Victims of the Ashley Madison data breach are again under attack, this time via email.
In 2015, ‘Impact Team’ dumped 32 million Ashley Madison users’ personal information, credit card and payment details, passwords, security question answers and ‘preferences’ on the dark web, after Avid Life Media refused to take the site and ‘Established Men’ down.
Now, almost five years later, scammers are abusing that information to extort Bitcoin from those users.
Recently, targets have received “highly personalised” emails telling them to pay a ransom within six days of the email send date, or have their Ashley Madison account and other embarrassing details sent to family and friends via social media and email, Ed Hadley, Senior Director, North American Marketing at Vade Secure, the company that discovered the scam, said in a blog post.
Notably, the ransom demands are written in a password-protected PDF document, rather than the email body, to prevent detection by email filters, Hadley said.
These PDFs also include QR codes, which can evade detection by URL scanners and sandboxing technologies, the email security firm added.
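As an added illustration (not from Vade Secure or the original article), the Python below shows one way a mail gateway could flag PDF attachments its content scanners cannot read, by looking for the `/Encrypt` entry that password-protected PDFs carry. The function names and the sample messages are constructed for this example, and the check is a triage heuristic, not a full PDF parser.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# A password-protected PDF references its encryption dictionary through an
# /Encrypt key in the trailer (or cross-reference stream dictionary), which
# stays in plain text. The delimiter check avoids matching longer names.
ENCRYPT_KEY = re.compile(rb"/Encrypt[\s/<\[0-9]")


def encrypted_pdf_attachments(raw_message: bytes) -> list[str]:
    """Return filenames of PDF attachments whose content cannot be scanned."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Trust the magic bytes, not the declared MIME type or extension.
        if b"%PDF-" not in data[:1024]:
            continue
        if ENCRYPT_KEY.search(data):
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged


def sample_message(pdf: bytes, name: str) -> bytes:
    """Build a constructed test email carrying one PDF attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename=name)
    return msg.as_bytes()


# Constructed PDF skeletons (not real samples); only the trailer differs.
PLAIN_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
LOCKED_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for name, pdf in (("invoice.pdf", PLAIN_PDF), ("notice.pdf", LOCKED_PDF)):
        hits = encrypted_pdf_attachments(sample_message(pdf, name))
        print(name, "->", "quarantine for review" if hits else "scan normally")
```

A flagged attachment is a signal that content inspection was bypassed, not proof of malice, so it is best combined with other indicators such as sender reputation before a message is quarantined.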
The scam mirrors ‘sextortion scams’ which have been ongoing since July 2018, the blog post read.
“Like this attack, sextortion uses breached data (typically an old password) to personalize the messages and convince targets of the legitimacy of the threat. Moreover, while they initially included Bitcoin URLs, sextortion has evolved to include QR codes and even a single image (a screenshot of the plain text email itself) to avoid detection by email filters.”
Already, the company has “detected several hundred examples of this extortion scam, primarily targeting users in the United States, Australia, and India”, with “many more” expected in coming weeks. It also believes the threat will “evolve in response to tweaks by email security vendors”.
With over 5183 data breaches reported in the first nine months of last year exposing 7.9 billion records, Vade Secure expects to see “a lot more” personalised email scams in 2020.
End users should be educated about “the need for strong passwords, good digital hygiene, and ongoing security awareness training”, Hadley warned.