Ashley Madison data breach fuels new cyber extortion schemes

Ashley Madison data breach fuels new cyber extortion schemes | Insurance Business

Years after the massive data breach suffered by the infamous dating website Ashley Madison, a new extortion scam targeting users of the dating service has surfaced.

In July 2015, a group of hackers identifying themselves as The Impact Team gained access to the databases of Ashley Madison, stealing the sensitive information, nude photographs, and credit card details of 37 million users.

Nearly five years later, email security company Vade Secure found that several Ashley Madison users had received an email from anonymous senders threatening to share their account details, along with other embarrassing information, with the users’ family and friends. The emails demanded that, in exchange for not sharing the details, the users pay a ransom in Bitcoin equivalent to about $1,059.

In a blog post, Vade Secure reported that the emails are “highly personalized” with information from the Ashley Madison data breach. The subject line of the emails contains the target’s name and bank, while the body of the message includes details such as the user’s bank account number, telephone number, address, and birthday, as well as Ashley Madison-specific details – sign-up date, answers to security questions, and even references to past purchases made on the website.

The sender’s financial demands are not found anywhere within the email’s body. Instead, they are located inside an attached PDF that is password-protected. This roundabout approach prevents the email from being caught by email filters. The PDF also contains more details from the breach as proof, and sets a deadline of six days after the email was sent before the sender leaks the dating website info to the victims’ family and friends through either social media or email.
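Mail gateways can narrow this gap by flagging PDF attachments they cannot open. The following is an added example, not code from Vade Secure or the original article: a Python heuristic that looks for the `/Encrypt` key a password-protected PDF carries in its trailer. The sample messages, addresses and function names are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# An encrypted PDF references its encryption dictionary through an /Encrypt
# entry in the trailer (or cross-reference stream) dictionary, which is stored
# in the clear, so a byte search finds it without knowing the password.
ENCRYPT_KEY = re.compile(rb"/Encrypt\b")


def is_encrypted_pdf(data: bytes) -> bool:
    """Heuristic: PDF header near the start plus an /Encrypt key anywhere."""
    return b"%PDF-" in data[:1024] and ENCRYPT_KEY.search(data) is not None


def encrypted_pdf_attachments(raw_message: bytes) -> list[str]:
    """Return filenames of PDF parts whose content a scanner cannot read."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        if is_encrypted_pdf(data):
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged


# Constructed sample data (minimal PDF skeletons, not real documents).
PLAIN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
LOCKED_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"2 0 obj\n<< /Filter /Standard /V 2 /R 3 >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n")


def build_sample(pdf: bytes, filename: str) -> bytes:
    """Build a constructed message carrying one PDF attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See attached.")
    m.add_attachment(pdf, maintype="application", subtype="pdf", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for name, pdf in (("plain.pdf", PLAIN_PDF), ("locked.pdf", LOCKED_PDF)):
        print(name, encrypted_pdf_attachments(build_sample(pdf, name)))
```

Messages flagged this way can be quarantined or routed for manual review, since the attachment body is opaque to content inspection.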

“This Ashley Madison extortion scam is a good example that a data breach is never one and done,” Vade Secure warned in its blog post. “In addition to being sold on the dark web, leaked data is almost always used to launch additional email-based attacks, including phishing and scams such as this one.”