You may view the originally publication by CSO by clicking here.
The Ashley Madison breach has been a Christmas-in-August present for spammers and scammers of all kinds, and your company could be the next target.
Here are some scams to watch out for.
There is a significant amount of spam related to the Ashley Madison attack.
According to Trend Micro, the most recent Ashley Madison-related phishing campaign offers a link to the “Ashley Madison Client List” but instead infects the user’s computer with banking malware, or locks up files until the user pays one Bitcoin, or approximately $235.
“Companies should block all Ashley Madison related emails at the email gateway and use URL filtering for all inbound emails for those bulletproof hosts which are disseminating this crimewave,” said Tom Kellermann, chief cybersecurity officer at Irving, Tex.-based Trend Micro Inc.
“The Ashley Madison episode provides such good phishing bait that the emails are going to be almost irresistible,” said David Gibson, VP of strategy and market development at New York-based Varonis Systems, Inc. “It is a foregone conclusion that people will be seduced into opening these emails and clicking on links claiming to be about Ashley Madison victims.”
Companies should step up protections of user accounts, workstations, and sensitive data stores, he said.
KnowBe4 recently sent out a simulated Ashley Madison phishing email — and got a 4.2 percent average click rate.
“Anyone will be tempted to find out if their spouse is on the Ashley Madison list,” said Stu Sjouwerman, CEO at Clearwater, FL-based KnowBe4. “Employees need to be taught that their business email address is property of the company and they cannot use it for private endeavors.”
The Ashley Madison hack doesn’t just potentially expose user email addresses, but other personal information as well, Criminals can use this data, often in combination with other data sources, to create highly detailed profiles of your employees.
Then they can launch spearphishing campaigns — very targeted attacks that use this personal information to trick employees into believing that the emails are legitimate. Spearphishing emails can also be combined with phone calls, snail mail, or other types of communications for extra credibility.
Spearphished employees can be manipulated into letting hackers into corporate networks, divulging proprietary data, or even sending large amounts of money to the crooks.
You’ve probably already checked to see whether whether any of your company’s senior executives are in the Ashley Madison data dumps. You’d have to, to protect your company — not out of any personal curiosity at all. Obviously.
But has everything come out that is going to come out?
“What’s more worrying is what they are not releasing and instead using as blackmail,” said George Anderson, director of product marketing at Broomfield, CO-based Webroot Inc.
After all, criminals can’t threaten to release data that’s already been released.
So don’t wait until you see senior executives start avoiding eye contact and collecting quantities of unmarked bills. Have a plan in place for what your company will do if an executive is targeted for extortion.
“This information is very useful for making people with high levels of authority be coerced into doing things they wouldn’t normally do,” said Casey Ellis, CEO at San Francisco-based Bugcrowd.
In fact, an executive doesn’t even have to be a user of Ashley Madison to be a potential target.
“They only need to be convinced that others might believe they are,” Ellis said. “Attackers are crafty like that.”
Ellis recommends not only having a plan in place but discussing it ahead of time with the executive team.
And if there’s a scandal brewing?
“My best piece of advice is to get ahead of the story,” he said.
Even employees who used an alias for Ashley Madison might still be at risk if criminals are able to figure out who the account really belongs go, said Itay Glick, CEO at Sunnyvale, Calif.-based Votiro Inc.
Signing up for any shady site carries risks, experts say.
“In the case of Ashley Madison, members who fared the best resorted to one-off e-mail addresses that weren’t associated with their other contact information, and paid with untraceable pre-paid debit cards,” said Nikki Parker, VP of Growth and Strategy at Sydney, Australia-based Covata Ltd.
You’d think that everyone already knows that if something is online, it’s there for ever.
But “reputation repair” scammers are finding victims willing to pay money to have their names removed from the Ashley Madison lists, said Will Gragido, head of U.S. threat intelligence research at London-based Digital Shadows Ltd.
“The breached data appeared in a number of locations and was shared and downloaded by many individuals and organizations for both noble and illicit purposes,” he said.
But not all attackers are after money. Some just want to see you suffer.
“We’re seeing a new wave of ‘hacktivism’ where cyber criminals are trying to inflict brand and reputation damage, or promote social change,” said Kevin Cunningham, president and founder at Austin-based SailPoint Technologies, Inc.
“Hacktivists” can expose the reputations of company employees to criticism.
And companies can suffer brand and financial damage, he added. “The embarrassment and notoriety for the enterprise are long term.”
Okay, this one isn’t actually a scam — more a case of someone walking along, seeing your keys right there next to your car, and driving off with your vehicle.
If your employees used their work email addresses to log into Ashley Madison, and reused their work passwords, then you’ve got a problem.
“Based on reports, it appears that there are thousands of users who signed up using their company email address,” said Jason Hart, vice president and CTO for data protection at Amsterdam-based Gemalto.
He hopes that these companies are using multi-factor authentication.
“I hate to kick the Ashley Madison users while they’re down, but it seems that the people who might have fallen for the Ashley Madison offer might also be the types who would use the same password on every site they signed into—including work,” said Tom Pendergast, chief strategist for security, privacy and compliance at Bothell, Wash.-based MediaPro Holdings, LLC, a security awareness training company.
Enterprises that don’t have multi-factor in place, or are only starting to roll it out, need to take other steps.
“Companies that find employee email addresses within this trove of information would be wise to require new passwords across all company services,” said Adam McNeil, malware intelligence analyst at San Jose, Calif.-based Malwarebytes Corp.
In addition, companies need to have training programs in place so that employees know not to reuse their work email accounts or passwords on other sites.
“An alarming majority of employees don’t understand the security risks of their behavior,” said Darren Guccione, CEO and Co-founder at Chicago-based Keeper Security, Inc.
Training programs should also include mock phishing campaigns, he added. “This is a true test of an employee’s ability to spot a suspicious email,” he said.