New Extortion Campaign Threatens Victims of the 2015 Ashley Madison Breach
February 03, 2020
A new extortion campaign is targeting victims of the Ashley Madison data breach that happened five years ago, Vade Secure reports.
Ashley Madison is a dating website marketed to people who want to explore affairs outside their current relationships. Avid Life Media, the company behind the site, was hacked in 2015 by a group known as Impact Team. The hacking group threatened to release sensitive information harvested from the site if Avid Life didn’t shut down Ashley Madison and another similar website. When the company didn’t do so, Impact Team posted the data of millions of users on the dark web.
The incident was milked by cybercriminals who started sending email threats soon after the data was leaked. The leaked data was used in another blackmail attempt in 2017, and it appears the incident is still being used to extort victims years after the original breach.
The actors behind this new campaign tell victims that they will publicize proof of their Ashley Madison profile as well as other “embarrassing” activities. Like in other recent sextortion cases, the attackers demand bitcoins as payment. The amount (US$1,000) was not revealed in the email, but in a password-protected PDF attachment. The email body explains that it’s meant to avoid detection by email filters that usually can’t scan what’s inside attachments. The attached file includes a QR code that links to the URL for the transaction.
The attackers gave the victims a period of six days after the email was sent before the threat actors supposedly follow through with their threat.
It is plausible that the miscreants may not have the actual information of the victims, and they’re simply capitalizing on the breach for a socially engineered attack. This does not mean that the threat is any less potent. Victims who believe that the attackers do have the data are still likely to give in to the demand out of fear and distress.
Despite this, we can't rule out the possibility that the threat actors do have the data leaked from Ashley Madison. How cybercriminals can exploit victims of a data breach that happened half a decade ago may be unsettling, but also unsurprising. Once posted publicly on the internet, personal information are easily stolen, and those who own them are left with little to no control over who accesses their data. The blackmail may not just affect the victims themselves, but also people related to them. The breached personal data can even be possibly used to attempt to breach the companies the victims work for.
The reuse of exposed personal information can be done not just for extortion, but also for other attacks such as credential stuffing. Credential stuffing is the automated injection of breached usernames and passwords with the use of botnets in an attempt to access online services.
The Ashley Madison breach and its enduring consequences is not just about the divisive matter of infidelity, but also about the privacy of personal information on the internet. To avoid being victimized by data breaches, it is advised to store data in secure storage spaces and to protect not just endpoints, but all components of multilayered systems.
In cases where exposed data is being actively used in extortion campaigns, victims are advised against paying or even simply responding to the emails, as doing so might make them more susceptible to more attacks.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
Posted in Cybercrime & Digital Threats