Ashley Madison Data Breach Extortion Scam Targets Hundreds of Victims


Different data breaches have different consequences. If an internet discussion board is hacked, for example, the damage is usually limited to usernames, email addresses, and, in some cases, passwords. If an e-commerce website or a payment service provider is compromised, things could get a bit uglier because they store payment information. As quite a few people can testify, however, a successful attack on websites like Ashley Madison can be even more damaging.

Ashley Madison is an online dating service for people who want to have an affair, and as you probably know, it got hacked in 2015. Close to 10GB of sensitive data was leaked, and the effects on Ashley Madison's users were profound. Reputations and families were put in serious danger, and for some, the possibility of public shaming and embarrassment led to suicide.

Many came out unscathed, though, and moved on with their lives. They were probably hoping that the whole thing was behind them, but they recently found a batch of spam messages in their inboxes, which proved that this is not the case.

Five years on, cybercriminals are still trying to capitalize on the Ashley Madison hack

Last week, researchers from Vade Secure reported on a new spam campaign that was targeting victims of the Ashley Madison data breach. It's far from the usual affair. Unlike run-of-the-mill spray-and-pray campaigns that hit thousands or even millions of people, this time around, the attack is personalized for every single target and can be extremely destructive.

The spammers put the victim's Ashley Madison username in the subject of the email in order to attract their attention. The body of the message begins with the same username and the words "I know everything about you." Further down, spammers try to prove that this statement is true.

They add details stolen from Ashley Madison that include the victim's phone number, claimed date of birth, physical address, account creation date, and the IP address from which the account was created.

When Ashley Madison got hacked, the leaked data included, among other things, transaction details and bank account numbers, and sure enough, the emails also contain information on online purchases, which the victim probably prefers to keep private. It's difficult to say if this particular piece of information is coming from Ashley Madison, though. For all we know, in fact, it might not even be real. Vade posted a screenshot, in which the spammers show that they have details on an online order for "male assistance products" from late 2018 – more than three years after the Ashley Madison breach. The rest of the information in the email, however, is apparently completely legitimate, and you probably won't be too surprised to find out that the hackers are threatening to show it to the victim's friends and family.

Some crypto coins can stop this, of course. To ensure that the message gets past modern spam filters, the scammers opted not to include any payment demands in the body of the email. Instead, they attach a password-protected PDF file that contains all the instructions, including a QR code for extra convenience. This is a novel technique. The researchers did note that it's effective, though, which means that we'll likely see it in the future as well.
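A mail-triage check for the pattern described above, added here as an illustration and not taken from Vade Secure's report: it flags a message when a PDF attachment declares an `/Encrypt` dictionary (so its contents cannot be scanned) and the first word of the body also appears in the subject. The function names, the sample username and the `example.invalid` addresses are constructed for this example.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ENCRYPT_KEY = re.compile(rb"/Encrypt\b")  # trailer key present in password-protected PDFs
TOKEN = re.compile(r"[\w.-]+")

def encrypted_pdfs(msg):
    """Names of PDF attachments that declare an /Encrypt dictionary."""
    names = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        is_pdf = part.get_content_type() == "application/pdf" or data.startswith(b"%PDF-")
        if is_pdf and ENCRYPT_KEY.search(data):
            names.append(part.get_filename() or "(unnamed)")
    return names

def triage(raw):
    """Heuristic signals only; a hit means 'hold for review', not 'confirmed scam'."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    first = TOKEN.match(text.lstrip())
    subject_tokens = {t.lower() for t in TOKEN.findall(msg["Subject"] or "")}
    personalised = bool(first) and first.group().lower() in subject_tokens
    pdfs = encrypted_pdfs(msg)
    return {"encrypted_pdfs": pdfs,
            "subject_token_opens_body": personalised,
            "hold": bool(pdfs) and personalised}

def build_sample(encrypted):
    """Constructed message; the attachment is a stub, not a complete PDF."""
    m = EmailMessage()
    m["Subject"] = "jdoe_constructed"
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m.set_content("jdoe_constructed, I know everything about you.\n")
    trailer = b"trailer\n<< /Root 1 0 R"
    trailer += b" /Encrypt 2 0 R" if encrypted else b""
    m.add_attachment(b"%PDF-1.4\n" + trailer + b" >>\n%%EOF\n",
                     maintype="application", subtype="pdf", filename="sample.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(encrypted=True)))
```

Because the body of such a message carries no payment demand, the two structural signals matter more here than keyword matching on the text.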

A sextortion scam with a twist

The current campaign is reminiscent of a specific type of sextortion scam that became extremely popular with cybercriminals in the summer of 2018. Back then, the spammers were trying to blackmail victims by threatening to leak embarrassing footage, which had been recorded through the victim's allegedly hacked web camera. Few people would fall for these claims, however, which is why the spammers also included one of the user's passwords in the emails. They were getting the passwords from online databases that had been leaked during unrelated data breaches, and for the most part, the credentials were old and no longer valid. Nevertheless, the scammers believed that they would trick the victims into thinking that their laptops had really been hacked and thus proceed with the payment.

Fundamentally, the principle is the same here. The hackers claim that they're about to leak some damaging information about their victims, and only a ransom can stop this from happening. The difference is, however, that the videos from the old sextortion scams are not real, whereas the leaked Ashley Madison details are.

February 5, 2020
