Almost five years after the Ashley Madison data breach, hundreds of the site’s affected users were targeted last week by a new extortion attack.
The 2015 data breach of the adultery website resulted in 32 million accounts being publicly dumped online, including victims’ names, passwords, phone numbers and credit card information. For up to a year after the hack, the affected users were hit with attacks ranging from credit card scams to spam emails.
Now, attackers are again exploiting the breached Ashley Madison data in new, highly personalized and targeted attacks. According to researchers at Vade Secure, extortionists are once again sending emails to affected Ashley Madison users.
Vade Secure has detected hundreds of examples of this extortion scam, primarily targeting users in the United States, Australia, and India. With more than 32 million accounts made public in the breach, that number is expected to rise.
Victims are receiving emails threatening to expose their Ashley Madison accounts and their embarrassing data to family and friends on social media and via email, unless they pay a Bitcoin ransom (around 0.1188 Bitcoin, or $1,059).
According to the researchers, these emails are highly personalized with information from the Ashley Madison breach. They include the impacted user’s name, bank account number, telephone number, address and birthday, as well as Ashley Madison site information such as the signup date and answers to security questions.
Besides the shame of having used an adultery website, the cybercriminals also leverage embarrassing previous purchases made by victims.
The emails sent by the attackers contain an attached, password-protected PDF, which includes details such as when the recipient signed up for the site, their user name, and even the interests they checked on the site when looking for an affair.
Notably, the ransom demand is included in the PDF rather than in the email body. The email itself acknowledges that this is done to avoid detection by email filters, many of which are unable to scan the contents of files and attachments.
The PDF file also includes a QR code, which victims who use a compatible mobile payment app can scan to make the payment.
The researchers state that the QR code is a common phishing technique used to avoid detection by URL scanning or sandboxing technologies. This is because email filters do not feature detection tools for QR codes.
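Because the filter cannot read inside a password-protected attachment, a mail gateway can at least flag that the attachment is unscannable. The following is an added example, not part of the original article or Vade Secure's tooling: a heuristic that looks for the unencrypted `/Encrypt` reference an encrypted PDF carries. The function names, addresses and PDF stubs are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# An encrypted PDF points to its encryption dictionary from the trailer (or
# cross-reference stream dictionary), and that reference is stored in the clear.
ENCRYPT_RE = re.compile(rb"/Encrypt\s*(\d+\s+\d+\s+R|<<)")

def is_encrypted_pdf(data):
    """Heuristic: PDF header near the start of the file plus an /Encrypt entry."""
    return b"%PDF-" in data[:1024] and bool(ENCRYPT_RE.search(data))

def unscannable_pdf_attachments(raw_email):
    """Return filenames of PDF attachments a filter cannot inspect without the password."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""  # None for nested multiparts
        if is_encrypted_pdf(payload):
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged

# Constructed stubs: only the structures the heuristic reads, not complete PDFs.
ENCRYPTED_STUB = (b"%PDF-1.6\n1 0 obj\n<< /Filter /Standard /V 2 /R 3 >>\nendobj\n"
                  b"trailer\n<< /Root 2 0 R /Encrypt 1 0 R >>\n%%EOF\n")
PLAIN_STUB = b"%PDF-1.6\ntrailer\n<< /Root 2 0 R >>\n%%EOF\n"

def build_sample(pdf_bytes, filename):
    """Build a constructed test email carrying one PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached document.")
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf",
                       filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, stub in (("locked.pdf", ENCRYPTED_STUB), ("plain.pdf", PLAIN_STUB)):
        print(name, unscannable_pdf_attachments(build_sample(stub, name)))
```

A hit means only that the content could not be inspected, so it is better used to quarantine or raise a message's risk score than as a verdict on its own.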
The email also sets a deadline: the Bitcoin payment must be received within six days of the email being sent to prevent the recipient’s Ashley Madison account data from being shared publicly.
The researchers believe that this kind of attack, in which cybercriminals use actual data from previous breaches in extortion scams, is a trend that will proliferate in 2020.
The Ashley Madison extortion scam is a perfect example that a data breach is never one and done. The leaked data is always used to launch additional email-based attacks, including phishing and scams.