Possible Ashley Madison extortion campaign identified
A cyber-security company says it may have spotted a round of extortions on Ashley Madison customers from a notorious hacking group
It was expected that Ashley Madison customers might be being extorted following the site's data breach, and this is indeed now happening according to cyber-security company, Digital Shadows.
The company picked up on the extortions when a WordPress user, ‘ernieman' posted that he had been threatened by an individual claiming to represent sharingservices [@] aol.com. Upon further inspection, similar email addresses had been reported several times by users who also claimed that they were being extorted.
These users were sent emails saying that they were customers of the extramarital affair site, Ashley Madison, and must pay one bitcoin, currently valued at £180, into a specific Bitcoin wallet, or their “cheating and lies secret” would be exposed to the world. It is not currently known if those sent this extortion message were in fact members of Ashley Madison but the designated Bitcoin wallet apparently has 17 Bitcoins in it as of writing. Whether those Bitcoins are the results of successful extortion remains to be seen.
These extortion attempts are reportedly being carried out by the DD4BC gang, which appears to have pursued profit with a very specific form of attack. First emerging in November 2014, DD4BC has carved out a unique place for itself in cyber-crime with its strategy of carrying out DDoS attacks against large companies and financial institutions around the world and then holding their websites to ransom in exchange for the untraceable cryptocurrency, Bitcoin.
Picked up by Heimdall Security, he described the gang's modus operandi : "The cyber-criminals' method is to launch a massive and violent DDoS attack against a selected target that last approximately one hour.” This opening salvo, usually of a strength between 10 and 20 Gbps, usually brings down key parts of the victim's infrastructure. After the first attack, the still-reeling victim will receive an email saying that that first attack was just a taste of what is to come unless they pay, usually giving the victim a day to pay. if the victim doesn't pay they threaten to increase the ransom several-fold and increase that figure the longer the victim ignores their blackmail.
The group boasts of their ability to pull off massive DDoS attacks. It says in one email to its unlucky victim, “please note that it will not be easy to mitigate our attack, because our current UDP flood power is 400 to 500 Gbps.” To put that number in perspective the average size of a DDoS attack in the final quarter of 2014 was just over 7 Gbps. Research by the Swiss Government showed that DD4BC's attack capacity is nearly 1,000 times the capacity of a DSL line.
This new venture into traditional extortion on individuals as opposed to institutions seems new ground for the group. That said, Digital Shadows says this claim is as yet uncorroborated and that it's likely that those email addresses were pulled off publicly available lists.
Drew Perry, the group chief cyber-analyst at cyber-security company Ascot Barclay seems to think this might not be DD4BC at all. “It is possible that DD4BC has changed tactics and is cashing in on the vulnerable state of the exposed Ashley Madison customers,” Perry told SCMagazineUK.com, but “since the email address source has been used in the past, prior to DD4BC existing, I suspect this is an actor simply using the DD4BC brand.” Perry says that the email address in question first emerged before DD4BC ever did and has been implicated in other scams, “none of which fit the DD4BC profile.”
Werner Thalmeier, director of security solutions at another cyber-security company, Radware, echoed that view when he spoke to SC: “Of course my advice would be not to pay, under no circumstances.” He too thinks that this doesn't fit DD4BC's modus operandi, which is to go after large banks and companies: “IF this is true and it now goes after regular (and foolish Ashley Madison) users and sends them ransom mails to get money, it would be a complete change of its ‘business model'.” Thalmeier adds that “I think it is much more the case that someone uses the name of DD4BC to threaten the victims, but runs this under his own umbrella.”