Dear Ashley Madison user, I know everything about you. Pay up or else

Four years after hackers dumped the intimate details of 32 million Ashley Madison subscribers, criminals have revived an extortion scheme that targets people who used the dating website to cheat on their partners.

In the past two weeks, researchers have detected “several hundred” emails that threaten to air those intimate details to the world unless the former subscribers pay a hefty fee.

“I know everything about you,” one of the emails, dated January 15, says. “I even know that you ordered some … let’s call them ‘male assistance products’ online on 12/11/2018 using your account at Bank of America N,a routing# 121000358 account# [redacted] for $75 for mailing to [redacted] CA [redacted]!” The extortionist goes on to say: “If you do not act very fast your full AMadison profile and proof of it will be shared with friends, family, and online over social media—and of course your internet orders.”

Here are three of the emails, along with a PDF that was attached to one of them.

The new run underscores the permanence of data published in the Internet age and the damage that comes when that data includes personal information. As observed in a post published on Friday by Vade Security, a service that helps detect spam and malicious email:

“This Ashley Madison extortion scam is a good example that a data breach is never one and done. In addition to being sold on the dark web, leaked data is almost always used to launch additional email-based attacks, including phishing and scams such as this one. Seeing that there were more than 5,183 data breaches reported in the first nine months of 2019, exposing 7.9 billion records, we expect to see a lot more of this technique in 2020.”

To bypass spam and malicious email filters, the extortion demand provides a passcode for a password-protected PDF attachment that specifies the price—a little more than $900 in bitcoin—along with a wallet address. The PDF also recites a litany of other details contained in the user’s Ashley Madison profile including:

  • date of birth
  • sign-up date
  • user name
  • security answer
  • dates that specific private messages were sent
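
A filter-side check for the delivery pattern described above, as an added example that is not from the article or from Vade Security: it flags a message whose PDF attachment is encrypted while the body text supplies a passcode. The function names, the keyword pattern and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed keyword pattern: body text that hands the reader a secret.
PASSCODE_RE = re.compile(r"\b(?:pass\s?code|password)\b", re.I)

def pdf_is_encrypted(data: bytes) -> bool:
    """Heuristic: an encrypted PDF has an /Encrypt entry in its trailer
    (or xref-stream) dictionary. Hex-escaped names are not handled here."""
    return data.startswith(b"%PDF-") and b"/Encrypt" in data

def flag_message(raw: bytes) -> dict:
    """Report encrypted PDF attachments and whether the body supplies a passcode."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    locked = [
        part.get_filename()
        for part in msg.iter_attachments()
        if part.get_content_type() == "application/pdf"
        and pdf_is_encrypted(part.get_content())
    ]
    passcode_in_body = bool(PASSCODE_RE.search(text))
    return {
        "locked_pdfs": locked,
        "passcode_in_body": passcode_in_body,
        # The scanner cannot read the attachment, yet the reader is told how to.
        "suspicious": bool(locked) and passcode_in_body,
    }

def build_sample(encrypted: bool) -> bytes:
    """Constructed test message; addresses and PDF bytes are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "constructed sample"
    m.set_content("Details are in the attached file. Passcode: 0000")
    trailer = b"<< /Root 1 0 R /Encrypt 2 0 R >>" if encrypted else b"<< /Root 1 0 R >>"
    pdf = b"%PDF-1.4\ntrailer\n" + trailer + b"\n%%EOF\n"
    m.add_attachment(pdf, maintype="application", subtype="pdf",
                     filename="sample.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    print(flag_message(build_sample(encrypted=True)))
```

A hit is a reason to quarantine or route the message for review, since legitimate senders such as payroll or medical providers also mail password-protected PDFs.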

Vade Security researchers detected the email campaign a few weeks ago, according to Adrien Gendre, chief product officer at the company. In an email to Ars, he said researchers believe these extortion emails were part of a trial run and that a larger wave is likely to follow.

The emails revive an extortion campaign that started within days of the data going public. Around the same time, there were reports of two Ashley Madison members dying by suicide after their data was included in the dump.

The emails targeting Ashley Madison users are part of a broader wave of so-called sextortion demands that threaten to air embarrassing secrets unless recipients pay a ransom. In more recent cases, the emails include a password taken in an unrelated website breach that contained the recipient’s personal information. The password is designed to add credibility to the claim that the recipient’s security has been compromised.

The first indication of the Ashley Madison hack came in July 2015 when site employees turned on their computers and heard them blaring the AC/DC song Thunderstruck. A message displayed on employees’ screens informed them of the hack and threatened to release email addresses, credit-card data, and other subscriber information unless executives immediately and permanently took down the Ashley Madison website.

A week later, after Ashley Madison failed to comply, people identifying themselves as members of a group calling itself Impact Team released details for two Ashley Madison members. The full outing—including, among other things, years’ worth of credit card details, members’ names, addresses, sexual proclivities, and direct messages—occurred a month later.

Despite the damage done to millions of users and years of unfavorable news coverage that resulted, Ashley Madison continues to operate and even thrive by some accounts. According to a 2018 report from auditors Ernst & Young, there were 472,752 new Ashley Madison accounts registered monthly that year. A report published a year later said new registrations for 2018 totaled 5.3 million, and on average there were 442,449 new Ashley Madison accounts registered each month. In this post, Ashley Madison claims to have 60 million members. The site’s tagline continues to be “Life is short. Have an affair.”