Wednesday, August 26, 2015

The Ashley Madison breach is a gold mine for scammers

The Ashley Madison breach is a gold mine for scammers and extortionists, and some "search the data" sites are scams in their own right. The only breach search site I trust: Have I Been Pwned.

I've not said anything about the Ashley Madison breach since my initial thoughts on glass houses and collateral damage last month (which essentially boil down to not throwing stones in glass houses, and considering the collateral damage to the betrayed spouses and children before going on a witch hunt). There's one more aspect that I think appropriate to mention though.

Any newsworthy event is going to result in clever advertising, spam and phishing emails hoping to capitalize on the fact that something is in the news. The Ashley Madison breach is no different.

In this case though, the potential for embarrassment and the desire in some to hide an indiscretion have created an unique opportunity for scammers. Cyber crime investigator Brian Krebs writes of people receiving spam along the lines of "I know you cheated, and I have proof through the Ashley Madison data; give me money and I won't tell your wife."

There are also a rash of websites popping up offering a way to search and see if your name or personal information was found in AM. Many of these sites are just as quickly taken offline after legal threats from AM. Nevertheless several such sites have proven to be scams in their own right, collecting the information of those searching, to use for future nefarious purposes.

I have two pieces of advice here.

  1. There is one, and only one, public site on the Internet that I trust when it comes to finding out if my information is included in a data breach. This applies to any data breach - not just the Ashley Madison event. Australian security professional Troy Hunt has built a fantastic service called "Have I Been Pwned" in which he has documented email addresses from many, many breaches. He keeps the service free, supporting it through donations.

    This site is unique in that not only does it let you know that your email was included in a data breach, but it explains what it means. Did the hackers steal financial information? Did they get your password to break into your account? Or did they just steal email addresses to send spam? Below is an example of the information provided on this site (in my case, it was a breach at software publisher Adobe in 2013).

    Just keep in mind that Troy can only fill the Have I Been Pwned database with information that was publicly dumped or that he has been able to privately obtain. In many cases (such as the Anthem and Office of Personnel Management breaches), the criminals that stole data are keeping it to themselves.

  2. The fact that a person's information exists in the AM dump is not necessarily an indictment. Troy writes of many, many people that have emailed him their stories. In some cases it was a now-married person that joined AM long before meeting their spouse, perhaps treating it as a dating site. In other cases it was a suspicious wife (or divorce attorney) signing up for the sole purpose of checking up on a husband suspected of cheating. In still other cases, the information is purely fraudulent: AM takes no steps to verify the identity of a subscriber, so it is quite easy to sign up using someone else's name and email address.
HaveIBeenPwned.com shows if your email was included in a data breach

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.