People who cheat on their partners are always open to extortion by the parties involved. But when the personal details of millions of cheaters get posted online for anyone to download — as is the case with the recent hack of infidelity hookup site AshleyMadison.com — random blackmailers are bound to pounce on the opportunity.
According to security firms and to a review of several emails shared with this author, extortionists already see easy pickings in the leaked AshleyMadison user database.
Earlier today I heard from Rick Romero, the information technology manager at VF IT Services, an email provider based in Milwaukee. Romero said he’s been building spam filters to block outgoing extortion attempts against others from rogue users of his email service. Here’s one that he blocked this morning (I added a link to the bitcoin address in the message, which shows nobody has paid into this particular wallet yet):
Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.
If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value $225 USD) to the following address:
1B8eH7HR87vbVbMzX4gk9nYyus3KnXs4Ez [link added]
Sending the wrong amount means I won’t know it’s you who paid.
You have 7 days from receipt of this email to send the BTC [bitcoins]. If you need help locating a place to purchase BTC, you can start here…..
The individual who received that extortion attempt — an AshleyMadison user who agreed to speak about the attack on condition that only his first name be used — said he’s “loosely concerned” about future extortion attacks, but not about this one in particular.
“If I put myself in [the extortionist’s] shoes, the likelihood of them disclosing stuff doesn’t increase their chance of getting money,” said Mac. “I’m just not going to respond.”
Mac says he’s more worried about targeted extortion attacks. A few years ago, he met a woman via AshleyMadison and connected both physically and emotionally with the woman, who is married and has children. A father of several children who’s been married for more than 10 years, Mac said his life would be “incredibly disrupted” if extortionists made good on their threats.
Mac said he used a prepaid card to pay for his subscription at AshleyMadison.com, but that the billing address for the prepaid ties back to his home address.
“So they have my home billing address and first and last name, so it would be relatively easy for them to get my home records and figure out who I am,” Mac said. “I’ll accept the consequences if this does get disclosed, but obviously I’d rather not have that happen because my wife and I are both very happy in our marriage.”
Unfortunately, extortion attempts like the one against Mac are likely to increase in number, sophistication and targeting, says Tom Kellerman, chief cybersecurity officer at Trend Micro.
Kellerman is convinced we’ll see criminals leveraging the AshleyMadison data to conduct spear-phishing attacks aimed at delivering malicious software such as ransomware, a different type of extortion threat that locks the victim’s most treasured files with a secret encryption key unless and until the victim pays a ransom (also in Bitcoins).
“There is going to be a dramatic crime wave of these types of virtual shakedowns, and they’ll evolve into spear-phishing campaigns that leverage crypto malware,” Kellerman said. “The same criminals who enjoy deploying ransomware would love to use this data.”
The leaked AshleyMadison data could also be useful for extorting U.S. military personnel and potentially stealing U.S. government secrets, experts fear. Some 15,000 email addresses ending in dot-mil (the top-level domain for the U.S. military) were included in the leaked AshleyMadison database, and this has top military officials just a tad concerned.
According to The Hill, the U.S. Defense Secretary Ash Carter said in his daily briefing Thursday that the DoD is investigating the leak.
“I’m aware of it, of course it’s an issue, because conduct is very important,” Carter told reporters at the briefing, The Hill reported. The publication notes that adultery in the military is a prosecutable offense under Article 134 of the Uniform Code of Military Justice. Maximum punishment includes dishonorable discharge, forfeiture of all pay and allowances, and confinement for one year. As such, Carter told reporters that service members found to have used adultery website Ashley Madison could face disciplinary action.
Kellerman said attacks against military personnel who used AshleyMadison may well target spouses of people whose information is included in the database — all in a bid to infect the spouse as a way to eventually steal information from the real target (the cheating military husband or wife).
“Something must already be going on for [the Secretary of Defense] to actually have a press conference on that,” Kellerman said. “We may actually see spear-phishing campaigns against spouses of individuals who are involved in this, attacks that say, ‘Hey, your wife or husband was involved in this site, do you want to see proof of that?’”
And the proof, in this scenario, would be a booby-trapped attachment that deploys spyware or malware.
Mac, who’s not a military man, says he doesn’t regret the affair he had via AshleyMadison; his only regret is not finding a way to keep his home address out of his records on the site.
“I regret using my home address and some of my personal information that AshleyMadison didn’t take as good care of as they should have,” he said. “But I really, I’m mad these hackers feel it’s so important to force the hand of people that have a different outlook on life.”
The AshleyMadison data is leaked on various sites, but the data itself is not easily searchable by folks who aren’t familiar with raw database files. However, several sites have since popped up that allow anyone to search by email address to find if that address had an account at AshleyMadison.com. True, AshleyMadison.com did not always verify email addresses, but some of these AshleyMadison search services coming online will indicate whether the associated email address also has a payment record — a marker which could be useful to extortionists.