Krebs on Security verified today that extortion attempts are being sent to persons who have been identified in dumped databases of this week’s leak of Ashley Madison user data. Unlike the speculative extortion risks discussed when the theft of the data first occurred, these latestest attempts have been verified as real. If you were an Ashley Madison user in July 15, 2015 when the database theft occurred, there is a good possibility that you are in the leaked database.
The risk of becoming a victim of extortion or other cybercrime has just become exponentially greater. A bulk email search service just became available, which claims to scan an entire inbox to report matches with Ashley Madison database users.
Krebs reports that an Internet service provider (ISP) is scanning and blocking incoming emails for spam containing extortion attempts. The letter, illustrated below, demands payment of approx. $225 in bitcoin, with a deadline of seven days.
Tom Kellerman, chief cybersecurity officer at Trend Micro, predicted in his interview with Krebs, that there “is going to be a dramatic crime wave of these types of virtual shakedowns.” Other types of cybercrime will be in the offing, he predicted, including installation of ransomware on victims’ systems.
Do they deserve it?
Blackmailers will blackmail, and instances of actual and planned attempts will begin to proliferate. Yesterday on Reddit a user posted that he wanted to “expose” a prominent politician in order to compel him to resign.
Continued from page 1
Another Reddit user also asks for advice whether it is wrong to expose persons whose information was leaked in Ashley Madison dump.
For every person asking about the legality or morality of extortion, on Reddit and countless other public forums, there are undoubtedly hundreds more who won’t bother to ask. They already know it is illegal and will do it anyway.
Extortion and privacy breach risks increase exponentially
Public websites abound into which you can enter email addresses to verify if they are contained in the Ashley Madison user data dump. Until today, they all appeared to require that email addresses be entered individually. That is a rather cumbersome process.
Today a new Ashley Madison email check service appeared on the scene. This new service will scan your entire Gmail inbox and report which of those mails were found in the Ashley Madison data dump. Most criminals who may be inclined to use the leaked database to commit extortion and other cybercrime probably have their own private bulk email checkers. However, this new facility opens a much broader public risk. It is inevitable that other such services, for bulk Gmail and other checks will be available soon.
What listservs have your email? Do you trust all of them? They can, in one action, check the entire listserv for matches.
Searching for individual emails is an obvious violation of privacy. Searching for batches of emails, even more so. The very exposure of the data in your possession to these unknown sites increases the risks to the individuals whose emails you expose to these sites.
Continued from page 2
You don’t know who is running these email check sites. They could be extortionists padding their coffers with new (not in the Ashley Madison database) potential victims of cybercrime. I sent an email to the individual running the bulk email check site, informing him I was researching the privacy implications. I received no answer, in the five hours that elapsed between sending the inquiry and preparing this article. This individual states that he will not use the information entered for illegitimate purposes. I was unable to confirm that.
Recommended by Forbes
I have not disclosed the site here, for the obvious reason of protecting against potential proliferation of privacy breaches and extortion and other cybercrime. But the public cannot rely on the impediment to misuse of the Ashley Madison data that the cumbersome individual check sites require.
The important caveat remains if you find a specific user in any of these check services: the Ashley Madison service did not require or verify that emails used to register for the service belonged to a person or if it did, whether you are that person or authorized by him/her. However the database dump included sufficient secondary information (such as GPS location) to potentially increase the chances of accuracy of of a report of a match between user queried and Ashley Madison membership.