It was bound to happen sooner or later. With the threat of Heartbleed still very fresh in our minds, cyber criminals have lost no time in cashing in on the scare by sending out emails with attachments that purport to be tools for helping users get rid of the bug.
“…it appears some hackers are trying to convince potential victims that Heartbleed can be ‘uninstalled’ from their computers,” wrote Gary Davis, vice-president of global consumer marketing for security software company McAfee Inc. “They’re doing this by sending out emails loaded with a ‘Heartbleed remover’ tool attachment, which is really just a cleverly disguised package of malicious malware.”
Two months ago, when Heartbleed began grabbing all the headlines, it was estimated that more than 70 per cent of Web sites were affected by the vulnerability, which could allow hackers to grab control of users’ machines. Even the Canada Revenue Agency was forced to shut down its Web site at the height of tax season.
Heartbleed is a flaw in older versions of OpenSSL, software that enables encrypted communications between web services and computers. The vulnerability has great potential for creating trouble because OpenSSL is widely used in operating systems, routers and networking equipment.
To deal with Heartbleed, administrators need to apply a server-side patch to OpenSSL. Computer users need to change their passwords for accounts on Web services that were affected by Heartbleed.
However, Davis said, hackers are now tricking people into believing that Heartbleed is something they need to remove from their computers with a “Heartbleed removal tool.”
“Heartbleed affects nearly every person using the Internet (especially if you haven’t changed your passwords since the bug was discovered) because the vulnerability deals with how servers interpret information, such as usernames and passwords, that is sent online,” Davis explained. “That means users cannot protect themselves from the vulnerability until the bug is fixed on the server’s side—meaning a company’s IT administrator has to fix it.”
He said victims of this type of phishing attack are actually downloading keyloggers that record the computer user’s keystrokes and send them back to a controlling hacker. With the information from the keylogger, the hacker can log in to the user’s accounts and access personal and financial information.
Davis said the phishing emails found by McAfee had an attachment that was supposedly a tool for removing Heartbleed.
The email also aroused their suspicion because its subject line, “Looking for Investment Opportunities from Syria,” had nothing to do with the body of the email.
Davis said these were two dead giveaways that the email was bogus.
He also said there was a line in the letter that said: “If you get a warning from windows or your Anti-Virus that this file might harm your computer, please ignore this warning … as it will be an attempt by the virus program to stop you from running the tool.”
“It’s a sentence explicitly telling you to ignore your own security programs,” Davis said. “It’s a subtle order, but it’s one that’s necessary for the attack to work.”