Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
Ashley Madison: $500K Reward for HackerFBI Spearheads Network Intrusion Investigation, Cites National Security Threat
Hacked online dating site Ashley Madison is offering a $500,000 Canadian (U.S. $380,000) reward for information relating to the hacker or hacking group behind its data breach. Separately, another breach-related lawsuit - seeking class-action status - has been filed against the company in U.S. federal court by a "John Doe," alleging "emotional distress" as a result of the site's poor information security practices.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The Ashley Madison reward was announced Aug. 24 by Toronto police, who say that the U.S. Department of Homeland Security and FBI are also participating in the investigation. The police revealed that they're investigating reports - received Aug. 24 - that two Canadians committed suicide after the "Impact Team" hackers began dumping Ashley Madison data, thus revealing the identities of many of the site's more than 30 million users. To date, the Impact Team has released three tranches of stolen information, comprising tens of gigabytes of data.
AshleyMadison.com, which is run by Toronto-based Avid Life Media, advertises itself as the "world's leading married dating service for discreet encounters."
At an Aug. 24 news conference, Bryce Evans, acting staff superintendent of the Toronto police, sent a message to the hacker or group behind the attack against the site. "I want to make it very clear to you your actions are illegal, and we will not be tolerating them. This is your wake-up call." Backed by the reward, officials have also appealed to the broader information security community to help them identify the perpetrators.
Evans says that the Toronto police requested that DHS join its investigation, and notes that the FBI is now leading the network-intrusion part of the investigation. "This is worldwide, it's not just a Canadian thing, and that's why we're drawing on any resources we can. And we have a good working relationship with Homeland and the FBI," Evans says.
Police warned that the leaked data has already sparked "hate crimes," as well as a number of other types of attacks and scams (see Ashley Madison: Spam, Extortion Begins). "This hack is one of the largest data breaches in the world and is very unique on its own in that it exposed tens of millions of people's personal information," Evans said. He added that the police are also investigating two potentially related suicide reports. "As of this morning we have two unconfirmed reports of suicides that are associated because of the leak of Ashley Madison customers' profiles," he said Aug. 24, but declined to elaborate further.
The data leaked from the Ashley Madison breach reportedly include details of more than 30 million customers, including some who used email addresses tied to corporate accounts - ranging from Shell to Starbucks to Wells Fargo - as well as official government and military accounts in the United States, Canada, the United Kingdom and beyond (see Mitigating Organizational Risks After the Ashley Madison Leaks).
Speaking at the Aug. 24 press conference in Toronto, DHS special attachÃ© Ron Marcell confirmed that the FBI is reviewing the hack from a national-security standpoint, as is standard operating procedure any time a data leak includes government email addresses and government employees' personal details.
Hack: "Very Sophisticated"
Toronto Police Service Detective John Menard, a technology specialist, described the Ashley Madison hack attack as being "very sophisticated," and said police are still investigating how exactly the attackers broke into the site. Toronto police have dubbed their related investigation as "Project Unicorn" and set up a dedicated Twitter account - @amcasetps - for any information or tips related to the case.
Assistance welcome from public that can help ID hackers known as "The Impact Team" responsible for #AshleyMadisonHack is #AMcaseTPS ^smï¿½ Toronto Police (@TorontoPolice) August 24, 2015
Police say that Ashley Madison officials first learned of the hack on July 12 - one week before the Impact Team publicly called for the site to shut down, or else it would begin leaking stolen data. Avid Life Media first publicly commented on the hack attack July 20, saying that it had alerted authorities and launched a related investigation. But by then, police say, the company had already hired an outside firm to investigate the intrusion, and alerted law enforcement agencies.
On July 12, Evans says that when multiple Avid Life Media employees logged into their PCs, they saw a "threatening message" from attackers, set to the song "Thunderstruck" by Australian rock band AC/DC. The message, from the Impact Team, demanded that the company shut down both its Ashley Madison and Established Men dating sites, or else the attacker or attackers would leak customer data.
.@TorontoPolice handing out lyrics to "Thunderstruck" by AC/DC before their #ashleymadisonhack presser...#karaoke? pic.twitter.com/LYff3YYdS1ï¿½ Phil Perkins (@PhilPerkinsCHCH) August 24, 2015
That's not the first time the AC/DC song in question has been tied to a hack attack. In 2012, reports emerged that one side effect of the Stuxnet virus infection at Iran's Natanz facility was that it also made some compromised PCs blare the same song at full volume in the middle of the night.
Meanwhile, a third breach-related lawsuit - seeking class-action status - has been filed in U.S. federal court. The move follows a U.S. lawsuit being filed by a woman from St. Louis - "Jane Doe" - alleging that the site's $19 paid-delete feature failed to work as advertised. A second lawsuit was then filed in Canada, claiming $760 million (U.S. $577 million) in damages due to the dumped data (see No Surprise: Ashley Madison Breach Triggers Lawsuits).
The latest lawsuit was filed Aug. 21 in U.S. District Court in California by a "John Doe," who is described as a man in Los Angeles who created an account with the site in March 2012. He alleges harm on the basis that Ashley Madison failed to protect customers' sensitive personal information.
"As a result of Defendants' unfair, unreasonable, and inadequate data security, its users' extremely personal and embarrassing information is now accessible to the public," the lawsuit states. "In addition to the embarrassing information regarding users' sexual interests or the fact that users were seeking or had affairs, users' addresses, phone numbers, email addresses, credit card or other payment information, and/or birth dates, and photos are also now available on the World Wide Web. For many of the website's users, the publicity of this information has created and will continue to create irreparable harm."
The lawsuit names both of Ashley Madison's parent companies - Avid Life Media and Avid Dating Life - and seeks unspecified damages.
What the Reward Implies
Ashley Madison's move to offer reward money to catch hackers is not unheard of; the FBI's Cyber Most Wanted list is currently offering rewards of up to $3 million for information leading to the arrest or conviction of cybercrime kingpins. But such rewards tend to be less tactical - suspects for example may be located in countries that share no extradition treaty with the United States or Canada - and more symbolic, to try and demonstrate that law enforcement agencies are still on the case, and that the breached business is still investigating.
"I think they are sending a message but it is reminiscent of the Wild West, which seems to be how the Internet is being policed in some places," says cybercrime expert Alan Woodward, a visiting computer science professor at the University of Surrey (see FBI Hacker Hunt Goes 'Wild West'). "Bounties sometimes work, but it is more a way of explicitly saying: 'Whoever this is, they are an outlaw in our country,' and 'We will not tolerate any similar behavior.'"
The move to offer a reward is also a notable shift from last month, when Avid Life CEO Noel Biderman suggested that the case would soon be closed. "Their CEO said he knew who it was in July," says Intel Security EMEA chief technology officer Raj Samani via Twitter.
Indeed, Biderman in July told security blogger Brian Krebs that the hack attack was the work of an insider. "I've got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services," Biderman said.