Ashley Madison hack linked to suicide, spam, and public outrage towards members

The Ashley Madison hack remains in the news as the stop source for gossip, outrage, spam, and marketing

Last Tuesday, Impact Team, the group that claimed responsibility for the hack of Avid Life Media (ALM) in July, released the first of three different archives containing ALM data, including customer records, financial records, internal documents and records, source code, and the CEO's email spool.

ALM is the company behind the adult playgrounds of Ashley Madison, Cougar Life, and Established Men.

In July, Impact Team said the company profits on the pain of others, and warned that if Ashley Madison and Established Men were not taken offline, they would release the compromised records to the public. They made good on their promise, and the last seven days have been chaos.

A public hunt for high-profile people:

Jeff Ashton, the prosecutor during the Casey Anthony trial, admitted that he had an account on the affair website last week, and issued an apology to his wife and kids. He said he was curious and registered for a paid account to see how the site worked, but denied actually having an affair.

Josh Duggar, a reality TV star that was already in hot water over molestation charges from his teenage years, was also discovered among the ALM client lists. Duggar had paid for an "affair guarantee" on Ashley Madison. Once the story spread, he issued an apology that stated in part that he was the "biggest hypocrite ever." Duggar was known for promoting faith and family values.

Hamza Tzortzis, a well-known British Islamist preacher, was also found in the ALM client lists, but denied that he ever used the service. His claims have led some to speculate that he was one of several people who were found in the ALM client roster, but who were likely registered by other people.

Ashley Madison only verified paid subscriptions, but anyone was able to register on the website with whatever information they provided. However, critics pointed out that Tzortzis' financial details were also in the leak, calling his public response on the matter into question.

An interesting aside in all of this mess, more of a personal observation really, is that on one hand, there are privacy advocates promoting the hunt for high-profile individuals – while seemingly ignoring the fact that 37 million people had their privacy violated last week. Does the right to privacy go away if someone cheats on their spouse?

A brief statement:

In a statement, Ashley Madison said that the complete wreaking of the company by Impact Team isn't an "act of hacktivism, it is an act of criminality."

"It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society."

The company has since stopped claiming that the data released by Impact Team was false, or otherwise forged.

Spammers hijacking Ashley Madison suicide discussions on social media:

Over the weekend, spammers started hijacking conversations on social media by promoting a number of bogus links. Some of them lead to questionable destinations.

While a malware attack hasn't been confirmed, many of the links tested by Salted Hash routed through several locations before landing on the final page, an affiliate link used to promote books on Amazon. The books themselves are guides and self-help publications geared towards online anonymity. There were also keyword-based items using "Ashley Madison" and offers for romance novels.

On Twitter, many of the profiles promoting the questionable links appear to be bots that are triggered by the phrase "Ashley Madison Suicide" and are using the dlvr.it URL shortening service. Some are recycling the links through Tumblr as well.

The topic is centered on reports that emerged late last week. The story is that a San Antonio city employee took their own life after their data was discovered in the Ashley Madison client list. However, this story hasn't been fully confirmed.

The facts are that three San Antonio email addresses were found among the 37 million profiles leaked, and a city worker in San Antonio committed suicide last week. The city hasn't commented on any connection, assuming one exists.

However, if you know your data is in the Ashley Madison archives and you feel suicidal, take a moment and talk to someone. The National Suicide Prevention Lifeline (800-273-8255) is staffed 24-7. There's also a website: http://www.suicidepreventionlifeline.org/

Investigation firm uses Ashley Madison fears to drum up business:

Trustify, a company that connects people to private investigators, is using the Ashley Madison incident as a marketing tool.

Late last week on Reddit, a user posted an email from the company, which informed them that they, or someone they know, "recently used our search tool to see if your email address was compromised in the Ashley Madison leak, and we confirmed that your details were exposed."

"There are ways to hide the exposed details, but first you need to see what information can be found across the web. Talk with our experienced investigative consultants to learn how you can find out what incriminating information is available and could ruin your life," the email continued.

Online, after using the Trustify search tool, users will also see the following:

"Because you’ve been exposed, you need to know exactly what kind of information is out there. This kind of information can affect your job, love life, mortgages, and anything else where a background check is required. However, to truly understand the extent of how much damaging information is accessible about you online, you need an expert who knows where to look and has access to special databases unavailable to the general public."

Users on Reddit and those commenting in other places, state that the company is promoting ambulance-chasing FUD, but it isn't clear if there have been any sales as a direct result of the search to marketing program.

The company posted a blog in an attempt to explain what they've done, but despite their excuses, it was made clear that "business is booming."

They also attempted to distance themselves from the ambulance-chasing argument:

"Before the Ashley Madison data was published on August 18, we were receiving a lot of requests in cheating investigations about it. People wanted to know if their spouse had an account, and was using the site to cheat. We weren’t able to answer that question for our customers before. We owe it to our customers to make the data available to them, if they ask."

Ashley Madison hackers admit to using valid processor credentials to obtain credit card data:

During an email exchange with Motherboard, Impact Team made an interesting admission concerning the financial data from ALM that was leaked to the public:

"They said they don't store CC [credit card information]. Sure, they don't store email either; they just log in every day to server and read. They had password to CC processor. We dumped from CC processor... They have payment processors. The payment processors store most of the credit card number and billing address. Like how Gmail stores their email. They can log in and look up transactions."

The first question that comes to mind is the name of the credit card processor. Who was compromised, and did the ALM account used expose other records or accounts due to a vulnerability of some kind on the processor's back-end?

Is there a PCI issue? Vinny Troia, Director of security and risk consulting for McGladery, said that if Impact Team got the card data out of the card processor, the situation would then fall under one of the grey areas of PCI.

"Whose responsibility was it?" he questioned.

"PCI requires that someone review all access to card data at least daily. So if someone pulled a report that had every user's card number in it, someone [at ALM] should have gotten an alert that it happened," Troia explained.

"The grey part would be if it was the [ALM] employee's responsibility to review that report and respond, or was it the card processors responsibility? Truthfully it is a bit of both, but I am sure that the card processor will be able to say they have no knowledge of [ALM’s] business practices, and wouldn’t know which reports were standard course of business and which were suspicious, so that will likely land on [ALM]."

A self-assessment form completed by ALM’s vice president and general counsel, Avi Weisman, noted that compliance issues were a concern of his. The assessment document was leaked by Impact Team last week.

In the form, when asked to describe what areas where failure to perform would hurt the most, Weisman said:

"Voids in understanding compliance and regulatory legal requirements in countries we operate in or are going to operate in. Anytime we have an issue with a regulator/government/legal or administrative body takes time, lobbying, resources, expertise, cost, etc..."

The follow-up question spoke to areas where he'd hate to see something go wrong, to which Weisman listed service availability issues, such as hacking or operational issues, as a concern, but also singled out "legal mishaps where we need to involve regulators, law enforcement, etc..."

Weisman also listed ongoing litigation as a concern, in the event he was removed from the world with no access to the company for three months. His concern in justified, as ALM is facing a $578 million class-action lawsuit due to the data breach.

Join the CSO newsletter!

Error: Please check your email address.

More about AvidCougarTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Steve Ragan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place