Wednesday, August 26, 2015

The Ashley Madison breach is a gold mine for scammers

The Ashley Madison breach is a gold mine for scammers and extortionists, and some "search the data" sites are scams in their own right. The only breach search site I trust: Have I Been Pwned.

I've not said anything about the Ashley Madison breach since my initial thoughts on glass houses and collateral damage last month (which essentially boil down to not throwing stones in glass houses, and considering the collateral damage to the betrayed spouses and children before going on a witch hunt). There's one more aspect that I think it appropriate to mention though.

Any newsworthy event is going to result in clever advertising, spam and phishing emails hoping to capitalize on the fact that something is in the news. The Ashley Madison breach is no different.

In this case though, the potential for embarrassment and the desire in some to hide an indiscretion have created a unique opportunity for scammers. Cyber crime investigator Brian Krebs writes of people receiving spam along the lines of "I know you cheated, and I have proof through the Ashley Madison data; give me money and I won't tell your wife."

There is also a rash of websites popping up offering a way to search and see if your name or personal information was found in AM. Many of these sites are just as quickly taken offline after legal threats from AM. Nevertheless, several such sites have proven to be scams in their own right, collecting the information of those searching to use for future nefarious purposes.

I have two pieces of advice here.

  1. There is one, and only one, public site on the Internet that I trust when it comes to finding out if my information is included in a data breach. This applies to any data breach - not just the Ashley Madison event. Australian security professional Troy Hunt has built a fantastic service called "Have I Been Pwned" in which he has documented email addresses from many, many breaches. He keeps the service free, supporting it through donations.

    This site is unique in that not only does it let you know that your email was included in a data breach, but it explains what it means. Did the hackers steal financial information? Did they get your password to break into your account? Or did they just steal email addresses to send spam? Below is an example of the information provided on this site (in my case, it was a breach at software publisher Adobe in 2013).

    Just keep in mind that Troy can only fill the Have I Been Pwned database with information that was publicly dumped or that he has been able to privately obtain. In many cases (such as the Anthem and Office of Personnel Management breaches), the criminals that stole data are keeping it to themselves.

  2. The fact that a person's information exists in the AM dump is not necessarily an indictment. Troy writes of many, many people that have emailed him their stories. In some cases it was a now-married person that joined AM long before meeting their spouse, perhaps treating it as a dating site. In other cases it was a suspicious wife (or divorce attorney) signing up for the sole purpose of checking up on a husband suspected of cheating. In still other cases, the information is purely fraudulent: AM takes no steps to verify the identity of a subscriber, so it is quite easy to sign up using someone else's name and email address.

[Image: HaveIBeenPwned.com shows if your email was included in a data breach]

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen