Phishers Pump out Heartbleed Attacks

Contributor: Binny Kuriakose

Symantec has recently detected phishing emails related to the Heartbleed Bug. The phisher attempts to gather information by posing as a US military insurance service with a message about the Heartbleed bug.

The Heartbleed bug is a recently discovered security vulnerability affecting OpenSSL versions 1.0.1 to 1.0.1f. This vulnerability was fixed in OpenSSL 1.0.1g. Symantec’s security advisory gives more details on the bug and offers remediation steps.

Spammers and phishers are known to use trending news and popular topics to disguise their payloads. In the case of phishing emails, phishers often cite security concerns to legitimize and disguise their social engineering methods. The payloads of these emails attempt to compel the messages’ recipients into divulging sensitive information.

In this case, the phishers send the following email.

 figure1_phish_0.png
Figure 1. Preview of the Heartbleed phishing mail

There are several interesting attributes of this example which should be pointed out. 

  • According to the X-Mailer header, the sender is using a very old mail client (Microsoft Outlook Express 6.00.2600.0000). Although there are plenty of users still utilizing old email software, it is highly unlikely that a modern online business would be using a desktop mail client to send out security notifications.
  • Notice the unusual grammar with the usage of “has initiate”. Often, phishers will attempt to quickly capitalize on a new topic. In doing so, they will usually make grammatical errors due to the pressures of sending out a new phishing campaign as soon as possible. Also, phishing emails are often sent by people who don’t speak English as their first language.
  • Additionally, the phishing email purports to be a security alert from a reputable US military insurance service but contains a “Sign In” page that actually points to a compromised Turkish manufacturing site.

Although this is not an exhaustive list of identifying factors for phishing emails, it highlights some of the irregularities and inconsistencies often seen in phishing campaigns.

As detailed in the official Symantec Heartbleed Advisory, Symantec warns users to be cautious of any email that requests new or updated personal information. Users should not click on any password reset or software update links in these messages. If users need to update or change their personal information, it is best to do so by directly visiting the website.