You may have been thinking about roses for your sweetie for the holiday. The bad guys focused on florists, too.

Sunday was the Super Bowl for flower sellers—Valentine’s Day, what some say is their busiest day of the year. A perfect time, some criminals decided, for an online attack.

Not only did online traffic increase for their florist customers in the week before Valentine’s Day, say Tim Matthews and Ofer Gayer with Imperva, but so did criminal sieges.

“It seems that not even love is immune to attack,” they wrote in their blog post. “Ninety-one percent of the sites showed attack traffic during that period.”

“We definitely saw bigger and fiercer attacks targeting some of the bigger players, rather than the smaller niche local services, especially when extortionists are involved, as they probably just took the first hits they found on Google for ‘order flowers,’” Gayer told Archer News. Gayer said he is a senior security researcher at Imperva for the Incapsula product line.

They detail one incident where a florist became one of their customers after it had experienced an attack, a DDoS, or distributed denial of service.

A DDos is an attack where the crooks flood a computer system so that it cannot be used, using many different systems in various places, explained Patrick C. Miller of Archer Security Group.

“This ultimately brought the site down with a great loss of revenue,” they said, though they said they were able to help the florist recover.

What the attackers want

The crooks often want bitcoins, according to web security company Sucuri.

The company said victims are receiving ransom notes similar to this one:

Subject: Ransom request: DDOS ATTACK!


We are [Criminal Group].

All your servers will be DDoS-ed starting Friday if you don’t pay 2 Bitcoins @ [BITCOIN ADDR]

When we say all, we mean all – users will not be able to access sites host with you at all.

Right now we will start 30 minutes attack on your site’s IP (victims IP address). It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It’s just to prove that this is not a hoax. Check your logs!

If you don’t pay by Friday , attack will start, price to stop will increase to 4 BTC and will go up 20 BTC for every day of attack.

This is not a joke.

Sucuri said you should not pay the ransom requests.

“If you have to spend the money, do so to protect yourself, but understand they may still attack you even if you pay the ransom,” Sucuri’s post said.

Gayer agrees.

“Paying the attackers is not a valid option at all, as there is very little guaranty that they will actually stop, which is much like real-life extortions,” he said to Archer News.

He said the florists who were attacked were protected by his company’s products.

Not uncommon

Gayer said e-commerce is one of the most popular sectors for “seasonality” attacks.

The DDoS attack is not uncommon leading up to big events, reported The Register.

People were anxiously awaiting the results of the Irish lottery last month with its $13 million jackpot. But on the day of the draw, a DDoS attack shut down the lottery website and ticket machines, the lottery operator said, according to the Irish Times. 

An online poker company had to cancel a million-dollar tournament in December 2014 after a DDoS, reported Poker News Daily.

Winning Poker Network’s CEO Phil Nagy said in the article, “Whoever was causing the Internet disconnections was waiting for the million [dollar guaranteed tournament]. The second that it started, it [the attack] started.”

The same network was hit again in September 2015, according Poker News Daily, as the company prepared for another million-dollar tournament.

What can you do?

DDoS attacks hit record numbers in 2015, reported Akamai, with criminals using hackers for hire to do their dirty work.

Matthews and Gayer give advice on how to protect yourself, especially if you are on an online florist facing Mother’s Day and other holidays to come.

First, monitor your traffic, looking for abnormalities like heavier than usual traffic spikes and new visits from unfamiliar IP addresses and geolocations, they reported.

“Any unusual activity could be ‘dry runs’ by attackers foreshadowing an imminent full-blown attack,” they said.

Watch your social media platforms and sites like for discussions that could indicate an attack.

Consider using a DDoS testing or penetration testing to see if you are ready for such an attack, they said.

And finally, they said, create a response plan and response team, in case of a successful attack.

Victims should contact their Internet service providers when attacked, said Miller.

“They should not only contact their ISPs when the attack starts, but find out whom to contact at your ISP in advance. Be prepared. Especially if you have a date/time sensitive business that relies on Internet traffic,” Miller added.

Researcher Lee Munson at told SCMagazine that victims should contact law enforcement immediately and issue a statement to customers.

“Under no circumstances should any business cave in and pay up as that only marks the business as a future target for the same or other criminal gangs,” he said in the article.