Avaaz Faces Questions Over DDoS Begging Bowl

Avaaz says it was hit by a two-day DDoS lasting almost two days, but questions have been raised about why it needs more money

Human rights campaigning group Avaaz has told TechWeekEurope the “massive” cyber attack on its website amounted to a 44-hour distributed denial of service (DDoS) strike, initiated by a “globally-distributed botnet of thousands of machines.”

But the company is facing some questions over why it has launched a campaign for more funding in the wake of the attack.

Avaaz said it has informed the FBI about the “large and substantive” DDoS attack, which it said ended on 3 May. According to the body, it has been working with experts to determine the extent of the hit.

Government or corporation blamed

On Wednesday, the company put out a notice alongside a plea for donations to help protect its infrastructure, claiming its experts had indicated a government or a big corporation was most likely behind the strike. Yet the company said it had no more information about who was responsible.

It appears that despite the attack, Avaaz’s website has held up well. “The site was down for 10 minutes on Wednesday 2nd May, and another 4 minutes early Wednesday morning and our ability to send out global campaigns to our membership was effected [sic] during the attack,” a spokesperson told TechWeekEurope.

Avaaz has been campaigning over a number of high-profile issues since its inception in 2006, launching a petition calling on companies such as Facebook and Microsoft to ditch support for the US Cyber Intelligence Sharing and Protection Act (CISPA), while it has also been pushing to “stop Rupert Murdoch”.

Questions asked…

Questions have been raised about Avaaz’s motives in asking for additional funds to take its security “to the next level”.

“I love Avaaz. But saying ‘we’re suffering a massive cyber-attack’ then asking for my card details, not so much,” read a tweet from Peter Bradwell, of the Open Rights Group.

Comments from readers on TechWeekEurope’s story from Thursday alleged Avaaz was primarily after money, yet the company did not respond to requests for a response. One blog suggested the fact that the organisation was asking for a defence fund raised “all kinds of alarm bells.”

W. Andrew Jones’ Tumblr blog asked: “What is the severity of the attack, and who is the expert who can corroborate that it is happening? Is there any third-party assessment, beyond Avaaz’s own internal claims?”

“This sets an extremely uncomfortable precedent for other non-profit organisations. To pay for website upgrades or network security, should they also claim to be ‘under attack’ by mysterious corporate cyber attackers? If they actually are ‘under attack’, should soliciting donations via their (still-under-attack) website really be the first action they take?”

This publication drew the blog to Avaaz’ attention, in the hope of a response, asking who its experts were, but we have had no response.

Avaaz certainly spends a lot of money on IT, which may leave some wondering why it needs more for security. The organisation has spent substantial sums on independent contractors, according to its 2009 and 2010 US Internal Revenue Service accounting reports.

In 2009, the organisation paid Paul and Milena Berry, from New York where Avaaz is based, $245,182 for IT consulting work. In 2010, the pair received $294,000, as Avaaz’s revenues grew.

Milena Berry’s LinkedIn profile says she has been Avaaz’s CTO since March 2007. She covers various topics, including security and servers infrastructure as well as software development.

Paul Berry’s LinkedIn profile indicates he was CTO of Avaaz from 2006 to March 2007, when Milena Berry started.Despite leaving Avaaz in 2007, he was still listed as one of the independent contractors for the organisation.

Paul Berry was CTO of the Huffington Post up until the end of 2011. His LinkedIn account says he finshed building “the first phase of Avaaz.org in March”, although does not specify the year. He is now CEO of RebelMouse, a social media startup.

The body’s growing revenue may indicate that it is not desperate for money. In 2009, president Ricken Patel received a $120,000 salary. The following year, this went up to $177,863. The body, which is a “wholly member-funded” organisation, posted a total revenue of $6,664,634 in 2010, up from $4,784,120 in 2009. In 2010, total expenses were $5,574,908. There are no figures for 2011 available yet.

The accounting report for 2010 says “compensation for the executive director was determined by the board based on a study carried out for a comparable organisation.

Avaaz says it has a core team across six continents and thousands of volunteers. It has a member base of 14,267,571.

Are you a security guru? Test yourself with our quiz!