If you haven’t already, over the next several days you will get email notifications from various companies – from retailers that deliver your socks, to the card companies that manage your frequent flyer programs, to the bank that holds your mortgage – with a subject that includes the phrase “Security Update”. The email will suggest that you should change your password on the company’s site and some will include a helpful link to start the process.
The reason for this notification is the Heartbleed vulnerability in the OpenSSL library. This bug essentially means that passwords and other sensitive data from servers across the Internet may have been compromised. Security expert Bruce Schneier says Heartbleed “is an 11” on the scale of 1 to 10 because of the scale of the compromise and the type of information that may have been leaked. The bug impacts a significant number of services, companies and sites – estimates suggest about two-thirds of the world’s web servers. Companies that own these servers will need to update the software on these servers and many will notify their customers to change their passwords.
While many of the email notifications will be legitimate, criminals will use this opportunity to trick consumers into revealing passwords. They will do so by sending spoofed security-related emails purporting to come from popular brands and services. These spoofed emails will include password-reset links that take the recipients to fake sites that phish usernames, passwords and other sensitive information. This is a common pattern when a breach or vulnerability is revealed – criminals often attempt a one-two punch to get access to even more sensitive or valuable information from customers of the impacted company. This time, of course, the potential targets of such phishing attempts will be almost everyone on the Internet.
Even when you see an email you believe to be legitimate, do not click on links within the email to reset your password. Instead, go directly to the site or service in question.
Some of the top brands on the Internet, including Facebook, Yahoo! and JP Morgan Chase, use an open standard called DMARC to protect their customers from such spoofing attacks. DMARC allows a company to ensure that only legitimate emails representing its brand are delivered. Customers of brands that use DMARC are better protected from email attacks of all types, including the ones triggered by unfortunate circumstances like Heartbleed.
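To make the mechanism behind that sentence concrete, here is an added Python example (not code from the original post, nor from any DMARC implementation) that parses a published DMARC record and decides what a receiving mail server should do with a message, given the SPF and DKIM results it has already computed. Everything in it is constructed for illustration: the domain `bank.example`, the record text, and the three sample messages. The `organizational_domain` helper is a deliberate simplification that takes the last two DNS labels; real receivers use the Public Suffix List for that step.

```python
"""Evaluate the DMARC disposition of a message.

A DMARC record is published in DNS at _dmarc.<domain> as a TXT record.
A receiver authenticates the message with SPF and DKIM, then checks that
the authenticated domain is *aligned* with the domain in the visible
From: header. If nothing aligned passes, the domain owner's policy
(p=none / quarantine / reject) is applied. Spoofed mail that passes SPF
or DKIM for the attacker's own domain still fails, because it is not
aligned with the brand's From: domain.
"""


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' text into a dict. Returns None if not DMARC."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    # Alignment defaults to relaxed ('r') for both SPF and DKIM.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Simplified: last two labels. Real receivers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') allows subdomains."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_results):
    """Return 'pass' or the policy to apply ('none', 'quarantine', 'reject').

    spf_domain is the domain SPF was evaluated against (envelope sender).
    dkim_results is a list of (result, d= domain) pairs, one per signature.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = any(
        result == "pass" and aligned(from_domain, d, record["adkim"])
        for result, d in dkim_results
    )
    if spf_ok or dkim_ok:
        return "pass"
    # Mail from a subdomain uses the 'sp' policy when one is published.
    if from_domain.lower() != organizational_domain(from_domain) and "sp" in record:
        return record["sp"]
    return record["p"]


# Constructed record for a hypothetical bank: strict DKIM, relaxed SPF,
# reject at the top level, quarantine for unauthenticated subdomain mail.
RECORD = parse_dmarc_record(
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
    "rua=mailto:dmarc-reports@bank.example"
)


def evaluate_samples():
    """Run three constructed messages through the policy."""
    return {
        # Legitimate notice: SPF passes for the bank's bounce subdomain (relaxed OK).
        "legit": dmarc_disposition(
            RECORD, "bank.example", "pass", "bounce.bank.example", []),
        # Phish: attacker's own SPF and DKIM pass, but neither aligns with From:.
        "spoof": dmarc_disposition(
            RECORD, "bank.example", "pass", "phish-sender.example",
            [("pass", "phish-sender.example")]),
        # Subdomain From: with no aligned pass falls through to sp=quarantine.
        "subdomain": dmarc_disposition(
            RECORD, "alerts.bank.example", "fail", "phish-sender.example", []),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name}: {verdict}")
```

The point of the `spoof` case is the one that matters for Heartbleed-style phishing waves: a criminal can set up perfectly valid SPF and DKIM for a domain they control, but DMARC's alignment requirement ties the decision to the domain the customer actually sees in the From: header, so the brand's `p=reject` still applies.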