Ashley Madison Hack Analysis
Figure A displays the public announcement by “The Impact Team” to Avid Life Media, the owners of Ashley Madison.
The Ashley Madison hacking by a group known as “The Impact Team” continues to swirl with controversy. With The Impact Team already leaking one Ontario man’s name and another man from Brockton, Mass., as reported by the Inquisitr, folks are growing more curious about the names or singular name behind the so-called Impact Team hacker or hackers themselves.
While Funny or Die is making jokes about the fallout from The Impact Team’s hacking, with a woman portraying Ashley Madison as an attractive, yet ditzy blonde, others who fear their spouses finding their names on the Impact Team’s list of leaked names aren’t laughing.
The most recent comments on a mega-thread about the Ashley Madison hacking on Reddit prove how some are reacting to the thought of their names being outed on a public list, and how that outing could affect the Impact Team hacker or hackers who performed the dirty deed. One Reddit user whose account is named amsux2015 posts a theory of what could happen to the Impact Team hacker if his or her identity were released after the widespread hacking was published online.
“We’re all focusing on ourselves but think of the hacker. He’s risking his life and the lives of his family with publishing this list if he even has it. If the hacker’s name is published after he outs 37mm people, he’s a dead man and so is his family. It’s not hard for a down-and-out guy to rationalize: ‘you took my family from me, I will take yours…’”
That same commentator put forth a profile of who he or she likely thought the Impact Team hacker could be, at least in terms of age, marital status and the like.
“The hacker is likely a bachelor, but he must have a mother and father somewhere, maybe even a niece or nephew. Even if the hacker goes to jail after outing everyone, if he gets married and has kids 15 years from now, they’d still be at risk. Most of the 37 (million) users are likely nervous wussies, but I would bet more than a few would be capable of murder.”
Meanwhile, the Impact Team has had more of an impact than they may have believed, with articles such as “Ashley Madison was just the beginning: my dad’s secret life of online infidelity” from The Guardian popping up in the wake of the Impact Team only exposing two names thus far to the general public.
Anonymous accounts of women who cheated on their husbands using Ashley Madison are also being published while the world waits to see if the leak will grow beyond the two names made public by the Impact Team — or the 2,500 names reportedly included in the Impact Team’s initial list. According to Reddit user Burthumplebanger, he or she has seen a list from the Impact Team with 20,000 emails and passwords purporting to be Ashley Madison users, but didn’t think the Impact Team provided actual user data in that hacked list of email names.
“I have seen the list you are referring to. I did not save it as it looked completely random s***. I have seen the password list, a list with about 20,000 emails and passwords that were mainly from the UK and FR which also looked like bull****. Trust me no one is going to fish around as much as I have. I have OCD and I don’t stop until I find things. There is nothing incriminating out there right now. I have spent 72 hours looking even on the dark web.”
Ashley Madison invites red-faced cheats to bolt stable door for free
Adulterous hook-up site Ashley Madison is allowing all members to fully delete their profiles without charge in the aftermath of a serious data breach that threatens the site’s future.
Previously, if users wanted to delete their records (profile, pictures and messages sent through the system) they were obliged to pay around $20, but that money-spinner has been dropped in the wake of a hack that placed Ashley Madison’s members in danger of exposure.
Hackers from a previously unknown group, The Impact Team, are threatening to leak this information unless parent firm Avid Life Media (ALM) permanently closes both Ashley Madison and site Established Men, as previously reported on El Reg.
ALM has resisted these demands and both sites remain operational despite threats by hackers to release highly-sensitive information including “customers’ secret sexual fantasies and matching credit card transactions”.
ALM has confirmed the breach without specifying how much information was taken, or indeed commenting directly on the hackers’ claims, other than to deny accusations that the delete option failed to remove information related to a member’s profile and communications activity.
“Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed all the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online,” ALM said in a statement.
Ashley Madison specifically markets its services at married people looking for an affair. The Impact Team characterises members of Ashley Madison as “cheating dirtbags” who deserve no privacy, bragging that they are poised to release info on “many rich and powerful people” unless their demands are met.
Will Gragido, head of threat intelligence research at Digital Shadows, suspects the motive of the attacks might ultimately move towards ransoming off stolen information. Unlike a recent attack against Adult FriendFinder, another hookup website, very little data from the latest hack has surfaced online – suggesting that attackers are holding onto it for later criminal abuse, Gragido reasons.
“Details are still emerging, but the Ashley Madison breach seems typical of today’s more extortion and ransom-focused attacks,” Gragido explained. “Certain types of data and online behaviour are simply too attractive for blackmail purposes, and adversaries know the power of psychology and emotions when making demands like this.”
“Notably, this incident seems even more extortion-focused than the Adult Friend Finder (AFF) breach case, because stolen AFF data was evident in underground cybercrime forums relatively soon. We see comparatively little Ashley Madison data in circulation, suggesting the attackers want to hold as much as they can for ransom,” he added.
Gragido noted that the hackers’ demand that Ashley Madison be shut down is a potentially ominous evolution in hacker strategy.
“What is most striking about this incident is the attackers’ demand that the business of Ashley Madison itself shut down,” said Gragido.
“This is very ominous because it takes us down a slippery slope: What type of business will adversaries deem ‘objectionable’ next, and demand its closure, in addition to holding its customers hostage with their stolen, personal information?”
Speculation is rife that an insider or former employee may have facilitated the hack.
Luke Brown, vice president & GM EMEA at Digital Guardian, commented: “The breach is suspected to be an ‘inside job’ by someone involved with ALM’s technical services, highlighting the critical need for good cybersecurity capable of mitigating this type of insider threat.”
“As it stands, the breach will likely cause irreparable damage to Ashley Madison as a business,” he added.
Ashley Madison is simultaneously one of the most popular dating websites on the net, and the one its users are least likely to openly admit to using, for obvious reasons.
Tod Beardsley, security engineering manager at Rapid7, the firm behind Metasploit, commented: “Dating sites also host millions of intensely private scraps of user data. Users of these services may routinely share risqué photos, checklists of sexual preferences, and patterns of romantic activity that they consider deeply personal.”
“Because of this, any breach involving a dating site comes with a built-in ‘ickiness’ factor. Dating site users are likely to feel more violated after a breach than those caught up in a retail or government website breach, and they are less likely to reach out for help and advice on how to manage their identity information after a breach,” he added.
“For Ashley Madison users in particular, this tendency to suffer silently is all but guaranteed,” concluded Beardsley.
Other security experts tend to agree that ALM will have its work cut out to restore confidence in the site, a vital first step to securing its long-term future.
“This hack may just kill Ashley Madison,” said Dr Chenxi Wang, cloud security and strategy veep at cloud security firm CipherCloud. “The hackers are demanding the company to shut down or face public release of the very personal details of all of its 37 million customers.”
“This puts AM between a rock and a hard place if it continues to operate. It’s unthinkable for any business, especially one that runs on discretion and trust, to betray its customers’ confidentiality,” she added.