Data Breach , Data Loss

Ashley Madison: Spam, Extortion Begins

Attackers, Investigators Have Begun Using Leaked Data, Experts Warn
Ashley Madison: Spam, Extortion Begins

Organizations are being warned to beware of now-underway spam campaigns and extortion attacks that may target any of their employees who are current or former users of the pro-adultery Ashley Madison online dating site (see Ashley Madison Fallout: 8 Security Takeaways).

See Also: From Authentication to Advanced Attack Vectors: Top Trends in Cybercrime in Q1 2016

Meanwhile, the attackers behind the data breach of Ashley Madison - tagline: "Life is short, have an affair" - are continuing to follow through on their July threat to release details about many of the site's 37 million members, unless parent company Avid Life Media shuts down three of its sites, which it has declined to do.

Notably, the group called the "Impact Team" has released a third batch of stolen data and suggested they're sitting on up to 300 GB of stolen information. The third archive extracts to a size of about 30 GB and appears to contain Ashley Madison CEO Noel Biderman's Gmail spool, comprising about 200,000 individual email messages, Doug Hiwiller, a principal security consultant at information security consultancy TrustedSec, says in a blog post. "This will be the extent of our analysis as we do not plan on reviewing any emails, or anything relating to the dump that is around an individual's personal account," he says. But that does not mean others will not do so. "The information is public, and out there."

That data dump follows the "Impact Team" last week also releasing via BitTorrent a 10 GB compressed file containing stolen information, followed by a 20 GB compressed file, although the latter appeared to be partially corrupted. "Hey Noel, you can admit it's real now," the attackers taunted Biderman in a message included with the second dump.

Extortion Alert

In the wake of the data leaks, reports of related extortion attacks have already begun to surface. Rick Romero, the IT manager at Milwaukee-based email provider VF IT Services, reports seeing at least one extortion campaign underway - which he has blocked - that claims that the recipient's email address was found in the Ashley Madison dump, and says that "if you would like to prevent me from finding and sharing this information with your significant other," the recipient must send 1.0000001 bitcoins - worth about $225 - to a specified bitcoin wallet within seven days, security blogger Brian Krebs reports.

In the wake of the Ashley Madison data leak, Microsoft developer Troy Hunt, who runs the free "Have I Been Pwned?" service, which emails people when their email addresses appear in public data dumps, has added the leaked email addresses to his service. But he says he does not allow people to search for the presence of the email addresses in the Ashley Madison dump, and he has not been naming the Ashley Madison dump when alerting related victims, given the sensitive nature of the information.

That sensitivity is reflected by a report of what may be the first suicide tied to the breach. One San Antonio, Texas, city employee whose details were included in the leak committed suicide Aug. 20, although officials say it is not clear if the man's death is related to the leak, the San-Antonio Express News reports. Officials also note that it would have been unlikely that a city employee could have accessed Ashley Madison from their work machine, since social networking and dating sites are routinely blocked.

Search Service Questions

Unlike Hunt, however, one online investigations company - called Trustify - has created a site where people can search the leaked Ashley Madison data for specific email addresses. And according to a Reddit discussion, the site has reportedly begun emailing people the following message whenever someone searches for - and finds - their email address in the data dump:

"You or someone you know recently used our search tool to see if your email address was compromised in the Ashley Madison leak, and we confirmed that your details were exposed. This sensitive data can affect your love life, employment, and follow you across the web forever. There are ways to hide the exposed details, but first you need to see what information can be found across the web. Talk with our experienced investigative consultants to learn how you can find out what incriminating information is available and could ruin your life."

"We're averaging 500 searches per second," Danny Boice, who launched Trustify in March - as a kind of Uber for private investigations - tells CNN.

Some commentators, however, have questioned the company's tactics, taking to Reddit to liken the firm to ambulance chasers, and suggest the firm is "morally bankrupt" for attempting to profit on the Ashley Madison breach.

Security experts also warn that some search sites may be harvesting search information for unknown reasons. "Be careful about entering *any* email address into Ashley Madison search sites," Hunt warns.

Leaked Data Cannot Be Hidden

Also, any suggestion that leaked Ashley Madison data can now somehow be hidden also misses the mark, Hunt warns. "Unfortunately that's simply not possible - once information has been sufficiently socialized and redistributed, which the Ashley Madison data has certainly been - the exposure is irretrievable," he says in an online Q&A that has been driven by the "huge number" of related queries he has received from breach victims. "At this point it is better to focus on damage control - consider the impact of your Ashley Madison membership being known by everyone and what actions you might take in order to minimize the impact - i.e. discussing with a spouse."

In terms of the leaked data, Hunt notes that "the earliest record of a member in the database shows a creation date of 17 January, 2002," while "the earliest payment record appears as 21 March, 2008."

Breach Triggers Lawsuits

The Ashley Madison hack and data dump has already triggered related lawsuits, including a Canadian lawsuit seeking class-action status, as well as a U.S. suit filed by a customer, "Jane Doe," who claims that the company's "full delete" service failed to remove all of her customer details from Avid Life Media's systems, as advertised (see No Surprise: Ashley Madison Breach Triggers Lawsuits).

Another former customer tells the Guardian that his details appeared in the dump, despite his paying £15 to have them removed. When he emailed Avid Life Media, the former customer says he received the following response: "Our records indicate that your account was deleted using the Full Profile Deletion option on 7 July, 2015. At Ashley Madison your privacy is of the utmost importance to us. Rest assured that the feature you chose is the best way to make sure your profile is completely removed from our service. ... It is like you were never even here."

But as the former customer notes, that does not explain why his supposedly excised personal details were included in the dumped data. He plans to sue for damages.

Hackers Detail Attack

One potential explanation for why users of Ashley Madison's paid-delete service may have seen their personal details still appear in the breach could be because the Impact Team may have had access to all of the data, thus rendering moot any attempt to remove it from Avid Life Media's servers.

The attackers, in an interview, have provided further details about the hack, as well as the state of Avid Life Media's defenses. "We were in Avid Life Media a long time to understand and get everything," Impact Team tells Vice via email. The publication says that the attackers' email used the same PGP key that they have employed to sign their data dumps.

The attackers report that they hacked into Avid Life Media's systems "a long time ago," and amassed an extensive amount of information from the company: "300GB of employee emails and docs from internal network. Tens of thousands of Ashley Madison user pictures. Some Ashley Madison user chats and messages."

The hackers claim that hacking Avid Life Media was not difficult. "We worked hard to make fully undetectable attack, then got in and found nothing to bypass." The site's security, they say, was "bad," and monitoring appeared to be scarce or nonexistence. "Nobody was watching. No security. Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers."

Avid Life Media did not respond to a request for comment on the hackers' claims.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network