The Heartbleed bug – the OpenSSL vulnerability that exposes private keys, passwords and other information of most Internet users – has made a lot of headlines over the past few days. This is why it has also attracted the attention of cybercriminals.
The first to warn of phishing scams fueled by news about Heartbleed was Australian security expert Troy Hunt.
The SANS Institute’s Rob VandenBrink has also published an advisory. VandenBrink says he has already received fake emails asking him to change his password on services for which he hasn’t signed up. The notifications contain links pointing to malware or phishing websites.
The expert says that some companies have started sending out messages that look like phishing emails.
“Helpful emails with links in them are in most cases NOT helpful. Don't click that link!” he warned.
The Heartbleed bug affects many major online services, which is why users are advised to change their passwords as a precaution. It’s difficult to say what and whose data has been compromised, but it’s better to be safe than sorry.
However, experts highlight one important thing: changing your password for a service that’s still vulnerable is pointless. Wait for the website to patch its OpenSSL installation before changing the password.
LastPass has added a new feature to its Security Check tool so that users can check which services are still vulnerable to heartbeat attacks.