Extortion is not usually a topic that employers have on their radar regarding their employees. Most employers know they need to protect themselves against viruses, and “hackers”, but they often don’t think about the social engineering tactics that attackers may use to target employees. However, when users put their private information on “secure” websites, they may assume this information is safe. But, as the old adage goes, “assume anything you put online can be made public”, and it is likely that all of the users of the Ashley Madison website failed to consider the implications.
For more details about the Ashley Madison hack there are a number of sources that can be reviewed. Brian Krebs has two posts on the subject that are worth reviewing for more detailed information: Was the Database Leaked? and Extortionists Target Ashley Madison Users
Why should this apply to me?
Considering the services offered, and the number of records released, it is likely that most people will have a connection to someone who could be affected. Given this line of thought, it is also plausible that attackers could exploit this, and target users who are on the list of records released. Employers are not likely to be directly concerned about whether their employees are on this list; however, what if their users are put into a situation where they are blackmailed, and may do something they would not otherwise think of doing, such as clicking on an illicit link, or downloading a malicious file? Alternatively, an attacker could use information from the Ashley Madison list to entice users to click on a link in a phishing email. Employers need to be cognizant of this, and consider some controls which can be put in place to mitigate this threat.
We regularly see organizations where a user falls victim to phishing emails, and these numbers will only increase when this specific, targeted threat vector presents itself. This is a real threat, and it is a risk to organizations, as some users are going to be concerned about this, and may act more foolishly than normal in order to conceal their misdeeds.
What should we do?
User Awareness Training – Ensure users can identify a phishing email. Make users especially aware of attacks related to the Ashley Madison hack.
Spam Filtering – It may be worth discussing the merits of blocking or increasing the risk of any emails containing words related to Ashley Madison.
Follow Basic Security and Compliance Practices – Review security practices including Authentication, Access Controls, and Patch Management. Additionally, ensure there are mechanisms for recognizing anomalous behavior within the network.
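To make the spam filtering recommendation concrete, the following is an added example (not code from the original post) of a mail-scoring rule that raises the risk score of messages mentioning Ashley Madison, and raises it further when the same message carries the hallmarks of an extortion lure: an external sender, payment or exposure language, and an embedded link. The two sample messages, the domain names, the term lists and the thresholds are all constructed for this example; a real deployment would feed the score into the organization's own gateway or SIEM.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample messages: addresses, domains and text are made up for this example.
SAMPLE_MESSAGES = [
"""From: "HR Department" <hr@example-company.test>
To: alice@example-company.test
Subject: Updated holiday schedule
Content-Type: text/plain

Hi all, the updated holiday schedule is posted on the intranet page. Thanks.
""",
"""From: anon <payme@throwaway.example>
To: bob@example-company.test
Subject: Your Ashley Madison account
Content-Type: text/plain

We have your Ashley Madison profile and messages. Pay 2 BTC within 48 hours or we send
everything to your spouse and employer. Proof here: http://evil.example/proof
""",
]

# Terms that tie a message to the breach (constructed list; extend from real campaigns).
THEME_TERMS = ("ashley madison", "avid life media")
# Language typical of extortion pressure (constructed list).
PRESSURE_TERMS = ("bitcoin", "btc", "spouse", "expose", "within 48 hours", "pay")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Score weights and decision thresholds (constructed; tune to the environment).
THEME_WEIGHT, PRESSURE_WEIGHT, EXTERNAL_WEIGHT, URL_WEIGHT = 5, 2, 2, 2
FLAG_THRESHOLD, QUARANTINE_THRESHOLD = 4, 8


def _body_text(msg: Message) -> str:
    """Return the decoded text/plain content of a message (all parts if multipart)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def _contains_term(text: str, term: str) -> bool:
    """Whole-word match so 'pay' does not fire on 'payroll' or 'payment'."""
    return re.search(r"\b" + re.escape(term) + r"\b", text) is not None


def score_message(raw: str, internal_domain: str = "example-company.test") -> dict:
    """Score one RFC 822 message and return the score, the reasons, and the action."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    text = subject + "\n" + _body_text(msg).lower()
    score, reasons = 0, []

    for term in THEME_TERMS:
        if _contains_term(text, term):
            score += THEME_WEIGHT
            reasons.append(f"theme:{term}")
    for term in PRESSURE_TERMS:
        if _contains_term(text, term):
            score += PRESSURE_WEIGHT
            reasons.append(f"pressure:{term}")

    _, sender = parseaddr(msg.get("From", ""))
    if sender.rpartition("@")[2].lower() != internal_domain:
        score += EXTERNAL_WEIGHT
        reasons.append("external-sender")
    if URL_RE.search(text):
        score += URL_WEIGHT
        reasons.append("contains-url")

    if score >= QUARANTINE_THRESHOLD:
        action = "quarantine"
    elif score >= FLAG_THRESHOLD:
        action = "flag"
    else:
        action = "deliver"
    return {"score": score, "reasons": reasons, "action": action}


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        result = score_message(raw)
        print(result["action"], result["score"], ", ".join(result["reasons"]))
```

A theme term alone only flags a message for review, which keeps legitimate internal discussion of the breach (an awareness bulletin, say) out of quarantine; it takes the combination with pressure language, an outside sender and a link to cross the quarantine threshold. The reasons list is what an analyst would want logged alongside the verdict.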
It’s impossible to prevent users from being targeted, but knowing that they will be lets organizations prepare. If their users will be targeted, then training employees is key. Remember, instead of trying to prevent a ‘hack,’ expect one, and be prepared to detect it, slow down or stop the attack, and recover quickly.