercury.
This is happening to big companies, to small ones such as ours and even to big institutions. Last December, University of Maastricht administrators paid 200,000 euros to extortionists to regain control of the school’s information networks.
For an advanced, high-functioning society, the Netherlands is an enigma. While the country is ranked at the top of every freedom index, a libertarian approach to the Internet creates some dark corners of society where digital criminals are allowed to operate with impunity.
I stress “are allowed to operate.”
When we started researching NFOrce in Roosendaal, Netherlands, we found multiple media reports and a study by Technical University of Delft indicating the company has been in trouble repeatedly, hosting a huge percentage of the world’s child porn websites.
In fact, the Netherlands overall hosted 71 percent of the child sexual abuse content in 2019, according to Internet Watch Foundation, the Cambridge, United Kingdom-based foundation that tracks child sexual abuse. This was a 51-percent increase from 2018 when the Netherlands hosted 47 percent of all child porn.
Enter one Minister Ferdinand Grappenhaus, ministry of justice and security. Grappenhaus has lead a fairly low-key effort to require ISPs to stop hosting child porn. He recently proposed a bill to force them to take down such images.
From the official government post, “ICT companies should do more (emphasis ours) to remove child sexual abuse from the Internet”:
NForce: Delft University of Technology’s report shows that the hosting company NForce hosts an extreme amount of child sexual abuse images: from January to August 2020, the company received no fewer than 179,610 notifications from the EOKM’s Internet Hotline against Child Pornography about URLs containing such material. This puts NForce at the top of the ranking for hosting child sexual abuse images.
If you think ISPs hosting criminal activity have been shut down, you’d be wrong. Instead, the Dutch house of representatives has a policy of “naming and shaming.” In June 2020, the minister wrote a letter to 17 hosting companies, giving them a deadline to delete the porn: September 2020. So, the official approach is, “Dear Internet Service Provider. We ask you kindly to take down those photos of pedophiles exploiting 8-year-olds.”
That should work. Oh wait … it didn’t. NFOrce basically did nothing. Another ISP, IPVolume, took active steps to block the government effort, according to the government’s own website.
Now, I’m not conflating child porn with brute force attacks, but the rest of of the civilized world agrees they both should be illegal … and it’s not a coincidence that the same Netherlands-based ISPs hosting child porn also host ransomware. We had a simple question for Grappenhaus’s media-relations people: “Why are these companies still in business here and not operating out of some rogue state?”
Here’s our email:
As I’m writing this email, our website – Dispatches Europe – is under a brute force attack from hackers hosted by a Netherlands-based internet service provider, NFOrce, based in Roosendaal. This is the second such attack in 48 hours. It’s no coincidence that NFOrce and Minister Grappenhaus have been in the news for years regarding NFOrce hosting massive amounts of child pornography.
In our case, NFOrce makes it possible for ransomware companies to target legitimate media companies such as ours. This is costing our expat-oriented communications company significant amounts of money and advertising revenue as our IT personnel in the United States race to install new software to fend off 37,000 attacks on Saturday and 14,000 attempts so far today as of 12:30.
My question to the minister is, why are companies such as NFOrce allowed to operate with impunity in the Netherlands? I do intend to quote him in a post about this. Thanks, Terry Boyd, co-CEO, Dispatches Media, Eindhoven, Netherlands
The answer is in a detailed 2019 New York Times investigative piece on the global child-porn matrix that describes the Netherlands as “a small country with a robust web business and laws that are routinely exploited by bad actors” … a country where authorities simply don’t have the resources to deal with digital criminals. And not a whole lot of will.
The NYTimes reporters also interviewed our friend Dave Bakvis, who told them the “company’s hands were tied by Dutch laws, which prevent it from monitoring customer servers without a court order.” He said NFOrce acts immediately when it received requests from the authorities.
We made repeated calls to Miral Scheffer and others on Minister Grappenhaus’s media relations team, but never got a response.
Co-CEO of Dispatches Europe. A former military reporter, I'm a serial expat who has lived in France, Turkey, Germany and the Netherlands.