After a rough month of cyber investigations and nervous waiting, earlier this week, the mysterious hacker coalition named Impact Team, responsible for publicly breaching Ashley Madison’s database, reportedly dumped 10GB worth of sensitive client and company data for download on the Internet, Wired reports.
On Thursday, Motherboard reported that Impact Team had followed up with a second dump that is twice the size of the first. Some of those files contain the emails, profile information, and credit-card information (last four digits) of users registered with Ashley Madison. Users typically configured their online profiles to also include information related to their sexual fantasies.
Ashley Madison, the infamous matchmaking website designed to connect millions of users looking for extramarital affairs, has yet to comment on the dump after acknowledging the original breach on July 19. But perhaps this silence is for good reason: authenticating the files hitting the Web is an inherently difficult process.
“AM did not verify email addresses or physical addresses, so many of them could be fake. One AM user registered under the former Prime Minister of the United Kingdom, Tony Blair. It could have been anyone using that email address,” Aamir Lakhani, senior cybersecurity researcher at Fortinet, told DC Inno.
The file dumps are motivating casual Web surfers to search for the files on less than reputable corners of the Internet. And that task comes at a risk.
“As irresistible as it may seem, the Ashley Madison data is an almost picture perfect cybercrime waiting to happen. Besides the lurid details, the posts are likely full of malware, including keyloggers and frame grabbers, that could steal data or gain access to a user’s credentials. Credential theft is one of the biggest contributors to a data breach,” David Thompson, senior product manager at LightCyber, told DC Inno.
Since the hack occurred, and the salacious story caught the nation’s attention via social media and television, scammers have been posting fake customer records on the “Dark Web” for download. These files have contained everything from malicious content to spyware and viruses. While the news of the second data dump reaches audiences, a third could be on the way.
“Undoubtedly, many of the emails and domains now published to the Dark Web are fake,” Jason Polancich, a 20-year NSA veteran and the founder of cybersecurity startup SurfWatch Labs, told DC Inno.
Meanwhile, a new brigade of fake files, stuffed with irrelevant information, is being created, downloaded and circulated to take advantage of misguided journalists, concerned former Ashley Madison users and others. Files under the name “Leaked Ashley Madison customer files” on imgur.com, Reddit’s 4Chan, Pastebin.com, and over torrents/TOR-based URLs are becoming increasingly common.
It’s far from the first time that someone has used the publicity of a hack to attract Internet users and infect their computers with damaging content.
An updated report from prominent cybersecurity blogger Brian Krebs in addition to the Wired article, however, suggests that some of the files from the latest dump are, in fact, legitimate.
“I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database,” Krebs wrote.
Importantly, even while some files may be legitimate—meaning they contain accurate user information tied to actual customers—that does not dismiss the predatory cat-and-mouse game that’s occurring between scammers and curious browsers. The chaotic rush of fake client files posted as torrent downloads over the last 30 days also reveals, at least to some extent, the opportunistic bait-and-switch ecosystem at play with scandalous file dumps.
If you read between the lines, you may also notice that a majority of the news outlets that have reported on the latest Ashley Madison hack are not linking back to the actual location of said dump. And rightfully so, since it’s doubtful they can differentiate between many of the fake and real files.
Before Tuesday, Raja Bhatia, Ashley Madison’s former chief technology officer, told Brian Krebs that “he had teamed up with an international team of roughly a dozen investigators working seven days a week, 24 hours a day just to keep up with all of the fake data dumps.”
“On a daily basis, we’re seeing 30 to 80 different claimed dumps come online, and most of these dumps are entirely fake and being used by other organizations to capture the attention that’s been built up through this release … the overwhelming amount of data released in the last three weeks is fake data,” Bhatia told Krebs.