Ashley Madison, Why Do Our Honeypots Have Accounts On Your Website?
She is 33 years old, from Los Angeles, 6 feet tall, sexy, aggressive, and a “woman who knows what she wants”, according to her profile. She is intriguing. However, her intrigue doesn’t end there: her email address is one of Trend Micro’s email honeypots. Wait… what?
This was how we learned that Ashley Madison users were being targeted for extortion online. While looking into the leaked files, we identified several dozen profiles on the controversial site that used email addresses belonging to Trend Micro honeypots. The profiles themselves were quite complete: all the required fields such as gender, weight, height, eye color, hair color, body type, relationship status, and dating preferences were filled in. The country and city specified matched the geolocation (longitude/latitude) of the signup IP address. Almost half (43%) of the profiles even had a written profile caption in the home language of their supposed countries.
An event like this raises several questions, which we answer below:
What is a honeypot?
Honeypots are computer systems designed to attract attackers. In this case, we have email honeypots designed to attract spam. These email honeypots just sit there, waiting for emails from questionable pharmacies, lottery scams, dead Nigerian princes, and other sorts of unwanted email. Each honeypot is designed only to receive: it does not reply, and it most certainly does not enroll itself on adultery sites.
Why was your honeypot on Ashley Madison?
The simplest and most straightforward answer is: somebody created the profiles on Ashley Madison using the honeypot email accounts.
Ashley Madison’s sign-up process requires an email address, but the site does not check whether the address is valid or whether the person registering actually controls it. A simple account activation URL sent to the address is enough to verify ownership, while a CAPTCHA challenge during registration stops bots from creating accounts in bulk. Both security measures were absent on Ashley Madison’s site.
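The two registration patterns side by side, as an added example that is not part of the original post or of Ashley Madison’s code: the weak flow accepts any address and makes the account live at once, while the hardened flow keeps the account inactive until a single-use, time-limited token delivered to the mailbox is presented back. The activation URL, the in-memory stores and the constructed honeypot address are assumptions for illustration; the CAPTCHA step mentioned above is a third-party service call and is left out.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 24 * 3600
ACTIVATION_BASE = "https://example.invalid/activate"  # assumed URL, not a real endpoint


@dataclass
class Account:
    email: str
    active: bool = False
    token_hash: Optional[str] = None  # store only a hash, as with passwords
    token_expires: float = 0.0


class WeakSignup:
    """The pattern the post describes: the address is taken as given and the
    account is live immediately, so anyone holding a scraped address list can
    register those addresses in bulk."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, email: str) -> Account:
        acct = Account(email=email, active=True)
        self.accounts[email] = acct
        return acct


class VerifiedSignup:
    """Hardened pattern: the account stays inactive until the mailbox owner
    returns a single-use, time-limited token that was emailed to them."""

    def __init__(self, send_mail: Callable[[str, str], None],
                 now: Callable[[], float] = time.time) -> None:
        self.accounts: Dict[str, Account] = {}
        self.send_mail = send_mail
        self.now = now  # injectable clock so expiry can be exercised offline

    def register(self, email: str) -> Account:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        acct = Account(
            email=email,
            active=False,
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            token_expires=self.now() + TOKEN_TTL_SECONDS,
        )
        self.accounts[email] = acct
        link = ACTIVATION_BASE + "?" + urlencode({"email": email, "token": token})
        self.send_mail(email, link)  # the only place the plaintext token leaves the server
        return acct

    def activate(self, email: str, token: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.active or acct.token_hash is None:
            return False
        if self.now() > acct.token_expires:
            return False
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(candidate, acct.token_hash):
            return False  # constant-time compare: no timing oracle on the token
        acct.active = True
        acct.token_hash = None  # single use
        return True

    def can_login(self, email: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and acct.active


def token_from_link(link: str) -> str:
    """Extract the token from an activation link (what the mailbox owner clicks)."""
    return parse_qs(urlparse(link).query)["token"][0]


def demo() -> Dict[str, bool]:
    honeypot = "honeypot@example.invalid"  # constructed address
    weak = WeakSignup()
    weak.register(honeypot)

    outbox: Dict[str, str] = {}  # stands in for the honeypot's mailbox
    clock = {"t": 1_700_000_000.0}
    svc = VerifiedSignup(send_mail=outbox.__setitem__, now=lambda: clock["t"])
    svc.register(honeypot)
    before = svc.can_login(honeypot)
    wrong = svc.activate(honeypot, "not-the-token")
    right = svc.activate(honeypot, token_from_link(outbox[honeypot]))
    replay = svc.activate(honeypot, token_from_link(outbox[honeypot]))

    late = "late@example.invalid"  # token presented only after the TTL lapses
    svc.register(late)
    clock["t"] += TOKEN_TTL_SECONDS + 1
    expired = svc.activate(late, token_from_link(outbox[late]))

    return {
        "weak_account_live_without_proof": weak.accounts[honeypot].active,
        "verified_live_before_click": before,
        "wrong_token_accepted": wrong,
        "right_token_accepted": right,
        "replay_accepted": replay,
        "expired_token_accepted": expired,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for a honeypot address is the `verified_live_before_click` result: nobody reads the honeypot's mail and clicks, so the profile never becomes visible on the site, and a bulk registrant gains nothing from the address.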
Who created the accounts – automated bots or humans?
Looking at the leaked database, Ashley Madison records the IP of users signing up using the signupip field, a good starting point for investigations. So I gathered all the IP addresses used to register our email honeypot accounts, and checked if there are other accounts signed up using those IPs.
From there, I successfully gathered about 130 accounts that share the same signupip with our email honeypot accounts.
Now, having the IPs alone is not enough, I needed to check for signs of bulk registration, which means multiple accounts signed up from a single IP over a short period of time.
Doing that, I found a few interesting clusters…
Figure 1. Profiles created from Brazilian IP addresses
Figure 2. Profiles created from Korean IP addresses
To get the time frame in the tables above, I used the updatedon field, as the createdon field does not contain a date and time for all profiles. I also observed that, curiously, the createdon and updatedon fields of these profiles are mostly the same.
As you can see, in the groups above several profiles were created from a single IP with timestamps only minutes apart. Furthermore, the creator looks like a human rather than a bot: the date of birth (dob field) is repeated, whereas bots tend to generate more random dates than humans do.
Another clue we can use is the usernames created. Example 2 shows the use of “avee” as a common prefix between two usernames. There are other profiles in the sample set that share similar characteristics. Two usernames, “xxsimone” and “Simonexxxx”, were both registered from the same IP, and both have the same birthdate.
With the data I have, it looks like the profiles were created by humans.
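The two steps above, clustering signups by IP within a short window and then scoring each cluster for the human traits the post describes (a repeated dob, usernames built on a shared stem or prefix), as an added example that is not part of the original analysis. The rows are constructed for illustration (RFC 5737 documentation IPs, made-up usernames that echo the traits described); only the column names signupip, username, dob, createdon and updatedon come from the post, and the 30-minute window and minimum cluster size of three are assumed thresholds.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations
from typing import Dict, List

# Constructed sample rows; as the post notes, createdon carries a time only for
# some profiles, while updatedon is populated for all of them.
SAMPLE_CSV = """signupip,username,dob,createdon,updatedon
203.0.113.10,xxsimone,1978-05-02,2014-11-03,2014-11-03 10:02:11
203.0.113.10,Simonexxxx,1978-05-02,2014-11-03,2014-11-03 10:05:40
203.0.113.10,aveelina,1990-01-15,2014-11-03,2014-11-03 10:09:03
203.0.113.10,aveeruth,1990-01-15,2014-11-03 10:12:55,2014-11-03 10:12:55
198.51.100.7,kyong88,1990-07-21,2014-12-01 08:00:00,2014-12-01 08:00:00
198.51.100.7,minji_k,1990-07-21,2014-12-01 08:04:30,2014-12-01 08:04:30
198.51.100.7,hana_seoul,1990-07-21,2014-12-01 08:07:12,2014-12-01 08:07:12
198.51.100.7,lonewolf,1982-03-03,2015-02-14 21:00:00,2015-02-14 21:00:00
192.0.2.55,singleton,1985-09-09,2015-01-01,2015-01-01 12:00:00
"""


def signup_time(row: Dict[str, str]) -> datetime:
    """Prefer createdon when it has a time; otherwise fall back to updatedon."""
    for field in ("createdon", "updatedon"):
        try:
            return datetime.strptime(row[field], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
    raise ValueError(f"no usable timestamp in {row}")


def load_rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def bulk_clusters(rows: List[Dict[str, str]], window: timedelta = timedelta(minutes=30),
                  min_size: int = 3) -> List[List[Dict[str, str]]]:
    """Group by signupip, then split each IP's signups wherever the gap between
    consecutive registrations exceeds `window`. Clusters below `min_size` are
    ordinary shared-IP noise (NAT, DSL address churn) and are dropped."""
    by_ip: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for row in rows:
        by_ip[row["signupip"]].append(row)
    clusters = []
    for group in by_ip.values():
        group.sort(key=signup_time)
        current = [group[0]]
        for prev, cur in zip(group, group[1:]):
            if signup_time(cur) - signup_time(prev) <= window:
                current.append(cur)
            else:
                if len(current) >= min_size:
                    clusters.append(current)
                current = [cur]
        if len(current) >= min_size:
            clusters.append(current)
    return clusters


def name_stem(username: str) -> str:
    """Lower-case, keep letters only, strip padding runs of 'x', so that
    'xxsimone' and 'Simonexxxx' collapse to the same stem."""
    return "".join(ch for ch in username.lower() if ch.isalpha()).strip("x")


def common_prefix(a: str, b: str) -> str:
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


def human_indicators(cluster: List[Dict[str, str]], min_prefix: int = 4) -> Dict[str, object]:
    """A repeated dob and usernames sharing a stem or prefix suggest a person
    typing variations; a bot would randomize both."""
    dobs = [r["dob"] for r in cluster]
    shared = set()
    for a, b in combinations(cluster, 2):
        sa, sb = name_stem(a["username"]), name_stem(b["username"])
        if sa and sa == sb:
            shared.add(sa)
        elif len(common_prefix(sa, sb)) >= min_prefix:
            shared.add(common_prefix(sa, sb))
    span = signup_time(cluster[-1]) - signup_time(cluster[0])
    return {
        "signupip": cluster[0]["signupip"],
        "size": len(cluster),
        "span_minutes": span.total_seconds() / 60,
        "repeated_dob": len(set(dobs)) < len(dobs),
        "shared_name_patterns": sorted(shared),
    }


def analyze(text: str = SAMPLE_CSV) -> List[Dict[str, object]]:
    return [human_indicators(c) for c in bulk_clusters(load_rows(text))]


if __name__ == "__main__":
    for report in analyze():
        print(report)
```

On the sample, the 203.0.113.10 cluster is flagged for both a repeated dob and the shared name patterns "avee" and "simone"; the 198.51.100.7 cluster is flagged only for its repeated dob, and the lone February signup from the same IP falls outside the window and is not counted. The singleton IP is dropped entirely, which is the check that keeps a busy NAT address from being mistaken for a bulk registrant.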
Did Ashley Madison create the accounts?
Maybe, but not directly, is the most incriminating answer I can think of.
The signup IPs used to create the profiles are distributed in various countries and on consumer DSL lines. However, the crux of my doubt is based on gender distribution. If Ashley Madison created the fake profiles using our honeypot emails, shouldn’t the majority be females so they can use it as “angels”?
Figure 3. Gender distribution of profiles, by country
As you can see, only about 10% of the profiles with honeypot addresses were female.
The profiles also exhibited a weird bias in their year of birth, as most of the profiles had a birth date of either 1978 or 1990. This is an odd distribution and suggests the accounts were created to be in a pre-specified age range.
Figure 4. Years of birth of profiles
In light of the most recent leak, which reveals that Ashley Madison actively outsourced the creation of fake profiles in order to expand into other countries, the country distribution of the fake profiles and the bias towards a particular age range suggest that our email honeypot accounts may have been used by profile creators working for Ashley Madison.
If it wasn’t Ashley Madison, who created these profiles?
Let’s back off for a moment. Are there any other groups who would profit from creating fake profiles on a dating/affair site like Ashley Madison? The answer is pretty simple – forum and comment spammers.
These forum and comment spammers are known to create website profiles and pollute forum threads and blog posts with spam comments. The more advanced ones are able to send direct message spam.
Since Ashley Madison implemented neither activation emails nor CAPTCHAs to ward off these spammers, it is possible that at least some of the profiles were created by spambots.
What do the findings mean to me? Should I be concerned?
Suppose you never consciously signed up for a site like Ashley Madison. You must be safe from all of this right?
Well, no. Many of these fake profiles were created using valid email accounts, i.e. email addresses that belong to an actual person, not a honeypot. Those addresses were known to the spambots and profile creators because they were already included in the large email address lists that spammers keep (this is how our email honeypot got an Ashley Madison profile).
So, if your email address is somewhere out there on the World Wide Web, whether listed on a website or on your Facebook profile, it is at risk of being scraped and added to a list that is available to both traditional email spammers and website spammers… which in turn puts you at risk of having an account created on your behalf on sites like Ashley Madison.
With all the controversy surrounding the Ashley Madison hack, the subsequent shaming of “members” and blackmail attempts, keeping your email address hidden from the public won’t just save you from the trouble of receiving emails from Nigerian princes, but also from sticky situations such as this.
Hat tip to Jon Oliver for pointing me down this rabbit hole.