How much is keeping a secret worth? According to hackers taking advantage of the Ashley Madison hack, it’s worth only up to one Bitcoin – around 230 US dollars at current exchange rates.
Soon after the data from the breach was leaked to the public, we knew that other threats would jump on the bandwagon. The leak dealt with confidential data that Ashley Madison members are keen to keep secret. With much at stake, we knew that it would attract cybercriminals hoping to make a profit from the situation.
It didn’t take long – we soon started receiving various spam messages taking advantage of this fact. We believe that these messages are being systematically sent to users whose emails were found in the Ashley Madison database.
Some messages attempted to blackmail the recipient into paying some money (initially around one Bitcoin; later messages demand half of that). If the user didn’t pay up, their friends and family would be notified. Ostensibly, this list had been obtained from the user’s publicly available Facebook friends list. Emails of this type frequently have the name Ashley Madison or Avid Life somewhere in their sender name, perhaps to make the emails look more believable. (As a result, the domains used in these addresses are easy to spot and are quickly being taken down.)
Figure 1. Blackmail message
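The traits described above (a lure name in the sender display name, a Bitcoin demand, a threat to notify friends and family) can be combined into a simple mail-triage check. This is an added example, not code from the original post; the regular expressions, the two-signal threshold, the `triage` function name and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Names the article reports seeing in sender display names.
LURE_NAMES = ("ashley madison", "avid life")
# Assumption: any mention of Bitcoin/BTC in the body counts as a payment signal.
PAYMENT = re.compile(r"\b(?:btc|bitcoins?)\b", re.I)
# Assumption: threat wording modelled on "friends and family would be notified".
THREAT = re.compile(r"\b(?:friends|family)\b[^.]*\bnotif\w+", re.I)

def triage(raw_message: str) -> dict:
    """Score one RFC 5322 message; two or more signals flags it for review."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = msg["From"]
    addresses = sender.addresses if sender is not None else ()
    # policy.default has already decoded RFC 2047 encoded-words in the name.
    display_name = addresses[0].display_name.lower() if addresses else ""
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    signals = {
        "lure_in_sender_name": any(n in display_name for n in LURE_NAMES),
        "payment_demand": bool(PAYMENT.search(body)),
        "disclosure_threat": bool(THREAT.search(body)),
    }
    return {"signals": signals, "flagged": sum(signals.values()) >= 2}

# Constructed sample messages (not taken from the article's screenshots).
BLACKMAIL = (
    "From: Ashley Madison Notice <notice@mail.example.test>\n"
    "Subject: Your account\n\n"
    "Send 1 BTC to [constructed placeholder] or your friends and family "
    "will be notified.\n"
)
ENCODED_SENDER = (
    "From: =?utf-8?q?Avid_Life_Media?= <billing@mail.example.test>\n"
    "Subject: Final notice\n\n"
    "Pay 0.5 bitcoin within 7 days.\n"
)
NEWSLETTER = (
    "From: Finance Weekly <news@newsletter.example.test>\n"
    "Subject: Market summary\n\n"
    "Bitcoin traded near 230 US dollars this week.\n"
)

if __name__ == "__main__":
    for label, raw in (("blackmail", BLACKMAIL), ("encoded", ENCODED_SENDER),
                       ("newsletter", NEWSLETTER)):
        print(label, triage(raw))
```

Requiring two signals keeps a newsletter that merely mentions Bitcoin out of the review queue, while a sender name hidden in an encoded-word header is still matched.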
Other variants pretended to be from the Impact Team and “offered” the user the chance to remove their info from a putative third leak of Ashley Madison data for a similar amount:
Figure 2. Message supposedly from Impact Team
Some variants are trying to “raise money” by pretending to be lawyers preparing a class-action lawsuit against the company, and asking would-be “victims” for money:
Figure 3. Message related to a class-action lawsuit
What advice do we have for users who receive these emails? Obviously, the first bit of advice is: don’t pay any money. These scammers are monetizing fear by playing with psychology: users will want to keep this type of behavior secret. While affected users might be tempted to pay, the stolen information is already out there and can’t be deleted. We would also point out that not all “members” signed up voluntarily: anyone could sign up anybody for an account without their knowledge.
We will continue to be on the lookout for any more threats to come out of this event.
With analysis and information from Jon Oliver and Ryan Flores.