Guys, we have a real phishing problem with this Adult Friend Finder (AFF) hack. This particular adult site is one of the most heavily-trafficked websites in the U.S. and has 40 million registered users. A rough guess is that 10% of your users may be very worried at this time that their sexual preferences and/or activities are going to come out. These end-users are a security breach waiting to happen.
You may have heard about it, but in short the story is that the AFF site owed $248,000 to someone, very likely an affiliate that was feeding them web traffic, and apparently AFF did not pay up. The affiliate had a hacker buddy who calls himself ROR[RG] and this guy decided to teach AFF a lesson.
He hacked them, exfiltrated at least 4 million records and then sent them a ransom demand of $100,000 to return the data. Again, apparently AFF did not pay up (again), and ROR[RG] in retaliation posted these records on a Darknet Tor site loaded with a ton of highly personal, sensitive information, including age, sexual preferences, state, zip code, username, IP address, whether they are married or single, gay or straight, and whether they are looking for a "cheating one night stand" or for what we might call more unorthodox sexual activities. With a little bit of digging, these people are relatively easy to find. Bev Robb, who does malware and dark Web research, wrote a blog post showing how easy it is.
FriendFinder Networks, a California-based company, wrote that it had hired FireEye's forensics unit, Mandiant, to investigate, along with Holland and Knight, a law firm, and a public relations company specializing in cybersecurity.
"We cannot speculate further about this issue, but rest assured, we pledge to take the appropriate steps needed to protect our customers if they are affected," it said. The company could not be reached for further comment. UK TV Channel 4 reported it first, and stated that exposed email addresses are already receiving a wave of spam. Here is their 4-minute segment.
Here Is The Problem
Any of these 40 million registered users is now a target for a multitude of social engineering attacks. Just one example: you can imagine that a man married to a woman but who is hunting down gay hookups on the side could easily be blackmailed or receive a spear phishing email with a poisoned link that infects his workstation.
People that have extramarital affairs can be made to click on links in emails that threaten to out them. I already see the phishing emails that claim people can go to a website to find out if their private data has been released. This is a nightmare that will be exploited by spammers, phishers and blackmailers who are now gleefully rubbing their hands.
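The lure described above (a "go here to check whether your data was leaked" message carrying a poisoned link) has a recognizable shape that mail filtering can catch. The following is an added example, not code from the original post or from KnowBe4: a small heuristic analyzer that flags breach-check lure wording and links whose visible text names one domain while the real destination is another (or a raw IP address). The two sample messages, the lure phrases and the `203.0.113.5` address are constructed for the example; the registrable-domain helper is deliberately crude (last two labels) and a production filter would use a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure wording typical of post-breach phishing, as the post describes it.
# These patterns are constructed for the example, not taken from real mail.
LURE_PATTERNS = [
    r"\b(check|find out|see) (if|whether) your .{0,40}(data|information|details) "
    r"(has|have|was|were) (been )?(leaked|released|exposed|hacked)",
    r"\byour (account|secret|profile) (has been|was) (exposed|leaked)\b",
]


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable_domain(host):
    """Crude registrable-domain guess: the last two labels of the host.
    Good enough for the constructed samples; real code should use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_email(subject, html_body):
    """Return a list of human-readable findings; an empty list means nothing fired."""
    findings = []

    # 1. Lure wording: search subject plus the tag-stripped body text.
    text = subject + " " + re.sub(r"<[^>]+>", " ", html_body)
    if any(re.search(p, text, re.IGNORECASE) for p in LURE_PATTERNS):
        findings.append("breach-check lure")

    # 2. Link analysis: visible text vs. actual destination, and raw-IP destinations.
    collector = _AnchorCollector()
    collector.feed(html_body)
    for href, shown in collector.anchors:
        href_host = urlparse(href).hostname or ""
        shown_domain = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", shown, re.IGNORECASE)
        if shown_domain and href_host and \
                _registrable_domain(shown_domain.group(1)) != _registrable_domain(href_host):
            findings.append(
                f"link text/domain mismatch: shows {shown_domain.group(1)}, goes to {href_host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            findings.append(f"link to raw IP address: {href_host}")
    return findings


# Constructed sample messages (not real mail). 203.0.113.5 is a documentation-range address.
SAMPLE_PHISH = (
    "Has your Adult Friend Finder secret come out?",
    '<p>Check if your information was leaked: '
    '<a href="http://203.0.113.5/check">https://haveibeenpwned.com</a></p>',
)
SAMPLE_LEGIT = (
    "Team lunch Friday",
    '<p>Vote on the venue: '
    '<a href="https://intranet.example.com/poll">https://intranet.example.com/poll</a></p>',
)

if __name__ == "__main__":
    for subject, body in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(f"{subject!r}: {analyze_email(subject, body) or ['clean']}")
```

None of these heuristics is conclusive on its own; the point is that several weak signals together (lure wording, display/destination mismatch, a bare IP address) are enough to quarantine or tag a message for review, which is a far better outcome than relying on a worried user to resist clicking.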
Mass media has jumped on this; the news of this hack is on CNN, NBC, you name it. If any of your users have registered on AFF, they have probably heard about it and are worried. This is a nightmare phishing scenario. Jilted spouses, divorce attorneys and private investigators are undoubtedly already poring over the data.
What To Do About It
This is not an easy one. I suggest you take immediate preventive action. It only takes one second for a worried end-user (or admin) to click on a link in an email and expose the network to attackers. I suggest you send something like this to your friends, family and end-users, and feel free to edit it.
"Last week, news broke that the Adult Friend Finder website was hacked. This is one of the top adult websites for people who want casual encounters, possibly cheating on their spouse. The site has 40 million registered users, and millions of these records are now out in the open, exposing highly sensitive personal information. Internet criminals are going to exploit this in many ways, sending spam, phishing and possibly blackmail messages, using social engineering tactics to make people click on links or open infected attachments. Be on the lookout for threatening messages like this that slip through, and delete them immediately."
As you can see, stepping your users through effective security awareness training is an absolute must these days. For KnowBe4 customers, we have a new Social Networking template that lures people into clicking on a link to the "haveibeenpwned" website to see if their personal sensitive information was hacked. The subject of the template is "Hey, has your Adult Friend Finder secret come out?"
Find out how affordable Kevin Mitnick Security Awareness Training is, and be pleasantly surprised!