Sextortion Scammers Tap Four-Year-Old Leak From Infidelity-Focused Dating Site
Organizations that suffer a data breach will often alert regulators and victims, restore systems and get back to business. But for individuals whose personal details were exposed, the impact of a data breach may last forever.
Witness the 2015 data breach of extramarital dating site Ashley Madison, perpetrated by a group calling itself the Impact Team, which leaked 30 GB of data about subscribers. Exposed information, comprising 36 million accounts, included customer names and email addresses, postal codes, GPS data and their dating preferences.
Divorce attorneys reportedly had a field day.
Now scammers are belatedly getting in on the action, according to Ed Hadley at email security firm Vade Secure. The company has been seeing new shakedown attempts that arrive via email and make reference to recipients’ Ashley Madison accounts and demand a ransom – payable in bitcoins – in exchange for not publicizing the information to others.
The Ashley Madison website in 2015
“The target receives an email threatening to share their Ashley Madison account, along with other embarrassing data, with family and friends on social media and via email,” Hadley says in a blog post.
One version of the note the firm has intercepted demanded a payment of 0.1188 BTC ($1,111) within six days of the email having been sent. “In the last week, Vade Secure has detected several hundred examples of this extortion scam, primarily targeting users in the United States, Australia and India,” Hadley says.
Redacted email to alleged Ashley Madison subscriber (Source: Vade Secure)
Sextortion, With an Extramarital Twist
Sextortion remains one of cybercrime’s oldest professions (see: Sextortion Scam Wields Stolen Passwords, Demands Bitcoins).
One variation of this scam that’s been making the rounds in recent years has featured emails that include a recipient’s password in the subject line and claim in the body of the message that the attacker intercepted the email when the victim was visiting an adult content site. Often, the blackmailer claims to have video both of what the recipient was watching on the site – “you have a nice taste lmao,” one shakedown note reads – and of the user via their webcam.
Excerpt from a sextortion campaign’s shakedown note, circa 2018 (Source: Barracuda Networks)
These personalized emails, however, are simply a scam facilitated by more than two decades’ worth of data breaches. Vast lists of email addresses – which function as an individual’s username for many sites and services – and associated passwords have leaked or been stolen from countless services.
As a result, scammers now have plenty of ammunition for attempting to convince individuals that they not only possess their old password, but also more incriminating evidence.
In the case of the Ashley Madison sextortion attack now making the rounds, however, this might actually be true. Vade Secure says victims receive an email that includes a password-protected PDF, which “includes additional info from the Ashley Madison data breach, including when the recipient signed up for the site, their username and even interests they checked on the site when seeking an affair.”
Thanks to the Ashley Madison breach and Impact Team leaking customer data, creating these types of shakedown emails requires nothing more sophisticated than some low-level mail merge work – plus, of course, a propensity to try and scam individuals out of bitcoins.
Again, it’s important to emphasize that although organizations suffer data breaches, victims are so often left to pick up the pieces, especially when their personal details get exposed.
Not so the corporate entity known as Ashley Madison, however, which has moved on. After a change in leadership, some frank conversations with regulators and settling a U.S. class-action lawsuit for $11.2 million, the dating website was not only back in business, but had reportedly received a boost from all of the publicity (see: Do Data Breaches Permanently Affect Business Reputations?).
Blackmail Works for Espionage Too
Ashley Madison may seem like the face of indiscretion – thanks to the breach, users of the service have left themselves open to blackmail, and not just from scammers wielding bulk emailing software.
But many other breaches, and not just of infidelity-focused dating sites, have put individuals at risk, and there’s nothing they could have done to prevent it.
For example, take the 2015 breach of the U.S. Office of Personnel Management. The breach exposed not only the name and personal details of millions of U.S. government employees and contractors, but also sensitive information from background checks designed to see if they could be trusted with access to classified information.
Published judgments from the Defense Department’s Defense Office of Hearings and Appeals offer insights into the types of information that would be contained in these background forms, including details of sexual behavior, extramarital affairs, alcohol problems and family disputes (see: Analysis: Why the OPM Breach Is So Bad).
Unlike Ashley Madison, stolen OPM details have never come to light. Many security experts suspect that the OPM breach was a Chinese intelligence operation designed to identify individuals who could be recruited or blackmailed to further Beijing’s aims.
“In espionage they talk about susceptibility and vulnerability as the two angles to explore for recruitment,” the operational security expert known as the Grugq said at the time. “China has all that data now.”
For victims of the OPM breach, as with Ashley Madison and countless other data breaches, the risk posed by their personal information now being at large will last forever.