Trouble is continuing to follow Ashley Madison users. When the self described cheating website was hacked early this year, by the Impact Team, roughly 37 million potential adulterers personal information was exposed.
Ashley Madison’s parent company, Avid Life Media, was originally given the opportunity, by the Impact Team, to pay what amounted to a ransom in the form of taking down both their Ashley Madison and Established Men websites, in order to not have their user’s information splashed all over the Internet. However they chose not to “pay” and now many of their users are paying a heavy price, but not necessarily in the way you might be imagining.
Oh I’m sure there are plenty of spouses who searched the indexed lists of email addresses sadly to find their husband’s name or email there. I leave out wives as, most of the actual users were men, 90-95%. As Impact Team wrote, “Keep in mind the site is a scam with thousands of fake female profiles… Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.”
Chances are that distinction doesn’t matter one bit, so now we enter onto the next phase, creative online criminals using the dumped data to extort money from users.
The story being played out over and over again goes something like this, you receive an email with the subject “You got busted.” First question, do you open it or delete it, well if you’ve got something to hide you probably open it.
The body of the message reads something like this:
Unfortunately your data was leaked in the recent hacking of Ashley Madison and I now have your information. I have also used your user profile to find your Facebook page, using this I can now message all of your friends and family members.
If you would like to prevent me from sharing this dirt with all of your known friends and family (and perhaps even your employers too?) then you need to send exactly 2 bitcoins to the following BTC address.
You can buy Bitcoins using online exchanges easily. If the Bitcoin is not paid within 3 days of (specific date) then my system will automaticaly message all your friends and family. The bitcoin address is unique to YOU.
Consider how expensive a divorce laywer is. If you are no longer in a committed relationship then think about how this will affect your social standing amongst family and friends. What will your friends and family think about you?
Will this threat of extortion work? In the words of Toshiro Nishimura a security researcher with Cloudmark, “this extortion campaign could have yielded a worthwhile sum for very little effort.”
Toshiro Nishimura did specific research on an email that was requesting 1.05 bitcoins in payment. Such a specific payment allowed for Nishimura to look for bitcoin transactions for only that amount to newly created Bitcoin wallets, what he and his researchers found shows the success of extortion schemes like this. “Specifically, we found 67 suspicious transactions totaling 70.35 BTC or approximately $15,814 USD within the time frame of approximately 4 days to (Bitcoin) addresses with no previous activity.”
Over $15k in 4 days and that’s just one of the groups or individuals who have taken the dumped data and are attempting to profit.
One thing not addressed by any study I’ve seen is the number of individuals who have received multiple extortion emails and how many of those made more than one payment to keep their infidelity / attempted infidelity secret.
Most experts agree that considering the number of users being contacted that the threat of exposure is very minimal. This is a tactic based solely on fear. These criminals are looking for those so afraid of being exposed that they will pay. Actually taking the time to research each potential victim’s social media information would take a lot longer than sending out the same email to millions of addresses and hoping that even a very small percentage pay.