In all the buzz surrounding the Heartbleed vulnerability in OpenSSL, the most common advice for end users was to reset passwords used for sensitive websites. Setting aside the fact that this may not be the best advice as such – read this article for the exact ins-and-outs of what you should do – users also have to be alert for potential phishing attacks on the way, security experts have warned.
Security researchers disclosed details of the Heartbleed vulnerability last week, and server administrators and service providers around the world have been scrambling to check their systems and to close the vulnerability as soon as possible. As we've previously discussed, the software bug can be exploited to grab random bits of information in the computer's memory, potentially leaking private keys, sensitive data, and certificates.
Considering the level of interest in the topic as researchers figure out the magnitude of the problem and implications, phishing attacks masquerading as password reset notifications are very likely. It's easy to imagine cyber-criminals and other scammers gleefully rubbing their hands together as they plan piggyback attacks.
Some organisations have already patched their systems and are proactively reaching out to customers to advise them to change their passwords. Unfortunately, we've seen at least two instances where the email included a clickable link taking users to the site to reset the password. And what's the first rule of avoiding phishing attacks? Let's say it together: Do not click on links in emails!
As we've seen with fake PayPal and banking emails, it's easy to forge email headers and to craft very realistic looking emails. The site users wind up on could also look like the real thing.
To be fair, people are getting better at recognising password reset emails as being potentially malicious. However, the current concerns over Heartbleed may trick even the most cautious users. "If you were thinking, 'Hey, maybe I should change my example.com password, just in case,' and then an email arrives claiming to be from example.com that takes you to a login screen that looks just like example.com... you could be forgiven for just following habit and trying to login," Paul Ducklin, a security evangelist for Sophos, wrote on the Naked Security blog.
Security rules still apply
Yes, Heartbleed is serious and will have implications on Internet security for months and years ahead. But that doesn't mean we forget all the lessons about recognising spam and phishing emails. Be suspicious of any unsolicited emails you receive, even if they are from companies you are familiar with. If the email asks you to click on a link inside the message to reset your password, stifle the urge to do so. Manually visit the website and initiate the password reset directly from the site.
If companies stopped to consider the security implications and did not put links to the login page in the email itself, it would be much safer for customers because they won't get in the habit of clicking on links, Ducklin argued. "If no legitimate sites ever put login links in their email correspondence, then deciding whether login links are good or bad becomes trivial: They're bad, and that's the end of it," he said.
Last week, we saw lots of advice flying around telling users to change their passwords everywhere. Instead, you should only change passwords on sites which have confirmed they have fixed the Heartbleed flaw. Anything else could actually be increasing the chances of your private information being snaffled, Ducklin warned.