Trend Micro experts have come across some bogus warning emails

Apr 24, 2014 09:10 GMT  ·  By

The OpenSSL vulnerability known as Heartbleed has made numerous headlines over the past few weeks, so it’s not surprising that cybercriminals are leveraging the topic to attract the attention of unsuspecting users.

Trend Micro has come across some interesting spam emails leveraging the topic. The malicious warnings carry the subject line “Heartbleed Bug Warning” and they read something like this:

“I just want to let you know that there is a big security concern now on the internet. The Internet bug called Heartbleed Bug, was recently discovered by experts. So if I were you, you need to change your internet passwords specially your banking passwords. Check for this report in CNN.”

The emails are signed by an individual called “Dexter” who appears to live in Riyadh, Saudi Arabia. The footer of the email contains an “unsubscribe” link, but that doesn’t make it any less dangerous.

As expected, the “Report from CNN” link contained in the notification doesn’t point to a report from CNN, but to a suspicious website.

Trend Micro hasn’t been able to precisely determine what’s on this site because it has been taken down. However, it’s safe to assume that it was something malicious.

The Heartbleed bug is one of the most critical vulnerabilities we’ve seen over the past period. Because its every aspect has been covered by mainstream media, most people know about it, even if they don’t know the technical details.

The numerous alerts and advisories have made people aware of the seriousness of the issue. That’s why there might be enough internauts who would click on links from such emails without giving it too much thought.

“Cybercriminals are ready and willing to use all newsworthy topics for their social engineering schemes, including big security incidents/advisories,” Trend Micro anti-spam research engineer Fjordan Allego noted in a blog post.

“With the Heartbleed Bug being as big and as serious a security issue can get – not only does it affect some of the most popular websites on the Web today, but can also strike from mobile apps as well – users need to anticipate that threats may strike in a way that they never really expect,” Allego added.

As a general rule, users who want to avoid falling victim to phishing scams or having their computers infected with malware should never trust any unsolicited emails, no matter how interesting or urgent they sound.