AshleyMadison Hack Demonstrates Power of Scam Artists

By on Aug 26, 2015

This blog post was written by Armando Rodriguez.

Last month, cybersecurity journalist Brian Krebs broke the news that adult site AshleyMadison.com was hacked. This breach risked the exposure of 32 million users’ personal information, including email addresses, physical addresses, and credit card information. It comes as no surprise that this news made headlines immediately and the resulting aftermath has kept it in the news almost every day since then.

Spammers have a history of using current events to their advantage and the Ashley Madison scandal is ripe for such exploitation. Based on our tracking of spam emails designed to exploit its customers, McAfee Messaging Security Team has put together a list of samples seen in the wild.

Sample email subjects:

  • Ashley Madison hacked, is your spouse cheating?
  • Ashley Madison records leak
  • Hacked: Emails by Ashley Madison
  • How to Check if You Were Exposed in Ashley Madison Hack
  • How to search the Ashley Madison leak

Sample “From” addresses, mostly spoofing news outlets to dupe readers into believing the sources are legitimate:

  • “Ashley Madison Alert” <info@baizetwit.com>
  • “CNN News” <info@baizetwit.com>
  • “CBS News” <info@baizetwit.com>
  • “Fox News” <info@baizetwit.com>

Upon opening the spam, a user sees this:

20150825 Ashley 1.jpg

 

The link embedded in the samples follow this pattern:

hxxp://mx7c68.baizetwit.com/random_string/random_string/random_string

The URL redirects to the following link, which appears to deny connections from security vendor IP space:

20150825 Ashley 2.jpg

By using a free web proxy, we can follow the campaign through to the next layer of redirection:

20150825 Ashley 3.jpg

The preceding .html document contains an HTTP refresh to accomplish the final layer of redirection, ultimately leading to a “gaming wonderland” toolbar download:

20150825 Ashley 4.jpg

At this point, when the user installs the toolbar, the spammer monetizes his or her efforts through an affiliate program:

20150825 Ashley 5.jpg

We also identified a second spam campaign leveraging a more direct approach to monetizing the stolen data. In this case, spammers have created several look-alike domains to increase the perception of legitimacy. WHOIS lookups confirm that either the domains do not exist or were created on or after August 23.

Here are a few observed sending addresses:

  • bounce@ashleymadisondata.co.uk
  • bounce@ashleymadisondata.info
  • bounce@ashleymadisonnews.net
  • bounce@ashleymadisonteam.com

Sample subjects associated with this campaign:

  • Your Ashley Madison Account
  • Your Ashley Madison Profile
  • Ashley Madison

With this variant, there is no convoluted trail of web links to monetize the topic matter. Instead, we see a clear attempt at extortion, threatening to notify friends and family of the Ashley Madison account holder unless funds are paid into a Bitcoin account. Here is the text contained within the email:

Your data was leaked in the recent leaking of Ashley Madison and I now have your information. I have also used your info to find your Facebook page, using this I now have a direct line to contact all your friends and family.

If you would like to stop me from sharing this dirt with all of your known friends and family (and perhaps even your employers too?) then you need to send exactly 1.05 bitcoins to the following BTC address.

Bitcoin Address:
112ZTAjYSBqgppj1HB5ewFsHp4ZXXXXXXXX

You may be wondering why should you and what will prevent other people from doing the same, in short you now know to change your privacy settings on Facebook so no one can view your friends/family list. So go ahead and
update that now (I have a copy if you don’t pay) to stop any future e-mails like this.

You can buy Bitcoin’s using online exchanges easily. If the Bitcoin is not paid within 3 days of 23 – August – 2015 then my system will automatically message all your friends and family. The bitcoin address is unique to YOU.

Consider how expensive a divorce lawyer is. If you are no longer in a committed relationship then think about how this will affect your social standing amongst family and friends. What will your friends and family think about you?

Sincerely,
Duran

With both campaigns, no evidence was found indicating  recipients were targeted by leaked data, so the risk is not limited to Ashley Madison clientele. Our research indicates that even the idly curious are at risk. Spammers have a history of using current events to motivate victims to divulge personal information they shouldn’t, visit a risky website, and even unwittingly install a virus. Just as scam artists have taken advantage of natural disasters to dupe people into giving money to them, scammers are taking advantage of this social turmoil as well.

McAfee customers are protected from these threats. Anyone who sees one of these campaigns in his or her inbox should submit the email to the IT help desk for analysis and delete the message before curiosity wins out over suspicion.

About the Author

McAfee

McAfee is the device-to-cloud cybersecurity company. Inspired by the power of working together, McAfee creates business and consumer solutions that make our world a safer place. Take a look at our latest blogs.

Read more posts from McAfee

  1. The redirect Spam is kinda lame, but the second one… it's both horrifying and genius. With 35 millions of leaked emails – the chance to hit a real user is pretty good, and this is if they didn't got the e-mails from the link (in which case they could target them 100%). I believe many were gotten by this one, as a cheater is usually with guilty consciousness.

Subscribe to McAfee Securing Tomorrow Blogs