Ashley Madison still a top lure for scammers and crooks

The Ashley Madison breach is an early Christmas for spammers and scammers

The Ashley Madison breach has been a Christmas-in-August present for spammers and scammers of all kinds, and your company could be the next target.

Here are some scams to watch out for.


There is a significant amount of spam related to the Ashley Madison attack.

According to Trend Micro, the most recent Ashley Madison-related phishing campaign offers a link to the "Ashley Madison Client List" but instead infects the user's computer with banking malware, or locks up files until the user pays one Bitcoin, or approximately $235.

"Companies should block all Ashley Madison related emails at the email gateway and use URL filtering for all inbound emails for those bulletproof hosts which are disseminating this crimewave," said Tom Kellermann, chief cybersecurity officer at Irving, Tex.-based Trend Micro Inc.

"The Ashley Madison episode provides such good phishing bait that the emails are going to be almost irresistible," said David Gibson, VP of Marketing at New York-based Varonis Systems, Inc. "It is a foregone conclusion that people will be seduced into opening these emails and clicking on links claiming to be about Ashley Madison victims."

Companies should step up protections of user accounts, workstations, and sensitive data stores, he said.

KnowBe4 recently sent out a simulated Ashley Madison phishing email -- and got a 4.2 percent average click rate.

"Anyone will be tempted to find out if their spouse is on the Ashley Madison list," said Stu Sjouwerman, CEO at Clearwater, FL-based KnowBe4. "Employees need to be taught that their business email address is property of the company and they cannot use it for private endeavors."


The Ashley Madison hack doesn't just potentially expose user email addresses, but other personal information as well. Criminals can use this data, often in combination with other data sources, to create highly detailed profiles of your employees.

Then they can launch spearphishing campaigns -- very targeted attacks that use this personal information to trick employees into believing that the emails are legitimate. Spearphishing emails can also be combined with phone calls, snail mail, or other types of communications for extra credibility.

Spearphished employees can be manipulated into letting hackers into corporate networks, divulging proprietary data, or even sending large amounts of money to the crooks.


You've probably already checked to see whether any of your company's senior executives are in the Ashley Madison data dumps. You'd have to, to protect your company -- not out of any personal curiosity at all. Obviously.

But has everything come out that is going to come out?

"What’s more worrying is what they are not releasing and instead using as blackmail," said George Anderson, director of product marketing at Broomfield, CO-based Webroot Inc.

After all, criminals can't threaten to release data that's already been released.

So don't wait until you see senior executives start avoiding eye contact and collecting quantities of unmarked bills. Have a plan in place for what your company will do if an executive is targeted for extortion.

"This information is very useful for making people with high levels of authority be coerced into doing things they wouldn't normally do," said Casey Ellis, CEO at San Francisco-based Bugcrowd.

In fact, an executive doesn't even have to be a user of Ashley Madison to be a potential target.

"They only need to be convinced that others might believe they are," Ellis said. "Attackers are crafty like that."

Ellis recommends not only having a plan in place but discussing it ahead of time with the executive team.

And if there's a scandal brewing?

"My best piece of advice is to get ahead of the story," he said.

Even employees who used an alias for Ashley Madison might still be at risk if criminals are able to figure out who the account really belongs to, said Itay Glick, CEO at Sunnyvale, Calif.-based Votiro Inc.

Signing up for any shady site carries risks, experts say.

"In the case of Ashley Madison, members who fared the best resorted to one-off e-mail addresses that weren’t associated with their other contact information, and paid with untraceable pre-paid debit cards," said Nikki Parker, VP of Growth and Strategy at Sydney, Australia-based Covata Ltd.

Quick-fix scams

You'd think that everyone already knows that if something is online, it's there forever.

But "reputation repair" scammers are finding victims willing to pay money to have their names removed from the Ashley Madison lists, said Will Gragido, head of U.S. threat intelligence research at London-based Digital Shadows Ltd.

It's a scam because it's impossible to erase these names, he said.

"The breached data appeared in a number of locations and was shared and downloaded by many individuals and organizations for both noble and illicit purposes," he said.


But not all attackers are after money. Some just want to see you suffer.

"We’re seeing a new wave of ‘hacktivism’ where cyber criminals are trying to inflict brand and reputation damage, or promote social change," said Kevin Cunningham, president and founder at Austin-based SailPoint Technologies, Inc.

"Hacktivists" can expose the reputations of company employees to criticism.

And companies can suffer brand and financial damage, he added. "The embarrassment and notoriety for the enterprise are long term."

Stolen passwords

Okay, this one isn't actually a scam -- more a case of someone walking along, seeing your keys right there next to your car, and driving off with your vehicle.

If your employees used their work email addresses to log into Ashley Madison, and reused their work passwords, then you've got a problem.

"Based on reports, it appears that there are thousands of users who signed up using their company email address," said Jason Hart, vice president and CTO for data protection at Amsterdam-based Gemalto.

He hopes that these companies are using multi-factor authentication.

"I hate to kick the Ashley Madison users while they’re down, but it seems that the people who might have fallen for the Ashley Madison offer might also be the types who would use the same password on every site they signed into—including work," said Tom Pendergast, chief strategist for security, privacy and compliance at Bothell, Wash.-based MediaPro Holdings, LLC, a security awareness training company.

Enterprises that don't have multi-factor in place, or are only starting to roll it out, need to take other steps.

"Companies that find employee email addresses within this trove of information would be wise to require new passwords across all company services," said Adam McNeil, malware intelligence analyst at San Jose, Calif.-based Malwarebytes Corp.
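One way to do the first step of that advice, finding employee addresses in a dump and ordering the resets so accounts without multi-factor authentication go first. This is an added example, not code from the article or any vendor quoted in it; the domains, the directory format (address mapped to an MFA flag) and the plus-tag handling are assumptions, and the sample data is constructed.

```python
# Assumption: the company's mail domains (hypothetical values).
COMPANY_DOMAINS = {"example.com", "example.co.uk"}

def normalize(address):
    """Lowercase, trim, and drop any +tag so aliases map to one mailbox."""
    address = address.strip().lower()
    if address.count("@") != 1:
        return None  # not a usable address
    local, domain = address.split("@")
    local = local.split("+", 1)[0]  # assumption: mail system uses plus-addressing
    return f"{local}@{domain}" if local and domain else None

def is_company_address(address):
    """True for the company domains and any subdomain of them."""
    domain = address.split("@")[1]
    return any(domain == d or domain.endswith("." + d) for d in COMPANY_DOMAINS)

def reset_list(dump_addresses, directory):
    """Return (account, has_mfa) for exposed accounts, no-MFA accounts first."""
    exposed = set()
    for raw in dump_addresses:
        addr = normalize(raw)
        if addr and is_company_address(addr):
            exposed.add(addr)
    hits = [(addr, directory[addr]) for addr in exposed if addr in directory]
    # False sorts before True, so accounts without MFA come first.
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))

# Constructed sample data: addresses as they might appear in a dump,
# and a directory export mapping each live account to its MFA status.
SAMPLE_DUMP = [
    "Alice@Example.com", "bob+am@example.com", "carol@mail.example.co.uk",
    "dave@gmail.com", "not-an-address", "erin@notexample.com",
    "alice@example.com ",
]
SAMPLE_DIRECTORY = {
    "alice@example.com": True,
    "bob@example.com": False,
    "carol@mail.example.co.uk": False,
    "frank@example.com": False,
}

if __name__ == "__main__":
    for account, has_mfa in reset_list(SAMPLE_DUMP, SAMPLE_DIRECTORY):
        print(account, "MFA enrolled" if has_mfa else "NO MFA: reset first")
```

Every account on the returned list gets a forced reset; the ordering only decides who goes first.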

In addition, companies need to have training programs in place so that employees know not to reuse their work email accounts or passwords on other sites.

"An alarming majority of employees don't understand the security risks of their behavior," said Darren Guccione, CEO and Co-founder at Chicago-based Keeper Security, Inc.

Training programs should also include mock phishing campaigns, he added. "This is a true test of an employee's ability to spot a suspicious email," he said.
