Extramarital dating website Ashley Madison made big headlines in 2015 when hackers made off with all imaginable personal details of the websites 37 million customers.

Nearly five years later, and it would seem former users of the site had nothing to worry about–but that illusion has been broken by a new cyber extortion scam targeting the people whose data was stolen from the adult dating site.

SEE: What is fileless malware and how to you protect against it? (free PDF) (TechRepublic)

According to email security vendor Vade, a new wave of emails attempting to extort money from Ashley Madison victims has appeared, and it’s something they haven’t seen before.

“Previous scams that try to get you to think an attacker has something on you would give out useless private details,” said Adrien Gendre, Vade’s chief product officer. “These emails, on the other hand, are filled with incredibly personal information.”

Account names, passwords, physical addresses, security question answers, billing details–all that and more are included in the extortion emails.

Whoever is running the scam is smart, too: They’re hiding actual ransom demands (equating to around $1,000 USD worth of Bitcoin) in a password protected PDF attachment that, because it’s secured, can’t be scanned by email filters.

Even if the email could be scanned it would only be found to contain more personal details and a QR code. The code itself is a Bitcoin wallet that the ransomer said is unique to their email so the attacker knows whether they’ve been paid on time. Without payment (within a short window of time) all the information will be leaked to family and friends.

QR codes in and of themselves won’t trigger a deeper look from most security products. The only way this sort of message can be blocked is with tools that can visually look at QR codes, determine where they go, and block them.

In other words, it’s tough to catch.

Is this a new kind of spam?

These hyper targeted nature of these attacks are new, and they could indicate a new tool in online scammer’s arsenals.

“There were only a few hundred of these emails sent out, so it’s likely this is just a test,” Gendre said. With more than 30 million users’ data available there’s no reason to assume attackers this sophisticated are going to stop with a few hundred when there’s millions of potential victims.

Why now, in 2020, are we seeing an attack based on old data? Gendre thinks the style of the attack indicates something new: A tool that makes this sort of hyper-targeted extortion possible.

“We’re likely looking at something new. When scams can be this specific it puts a real fear into people,” Gendre said. “If they know that much about you, they have to be dangerous, right?”

That isn’t necessarily the case, but Gendre said it’s wise to be cautious. If you’re targeted by this type of email, flag it as spam, report it to organization leaders so they can apply email filters to block more messages, and be sure you take care to change your passwords and secure accounts against potential hijacking.

21 Jul 2015, Ottawa, Ontario, Canada — One in five Ottawa residents allegedly subscribed to adulterers’ website Ashley Madison, making one of the world’s coldest capitals among the hottest for extra-marital hookups – and the most vulnerable to a breach of privacy after hackers targeted the site.
© CHRIS WATTIE/Reuters/Corbis