Police probing the massive data breach at infidelity website Ashley Madison (AM) are calling for ‘white hat hackers' to help them track down the cyber-criminals involved – with the incentive of a near £250,000 reward up for grabs.
The appeal to the security and hacker community came yesterday from the ‘Project Unicorn' police taskforce – which includes the FBI, US Department of Homeland Security and Canadian police – hunting the hacker(s) calling themselves the ‘Impact Team', who last week carried out their threat to leak the personal details of around 33 million AM subscribers. Though security guru John McAfee has claimed there is no team, just a female ex-employee who had total access and issues with management, as reported by SC yesterday.
Police confirmed yesterday that the data dump has already led to the suspected suicide of two AM subscribers and blackmail attempts against people named on the list – prompting their call for help.
“It would be foolish for us to think we could do this on our own,” said staff superintendent Bryce Evans of the Toronto Police - Ashley Madison owner Avid Life Media (ALM) is based in the Canadian city.
Evans said the police recognise that hackers “have certain techniques to assist us”. Detective John Minard from the Canadian Mounted Police's tech-crime unit confirmed: “We're looking at the white hat hackers, the guys who aren't involved in what happened. The Impact Team are operating on the dark web, an area of the internet that we don't necessarily police on a daily basis.”
To support them, ALM has offered a bounty of £240,000 for help in catching the intruders, saying: "The Project Unicorn investigation is progressing, but more help is needed from the outside. ALM is offering a C$500,000 reward payment to anyone who provides information to the taskforce that leads to the identification, arrest and conviction of the person or persons responsible for the theft of proprietary data.”
Detailing the human cost of the data breach, Bryce Evans said: “The Impact Team's actions have already sparked spin-off crimes and further victimisation. As of this morning, we have two unconfirmed reports of suicides that are associated with the leak of Ashley Madison customer profiles.”
Evans also warned of blackmail attempts against AM subscribers. The police showed one such email which says: “Your data was leaked in the recent hacking of Ashley Madison and I now have all your information. I have also found your Facebook profile. I now have a direct line to get in touch with all your friends and family. If you would like to prevent me from sharing this dirt with all of your known friends and family (and perhaps even your employers too?) then you need to send exactly 1.05 bitcoins (£142) to the following address...”
Those with information about Impact Team are asked to phone Project Unicorn in Canada on 416 418 2040 or contact the taskforce's Twitter account @AMCaseTPS. The police appeal can be viewed on You Tube here.
Commenting on the appeal and reward offer, leading European cyber-security expert Brian Honan, head of BH Consulting, believes they could succeed - though he also warned against the danger of innocent individuals being implicated in the hack.
Honan told SCMagazineUK.com: “There are probably people outside the Impact Team who do know who the members are, because very often hacking groups talk to other groups to share information or techniques, or individuals may be members of multiple groups. They can let slip where they are – we've seen that in the past where individuals have exposed themselves unintentionally.
“Half a million dollars is nothing to be sniffed at. I think the impact this breach is having on certain people's lives – the damage this is causing, in combination with the attractiveness of the reward, might be motivation enough for them to share any intelligence they may have with law enforcement.”
Though McAfee's report talking to hackers active on the dark web suggested none had heard of the Impact Group.
Honan also believes the major security firms could play a role in finding the intruders.
“Lots of security firms have experts on their staff who are good at analysing events and information and tracing back where the attacks happened. If you take the large firms who have cracked APT groups – some of them nation state sponsored groups with lots of resources to hide their tracks – then the capabilities are there. The question would be how effective the logging within Ashley Madison's systems was, to enable effective analysis and properly identify who's behind the attacks.”
Honan also warned: “My concern would be that in offering half a million dollars reward, we are going to have a vigilante hunt and a lot of false information could be provided that diverts law enforcement from the core investigation, or that individuals may be mistakenly identified to be behind the attack and that could have a negative impact on their lives as well.
“I would hope that law enforcement, Ashley Madison and firms engaged in the investigation take a methodical approach to the investigation so that innocent people aren't caught up.”
He added that “any high-profile case attracts analysis and theories from security firms”, - citing John McAfee's view.
Meanwhile, the Impact Team may have provided some clues in an email interview with the Motherboard website where they claimed: "We didn't blackmail users. Avid Life Media blackmailed them."
The hackers reportedly said: “We were in Avid Life Media a long time to understand and get everything. They said they don't store credit card (CC) information. They had password to CC processor. We dumped from the CC processor.”
Asked if they might attack other targets and who, they said: “Any companies that make hundreds of millions profiting off the pain of others' secrets and lies. Maybe corrupt politicians. If we do, it will be a long time, but it will be total.”
* In related news, ALM is being sued for unspecified damages in the Los Angeles District Court for failing to adequately protect its clients' personal and financial data by a man identified as ‘John Doe' who said he has suffered emotional distress. Last week a similar class-action lawsuit was launched against ALM in Canada, seeking almost £500 million in damages.