Online criminals aren't wasting any time taking advantage of this week's Ashley Madison data dump. Krebs on Security is reporting on one such scheme, noticed by an email provider in Milwaukee that found the following message being spammed to its subscribers:
Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.
If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value $225 USD) to the following address:
Sending the wrong amount means I won’t know it’s you who paid.
You have 7 days from receipt of this email to send the BTC. If you need help locating a place to purchase BTC, you can start here…..
The scheme doesn't seem to be working, since no one has transferred any bitcoin into the associated account, but it's a reminder of the tangible damage done by the attack. The available database makes it easy to send a mass mailing to all the associated emails — and with tens of millions of names in the mix, there are good odds that at least one of them will take the bait.
As these extortion schemes continue, it's important to note that many of the email addresses in the database do not correspond to actual Ashley Madison customers, since the company allowed for database entry without confirmation. That's led to awkward surprises for those who found their emails in the released data without ever having used the site. One such person described his experience on GitHub. "Since I have such a short email address people sign up for shit using it all the time," he writes. "The future is a funny place."