And so it has begun.
Less than a week after hackers behind the Ashley Madison hack released some 30-40 million member records to the greater public, bad actors with a preference for extortion have started attempting to blackmail users for Bitcoin.
According to KrebsonSecurity who broke the original hacking story, blackmailers are sending emails to users of the site saying that they will not expose their membership of the extra-marital affairs site in return for a specific Bitcoin payment, usually 1 Bitcoin plus a fraction of a Bitcoin, with the fraction acting as the identifier as to who was paying to not be exposed by the particular blackmailer.
One such email reads:
Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.
If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value $225 USD) to the following address:
Sending the wrong amount means I won’t know it’s you who paid.
You have 7 days from receipt of this email to send the BTC [bitcoins]. If you need help locating a place to purchase BTC, you can start here…..
At least in the case of the blackmailer featured in the email, the address (linked above) shows that so far victims have not been taking the bait, with not even one full Bitcoin being paid to the linked wallet at any time during its history.
These early Blackmail attempts may be simply the tip of the iceberg, with Chief Cybersecurity Officer at Trend Micro Tom Kellerman saying that along with further blackmail attempts, criminals will leverage the Ashley Madison data to conduct spear-phishing attacks aimed at delivering malicious software such as ransomware,
“There is going to be a dramatic crime wave of these types of virtual shakedowns, and they’ll evolve into spear-phishing campaigns that leverage crypto malware,” Kellerman said. “The same criminals who enjoy deploying ransomware would love to use this data.”
Worse, at least from a national security perspective, is that criminals could also use the data to blackmail Government and military employees, a significant number of whom were stupid enough to use their work email addresses.
“Something must already be going on for [the Secretary of Defense] to actually have a press conference on that,” Kellerman added. “We may actually see spear-phishing campaigns against spouses of individuals who are involved in this, attacks that say, ‘Hey, your wife or husband was involved in this site, do you want to see proof of that?’”
Expect more news on Ashley Madison related blackmail and extortion attempts in the coming weeks and months.
Update: check here for details on how to search the Ashley Madison hacked/ leaked database online.