Hackers and Scammers Seek to Exploit Ashley Madison Hack

PHILIPPE LOPEZ/AFP/Getty Images

It will come as no surprise that Internet scam artists, quick to take advantage of every public concern, are looking to prey upon those who fear their husbands or wives might be listed in the database of Ashley Madison clients disclosed by hackers.

Guilty spouses worried that they might be exposed by the data dump will make attractive targets for scammers and pranksters, too.

One immediate threat comes from predators offering fake “check up on your spouse” websites. Several sites have posted searchable databases of the Ashley Madison client lists. Many more sites falsely claiming to offer such search tools are popping up, and advertising themselves with a blizzard of spam email.

The BBC visited a number of such sites and found some of them were designed to trick visitors into providing personal data that could be used to rob them or violate their privacy, or even charge them a fee before granting access to phony Ashley Madison client lists. Others were virus-infested hell-holes, with a pronounced tilt toward the sort of malware designed to trick users into thinking their computers have massive security problems that can only be resolved by paying a fee to a “security service.”

Some miscreants have posted files online that claim to be the full set of Ashley Madison client data, but are in fact huge blobs of junk data infested with viruses. The BBC also raised suspicions that some media outlets are downloading fake Ashley Madison databases, leading to false reports about notable individuals outed as clients.

(It’s worth keeping in mind that the actual Ashley Madison database stolen by the Impact Team hackers contains a huge amount of false data and phony, unverified email addresses – that’s one of the things about the AM service that drew the Impact Team’s ire. Among other things, they charged that the vast majority of the female profiles on AM were fake – an allegation borne out by such accounts as the one given to the UK Telegraph on Friday from a former Ashley Madison employee who said she was “told to create hundreds of fake profiles of female ‘members’ to entice men to join up.”)

NetworkWorld warns that the Ashley Madison database is likely to unleash a torrent of spam and spear-phishing emails against every email address contained within. Trend Micro cybersecurity chief Tom Kellerman speculated that an avalanche of emails claiming to be from Ashley Madison representatives, divorce lawyers, private investigators, and other interested parties has “probably already begun in earnest.”

People who are already scared to death about divorce and career suicide from being exposed as Ashley Madison subscribers are more likely to open convincing-looking fake emails from purportedly helpful or intimidating parties. As NetworkWorld notes, scammers have been getting better at tricking people into opening malware-laced emails anyway. The more dangerous variety of “spear-phishing” attack uses personalized emails the target is more likely to open, unwittingly releasing malware code into his system.

This could pose a particular problem for corporate and government IT managers, as many of the email addresses provided by Ashley Madison subscribers originated from such networks. The spear-phishing tidal wave will be washing ashore at every domain included in that client list. This could lead to hacker penetration of corporate, government, and military networks, unless care is taken to fend off that junk email.

NetworkWorld recommends a few security precautions, including filtering both incoming and outbound email traffic related to Ashley Madison, watching for emails that mention divorce attorneys or private investigators, blocking network access to Ashley Madison and related sites, and even proactively checking a reputable copy of the Ashley Madison database to see if a particular corporate network, or the corporation’s employees, are referenced. That way, network security teams can get a heads-up on possible incoming AM-related threats.

Security expert Brian Krebs, a leader on the Ashley Madison story, further observes that the threat of hard-core extortion looms over AM clients, and even victims who can be tricked into thinking they were on the Ashley Madison list. At first glance, the extortion threat would seem to be minimized, because everyone knows the names are out there – how can you threaten someone with exposure when there is, effectively, no way to prevent his identity from being exposed, sooner or later?

This overlooks the uncertainty surrounding the immense file dumped by the Impact Team hackers. The database is not easy to search, so average Internet users can’t just pop in there and perform a quick check to see if a particular name is on the list. It will take a good deal of time and effort to identify the clients and weed out false data. At this point, everyone knows there is a great deal of false data, so it’s not difficult to frighten a mark into thinking he or she popped up in the Ashley Madison subscriber list, even if the victim never actually visited the adultery website at all. Shakedown artists posing as private investigators or extortionists must figure they have a decent chance of success.

Krebs posted a copy of one such extortion spam email, passed along to him by an email provider who has been taking precautions against the use of his service for Ashley Madison scams, and caught someone trying to send shakedown emails out of his server:

Hello,

Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.

If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value $225 USD) to the following address:

1B8eH7HR87vbVbMzX4gk9nYyus3KnXs4Ez [link added]

Sending the wrong amount means I won’t know it’s you who paid.

You have 7 days from receipt of this email to send the BTC [bitcoins]. If you need help locating a place to purchase BTC, you can start here…..

Krebs checked the Bitcoin link and found no one had paid this particular shakedown artist off yet, but also established that the target of the email really was an Ashley Madison user.
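The mail filtering NetworkWorld recommends, applied to the kind of extortion email Krebs quotes, can be sketched as a small triage check. This is an added example, not code from the article or from any mail product; the regexes, the indicator names and the quarantine policy are assumptions chosen for illustration.

```python
import hashlib
import re
from email import message_from_string

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Lure themes named in the article; the patterns themselves are assumptions.
LURES = {
    "brand": re.compile(r"ashley\s*madison", re.I),
    "legal_or_pi": re.compile(r"divorce\s+(attorney|lawyer)|private\s+investigator", re.I),
    "payment_demand": re.compile(r"\b(bitcoins?|btc)\b", re.I),
    "deadline": re.compile(r"\b\d+\s+(days?|hours?)\b", re.I),
}

def is_btc_address(candidate):
    """Base58Check test: 21 payload bytes plus 4 bytes of double SHA-256."""
    try:
        n = 0
        for ch in candidate:
            n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
        raw = n.to_bytes(25, "big")     # OverflowError if the value is too long
    except (ValueError, OverflowError):
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return check == raw[21:]

def triage(raw_message):
    """Return the sorted indicator names found in the subject and text parts."""
    msg = message_from_string(raw_message)
    parts = [p.get_payload() for p in msg.walk()
             if p.get_content_maintype() == "text"]
    text = msg.get("Subject", "") + "\n" + "\n".join(parts)
    hits = {name for name, rx in LURES.items() if rx.search(text)}
    # Only strings that pass the checksum count, which cuts false positives.
    if any(is_btc_address(a) for a in ADDR_RE.findall(text)):
        hits.add("btc_address")
    return sorted(hits)

def verdict(raw_message):
    """Hypothetical policy: the brand plus any pressure theme is quarantined."""
    hits = set(triage(raw_message))
    pressure = hits & {"legal_or_pi", "payment_demand", "btc_address"}
    if "brand" in hits and pressure:
        return "quarantine"
    return "review" if "brand" in hits or pressure else "deliver"

# Constructed sample, modelled on the extortion email quoted above.
SAMPLE = ("Subject: Your data\n\nYour data was leaked in the hacking of "
          "Ashley Madison. Send 1.0000001 Bitcoins to "
          "1B8eH7HR87vbVbMzX4gk9nYyus3KnXs4Ez within 7 days.\n")
```

The same check works on outbound mail, since it only looks at the subject and text parts and not at the direction of travel.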

Of course, the worst-case extortion scenarios involve targets with sensitive government positions. Defense Secretary Ashton Carter has previously stated that the Defense Department will be investigating the Ashley Madison leak. Tom Kellerman of Trend Micro suspects the situation is even more dire than Carter let on, and envisioned that hackers or foreign espionage agents could go after the spouses and other family members of Ashley Madison clients, targeting them with spyware-laced emails promising details about their loved one’s adultery.
