Ashley Madison: How criminals exploit stolen data


Ashley Madison Hack By Michael Shuff | 25 August 2015

 

A group calling themselves Impact Team is claiming they are behind a huge data leak – one that could turn out to be the most embarrassing ever for people who thought their private extra-marital affairs were, well, private. But what else can the bad guys do to hurt Ashley Madison users?

7Safe’s Cyber Security lead, Steve Bailey, advises on what criminals can do with the data appearing on the dark web

The Impact Team’s manifesto, which appeared online in July, claimed that they have taken over Avid Life Media's "entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases ...". Some of the details were reported in Online Cheating Site AshleyMadison Hacked, on the KrebsOnSecurity site.

The team responsible for the attack and the subsequent dumping of data for public consumption may include a former employee or contractor that "at least at one time had legitimate, inside access to the company's networks," Avid Life Media's CEO Noel Biderman told Brian Krebs. This group does not appear to have any connection to Anonymous or Lizard Squad and we don’t seem to know much about them – other than the fact that they have managed to worry millions of people who have at some time used the Ashley Madison site.

Whilst it is unclear how Impact Team managed to breach Ashley Madison’s security, it has been claimed that personal data, including email addresses, partial records of payment card numbers and even the users’ sexual preferences, was stored on the company’s systems unencrypted, in plain text. If this turns out to be the case, it would have made the hackers’ job a great deal easier.

Although 7Safe has not independently verified the authenticity of the data dump on the dark net, those who have investigated it so far have said it contains users' names, addresses, phone numbers, encrypted passwords, and 36 million email addresses. Online security magazine CSO is also reporting that the leak contains over 15,000 government or military email addresses (ending .mil or .gov).

Further information about what is included in the dump can be read in the BBC’s report:

Ashley Madison: What's in the leaked accounts data dump?

What was the likely motive for the attack?

In its manifesto, the group has claimed that "we have hacked them completely", saying that they take issue with what they call Avid Life Media's "fraud, deceit and stupidity" that, they allege, has resulted in the company making millions of dollars through fraudulent services, like offering users the ability to have their information permanently deleted from its system for a fee. Impact Team claims this service is "a complete lie", but Avid Life Media has defended it.

Q&A with Steve Bailey

How will criminals use the data that has been stolen from the Ashley Madison website and dumped on the dark web?

The data that has been taken and made publicly available will be added to the already significant pool of useful information used by those with malicious intent. Two of the main ways they will do this are by firing the log in credentials as is at many online services such as email to see if they can find sites where people have used the same log in name/password.

They will also use the information they have gathered to send out phishing emails in the hope that someone will click on their dodgy attachment or link. A good pretext for these is likely to be claims that the recipient’s data is contained in the attachment or at the link.

Could the data from Ashley Madison’s servers be enough to take over personal identities, in order to defraud members whose information has been exposed in the data dump?

The range of data that is believed to have been released could be used by identity thieves, most likely as validation to try to reset passwords or request replacement credit cards by amending personal data held by the card provider.

Could the data be used to target individuals or does it just have more generic use?

It depends what data appears in the dump. However, it is highly likely that there will be people who will take the time to go through the stolen data set to see if they can identify individuals they can target specifically for a spear phishing attack or to blackmail them.

Is everyone whose email address appears in the dump likely to be having an affair?

No... the fact that an email address appears in the breached data being exposed does not necessarily mean that the owner of that email address was using the site to seek out an extra-marital affair. One reason for this is that many of the accounts included are thought to be fake, possibly just there to boost the numbers of members being claimed. The company requires users to register with an email address, but does not require email verification, so all may not be what it seems at first sight. Also, there are likely to have been many single people using the website to find partners for no strings attached relationships.

Of course, it will still be embarrassing – and potentially damaging – for those who are named.

So what can you do if you are worried about your data being exposed in this or any other breach?

Use a site like https://haveibeenpwned.com/, which is currently showing 30,636,380 accounts hacked for the Ashley Madison breach alone. But remember, if you do find your partner’s email address there, it may not be as it seems.