This blog post was written by Armando Rodriguez.
Last month, cybersecurity journalist Brian Krebs broke the news that adult site AshleyMadison.com was hacked. This breach risked the exposure of 32 million users’ personal information, including email addresses, physical addresses, and credit card information. It comes as no surprise that this news made headlines immediately and the resulting aftermath has kept it in the news almost every day since then.
Spammers have a history of using current events to their advantage and the Ashley Madison scandal is ripe for such exploitation. Based on our tracking of spam emails designed to exploit its customers, McAfee Messaging Security Team has put together a list of samples seen in the wild.
Sample email subjects:
- Ashley Madison hacked, is your spouse cheating?
- Ashley Madison records leak
- Hacked: Emails by Ashley Madison
- How to Check if You Were Exposed in Ashley Madison Hack
- How to search the Ashley Madison leak
Sample “From” addresses, mostly spoofing news outlets to dupe readers into believing the sources are legitimate:
- “Ashley Madison Alert” <info@baizetwit.com>
- “CNN News” <info@baizetwit.com>
- “CBS News” <info@baizetwit.com>
- “Fox News” <info@baizetwit.com>
Upon opening the spam, a user sees this:
The link embedded in the samples follow this pattern:
hxxp://mx7c68.baizetwit.com/random_string/random_string/random_string
The URL redirects to the following link, which appears to deny connections from security vendor IP space:
By using a free web proxy, we can follow the campaign through to the next layer of redirection:
The preceding .html document contains an HTTP refresh to accomplish the final layer of redirection, ultimately leading to a “gaming wonderland” toolbar download:
At this point, when the user installs the toolbar, the spammer monetizes his or her efforts through an affiliate program:
We also identified a second spam campaign leveraging a more direct approach to monetizing the stolen data. In this case, spammers have created several look-alike domains to increase the perception of legitimacy. WHOIS lookups confirm that either the domains do not exist or were created on or after August 23.
Here are a few observed sending addresses:
- bounce@ashleymadisondata.co.uk
- bounce@ashleymadisondata.info
- bounce@ashleymadisonnews.net
- bounce@ashleymadisonteam.com
Sample subjects associated with this campaign:
- Your Ashley Madison Account
- Your Ashley Madison Profile
- Ashley Madison
With this variant, there is no convoluted trail of web links to monetize the topic matter. Instead, we see a clear attempt at extortion, threatening to notify friends and family of the Ashley Madison account holder unless funds are paid into a Bitcoin account. Here is the text contained within the email:
Your data was leaked in the recent leaking of Ashley Madison and I now have your information. I have also used your info to find your Facebook page, using this I now have a direct line to contact all your friends and family.
If you would like to stop me from sharing this dirt with all of your known friends and family (and perhaps even your employers too?) then you need to send exactly 1.05 bitcoins to the following BTC address.
Bitcoin Address:
112ZTAjYSBqgppj1HB5ewFsHp4ZXXXXXXXX
You may be wondering why should you and what will prevent other people from doing the same, in short you now know to change your privacy settings on Facebook so no one can view your friends/family list. So go ahead and
update that now (I have a copy if you don’t pay) to stop any future e-mails like this.
You can buy Bitcoin’s using online exchanges easily. If the Bitcoin is not paid within 3 days of 23 – August – 2015 then my system will automatically message all your friends and family. The bitcoin address is unique to YOU.
Consider how expensive a divorce lawyer is. If you are no longer in a committed relationship then think about how this will affect your social standing amongst family and friends. What will your friends and family think about you?
Sincerely,
Duran
With both campaigns, no evidence was found indicating recipients were targeted by leaked data, so the risk is not limited to Ashley Madison clientele. Our research indicates that even the idly curious are at risk. Spammers have a history of using current events to motivate victims to divulge personal information they shouldn’t, visit a risky website, and even unwittingly install a virus. Just as scam artists have taken advantage of natural disasters to dupe people into giving money to them, scammers are taking advantage of this social turmoil as well.
McAfee customers are protected from these threats. Anyone who sees one of these campaigns in his or her inbox should submit the email to the IT help desk for analysis and delete the message before curiosity wins out over suspicion.