The Heartbleed security vulnerability was announced recently and had IT security professionals rapidly taking action to plug security holes. System passwords were changed and alerts sent to end users telling them to do the same.
Heartbleed is a highly serious data security vulnerability that was discovered in the OpenSSL cryptographic software library. It is so called because it affects an SSL/TLS extension commonly known as Heartbeat. Over half a million websites are believed to have been affected by the Heartbleed vulnerability.
The Internet is normally secured with SSL/TLS encryption. This allows information to be exchanged securely by a wide range of Internet applications, including Instant Messaging (IM) services, email, and even Virtual Private Networks (VPNs). Unfortunately, the Heartbleed bug allows anyone to steal passwords even with SSL/TLS encryption in place. According to American cryptographer Bruce Schneier, Heartbleed is a potentially catastrophic security vulnerability. He recently said, “On the scale of one to 10, this is an 11.”
IT departments have been frantically issuing alerts to change passwords
Sensitive data is protected by passwords; however, Heartbleed has potentially allowed passwords to be compromised. The security vulnerability may have only just been discovered, but it has existed for at least two years. Hackers are not understood to have used the vulnerability to gain access to sensitive data, but it is actually rather difficult to tell whether they have. As a security measure, IT staff have been sending emails to all users advising them to change their passwords just in case.
Unfortunately, they are not the only individuals sending password change requests to users. Online scammers have been piggybacking on the major data security event and have been sending emails of their own, conveniently including links that supposedly allow users to rapidly address the huge security hole.
Any individual who has heard about the security issue will be keen to protect themselves against hackers and cyber criminals. Emails telling them to change their passwords are likely to be clicked. Unfortunately, clicking those links will take users to a website where they are asked to enter their current passwords. By doing so they will be handing them to criminals. They may think they are protecting themselves, but their actions will be doing the exact opposite.
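The tell-tale sign of the lure described above is that the link in a "change your password" notice does not lead to the organisation's own site, even when its visible text says it does. The following is an added example of a mail-filter check for that pattern; it is not code from SpamTitan or from the original post, and the trusted hosts and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: genuine password-change notices only link to these hosts (hypothetical domains).
TRUSTED_HOSTS = {"example-corp.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the HTML part of an e-mail."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def suspicious_links(html, trusted_hosts=TRUSTED_HOSTS):
    """Return [(href, [reasons])] for links a user should not click: the real
    destination is outside the trusted hosts, or the visible text shows a
    different host than the href actually points to."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = _host(href)
        reasons = []
        if dest and not any(dest == t or dest.endswith("." + t) for t in trusted_hosts):
            reasons.append("destination %s is not a trusted host" % dest)
        shown = _host(text) if text.startswith(("http://", "https://")) else ""
        if shown and shown != dest:
            reasons.append("link text shows %s but points to %s" % (shown, dest))
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: a Heartbleed-themed password-reset lure, not a real message.
SAMPLE_EMAIL = """<p>Due to the Heartbleed bug you must change your password now.</p>
<a href="http://login.example-corp.com.reset-now.example">https://login.example-corp.com/reset</a>
<a href="https://login.example-corp.com/help">Help</a>"""
```

Run against SAMPLE_EMAIL, the first link is reported twice over (untrusted destination and a text/href host mismatch) while the genuine help link passes.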
Beware of Heartbleed Protection Scams
Piggybacking on major news events is a common tactic used by phishers to get computer users to reveal their sensitive information. News of a major IT security flaw is music to phishers’ ears. Computer users are fearful of a cyber attack and phishers play on those fears. The response rate to emails of this nature is typically high.
Many IT professionals have been busy securing their networks and have performed security audits to address the latest vulnerability and search for others that may exist. Software companies are taking advantage and are offering products that will perform full system security checks. After all, there is no better time to boost sales than when the public is keen to improve online security.
Scammers have been taking advantage by sending links to websites that will supposedly perform security checks. The scam emails and adverts appear genuine. They offer a free system check to determine whether vulnerabilities exist and they have even promised to clean systems and install the required patches to secure devices. By accepting these checks, users will just be guaranteeing that their devices are compromised. It is therefore a time to be extremely vigilant for online scams. Efforts must be made to check that any request to improve security is actually genuine before it is accepted.
How to Beat the Scammers, Spammers and Phishers
Fortunately, it is relatively easy to avoid becoming a victim of one of these scams. Receiving an email with a link or an attachment will not automatically compromise a computer. Action is required by the user for that to happen. If the phishing email is deleted, so is the threat. However, not all users know how to identify a phishing email. If one does reach an inbox, a user may end up infecting their computer or, worse still, the network to which that computer connects.
It is important to give computer users the information they need to protect themselves. They must be advised of the tell-tale signs of a phishing email. Only then will they know how to determine if an email is genuine. Training is therefore important, and now is a good time to ensure that the staff is well informed.
It is also an ideal time to install some additional safeguards to prevent spam and scam emails from reaching users’ inboxes. SpamTitan Technologies offers two excellent security solutions. The first is a robust and highly effective spam filter that prevents spam and scam emails from being delivered. The second solution prevents users from clicking links to scammers’ websites.
SpamTitan web filtering works like a business version of a parental control filter. Instead of just blocking gambling, dating, and pornographic websites from being visited, it also blocks users from visiting known phishing websites and even genuine websites that have been infected with malware.
By installing both of these anti-phishing solutions, IT professionals can sleep easy. The Heartbleed vulnerability will still need to be addressed, but they will be able to relax a little knowing that end users will not be falling for the myriad of piggybacking phishing campaigns that have been developed over the past few days since the Heartbleed announcement was made.