Site members are receiving emails with personalized information from the breach including names, bank account information, mailing addresses, and answers to security questions with the threat of exposing the recipient if a ransom in bitcoin isn’t paid.
“Make no mistake, this is personal to you and you will be exposed…. I will not wait, everyone who knows you will hear about how you have been cheating for years. You will not find me,” said one email, which also included demands for roughly $1000 in bitcoin to be delivered within six days.
Security researchers at email defense company VadeSecure discovered the scheme and published details in a blog post, saying that they had detected several hundred other similar emails targeting users in the United States, Australia, and India.
“Seeing that more than 32 million accounts were made public as a result of the Ashley Madison data breach, we expect to see many more in the coming weeks. Moreover, like sextortion, the threat itself will likely evolve in response to tweaks by email security vendors,” wrote VadeSecure Senior Director Ed Hadley.
While sextortion schemes have been circulating online for years, the Ashley Madison campaign highlights several new techniques to avoid interception and detection via email filters. The ransom itself is demanded in a PDF attached to the email, rather than the body of the email itself, and targets are directed to payment details via QR code as a means of slipping past security measures.
It is currently unknown if users targeted by the breach have been exposed.