Email Security Blog

The Heartache from Heartbleed Has Only Just Begun

Agari April 11, 2014 Cybercrime, DMARC

If you haven’t already, over the next several days you will get email notifications from various companies – from retailers that deliver your socks, to the card companies that manage your frequent flyer programs, to the bank that holds your mortgage – with a subject that includes the phrase “Security Update”. The email will suggest that you should change your password on the company’s site and some will include a helpful link to start the process.

The reason for this notification is the Heartbleed vulnerability in the OpenSSL library. This bug essentially means that passwords and other sensitive data from servers across the Internet may have been compromised. Security expert Bruce Schneier says Heartbleed “is an 11” on the scale of 1 to 10 because of the scale of the compromise and the type of information that may have been leaked. The bug impacts a significant number of services, companies and sites – estimates suggest about two-thirds of the world’s web servers. Companies that own these servers will need to update the software on these servers and many will notify their customers to change their passwords.

While many of the email notifications will be legitimate, criminals will use this opportunity to trick consumers into revealing passwords. They will do so by sending spoofed security-related emails purporting to come from popular brands and services. These spoofed emails will include password-reset links that take the recipients to fake sites that phish usernames, passwords and other sensitive information. This is a common pattern when a breach or vulnerability is revealed – criminals often attempt a one-two punch to get access to even more sensitive or valuable information from customers of the impacted company. This time, of course, the potential targets of such phishing attempts will be almost everyone on the Internet.

Even when you see an email you believe to be legitimate, do not click on links within the email to reset your password. Instead, go directly to the site or service in question.

Some of the top brands on the Internet, including Facebook, Yahoo! and JP Morgan Chase, use an open standard called DMARC to protect their customers from such spoofing attacks. DMARC allows a company to ensure that only legitimate emails representing its brand are delivered. Consumers of brands that use DMARC are better protected from email attacks of all types, including the ones triggered by unfortunate circumstances like Heartbleed.
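To show how a receiving mail server uses a brand's DMARC policy to decide whether a spoofed "Security Update" message is delivered, here is an added example (not Agari's code and not part of the original post). It parses a DMARC TXT record, checks identifier alignment between the visible From: domain and the domains that SPF and DKIM authenticated, and returns the disposition the policy asks for; the domains and record values are constructed placeholders, and the organizational-domain check is a simplification of what a real resolver does with the Public Suffix List.

```python
from typing import Optional

# Minimal DMARC evaluation: parse a published policy record and decide what
# happens to a message given its From: domain plus the SPF and DKIM results.
# Ignores the pct= sampling tag and subdomain policy (sp=) for brevity.

def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # DKIM alignment defaults to relaxed
    tags.setdefault("aspf", "r")   # SPF alignment defaults to relaxed
    return tags

def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels (simplification;
    a production implementation consults the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record: str, from_domain: str,
                      spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str]) -> str:
    """Return 'pass' when the message is DMARC-authenticated, otherwise the
    policy action requested by p= ('none', 'quarantine' or 'reject').
    spf_pass_domain is the MAIL FROM domain SPF passed for (None if it failed);
    dkim_pass_domain is the d= of a DKIM signature that verified (None if none)."""
    tags = parse_dmarc_record(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]

# Constructed example: a spoofed password-reset mail claims From: example-bank.com,
# but SPF only passed for the sender's own attacker-controlled domain and there is
# no DKIM signature for the bank, so a p=reject policy blocks it outright.
if __name__ == "__main__":
    print(dmarc_disposition("v=DMARC1; p=reject", "example-bank.com",
                            "mailer.example.net", None))  # prints "reject"
```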
