Blog

We recently uncovered messages that target Ashley Madison account holders directly. The sender is attempting to extort/blackmail the individual named in the message to the tune of about $450(USD). The messages state that the sender will mail a letter outlining their activity on the Ashley Madison website to the individual’s home address unless they make a one-time payment to the attacker in the amount of 2 Bitcoins. The threats are backed up with what appears to be data stolen in the breach which include home address, last 4 digits of credit card data and transaction logs. The messages are signed “Impact Team” the same group responsible for the breach itself, though it would be impossible to substantiate that claim.
All indications are that the data used in the messages is in fact the real data stolen back in July of this year. We have been anticipating seeing these highly targeted attacks leveraged against the Ashley Madison users who had their data stolen in this breach. These messages might prove highly effective should they make it to the user’s inbox. I would be very surprised if the attacker would actually follow through on their threat, given that, mailing a letter would only leave a paper trail and would not benefit the attacker financially. We have seen malware posing as the Ashley Madison users list on the web already and expect this trend to continue. In addition, we expect to see other email variations aimed at the users list and messages targeting curious onlookers as well.