With any major data breach, we expect to see an increase in phone scams. Attackers sell hacked customer data on the black market. Other criminals use the information to mount social engineering attacks on consumers. The recent attack on dating website Ashley Madison, however, could take these types of phone scams to a new level.
Ashley Madison is a site dedicated to helping its users arrange extramarital encounters. Their tagline is “Life is short. Have an affair.” On July 19, Brian Krebs broke the news that hackers had accessed information from up to 37 million Ashley Madison users, complete with contact information, pictures, and profile information. With this breach, Pindrop Labs predicts that attacks on consumers will be particularly vicious. Some attacks we’re expecting to see are:
- Extortion & Blackmail
The most obvious use for Ashley Madison user data is extortion schemes. Attackers who gain access to user profiles have names, contact information, sexual orientation, and potentially embarassing photos of people who are actively trying to have an extramarital affair. Attackers could simply call Ashley Madison users and threaten to make the affairs public or to publish the photos. Many users would pay to keep their information secret.
- Catfishing & Dating Scams
In addition to names, pictures, and contact information, hackers have allegedly stolen entire profiles from the dating site. The information contained on these profiles is often intensely personal, and includes information on fantasies and other intimate details.
This makes Ashley Madison users particularly vulnerable to catfishing schemes, where a person is targeted and lured into a relationship by means of a fictional persona, who then scams victims for money. Attackers who buy Ashley Madison profiles could target users over the phone, email, or other dating sites, with the knowledge that a specific user would be particularly attracted to certain activities, body types, or personalities.
- Phone Spam
A slightly less threatening result of the attack for Ashley Madison users might be a big uptick in phone and email spam. Ashley Madison users are likely more primed than most to respond to products typically advertised in spam, such as diet pills and enhancement products.
- Robocalling Attacks
Even if Ashley Madison manages to keep the hackers from publishing user information, their users remain at high risk for phone scams. This is because we now know that the site is extremely popular in many specific areas. Since news of the attack first broke, reporters have filed stories full of “fun Ashley Madison statistics” like the fact that 1 in 5 Ottawa residents is a subscriber, Washington D.C. and San Antonio are the two US cities with the most members per-capita, and the top 20 Chicago Area suburbs for Ashley Madison affairs.
Phone scammers can simply target areas with known high concentrations of Ashley Madison users, robocalling individuals at random and leaving voicemails threatening blackmail. (Similar techniques are already widely used for the IRS scam and deportation scams.) In a city like Ottawa, up to 20% of people who receive such a call will have reason to believe that the threat is real.
With this breach, Ashley Madison and their clients have learned the hard way that the Internet is no place for secrets. Sites and apps that claim to keep user secrets are actually prime targets for attackers. A similar attack on AdultFriendFinder in March of this year resulted in the exposure of more than 3.5 million people’s dating and personal interests. In 2014, hackers discovered a security flaw in the Tinder dating app that exposed users’ exact locations, and Snapchat’s data breach that year leaked information on 4.6 million accounts. Cupid Media, which runs several “niche” dating services, suffered an attack in 2013, exposing information on 42 million users.
News of the Ashley Madison attack has prompted Pindrop Labs to raise the current phone fraud threat level to 3, indicating a high risk of phone-based threats.