Search Close
Email Security Blog

The Heartache from Heartbleed Has Only Just Begun

Agari April 11th, 2014 Cybercrime, DMARC
Fallback Featured Image

If you haven’t already, over the next several days you will get email notifications from various companies – from retailers that deliver your socks, to the card companies that manage your frequent flyer programs, to the bank that holds your mortgage – with a subject that includes the phrase “Security Update”. The email will suggest that you should change your password on the company’s site and some will include a helpful link to start the process.

The reason for this notification is the Heartbleed vulnerability in the OpenSSL library. This bug essentially means that passwords and other sensitive data from servers across the Internet may have been compromised. Security expert Bruce Schneier says Heartbleed “is an 11” on the scale of 1 to 10 because of the scale of the compromise and the type of information that may have been leaked. The bug impacts a significant number of services, companies and sites – estimates suggest about two-thirds of the world’s web servers. Companies that own these servers will need to update the software on these servers and many will notify their customers to change their passwords.

While many of the email notifications will be legitimate, criminals will use this opportunity to trick consumers into revealing passwords. They will do so by sending spoofed security-related emails purporting to come from popular brands and services. These spoofed emails will include password-reset links that take the recipients to fake sites that phish usernames, passwords and other sensitive information. This is a common pattern when a breach or vulnerability is revealed – criminals often attempt a one-two punch to get access to even more sensitive or valuable information from customers of the impacted company. This time, of course, the potential targets of such phishing attempts will be almost everyone on the Internet.

Even when you see an email you believe to be legitimate, do not click on links within the email to reset your password. Instead, go directly to the site or service in question.

Some of the top brands on the Internet, including Facebook, Yahoo! and JP Morgan Chase use an open standard called DMARC to protect their customers from such spoofing attacks. DMARC allows a company to ensure that only legitimate emails representing their brand are delivered. Consumers of brands that use DMARC are better protected from email attacks of all types, including the ones triggered by unfortunate circumstances like Heartbleed.

Leave a Reply

Your email will not be published. All fields are required.

December 6, 2018 Crane Hassold

How an Elite Counterintelligence Team Investigates BEC Scams Worldwide

November 28, 2018 Crane Hassold

Why Just Play Defense Against Cybercriminals When You Can Do So Much More?

October 16, 2018 Fareed Bukhari

One Year Later: Federal Mandate for Email Authentication Huge Success

October 16, 2018 Patrick Peterson

DMARC: A 12-Month Triumph for DHS—and the Nation

August 10, 2018 Patrick Peterson

Half of Federal Agencies Racing to Meet DMARC Active Enforcement Deadline

mobile image