
Heartbleed Used by Identity Thieves in Phishing Scam

As many security experts predicted, scammers are exploiting the news of the Heartbleed Internet-security bug, sending unsuspecting citizens email messages asking them to log into sensitive accounts.

Researchers at security giant Symantec noticed one such message, which purported to come from a well-known insurance company that caters to U.S. military veterans and their families. The message is part of a phishing scam trying to steal website login credentials in order to gain access to sensitive personal information.


"We wanted to make you aware of 'Heartbleed' Internet bug affecting many servers," reads the Heartbleed phishing message in official-sounding but somewhat stilted English. "A security patch was implemented for [the company website] earlier this week, and although we have no indication that our security certificates have been compromised, we have obtained new certificates for [the website]."

So far, so good. Heartbleed did indeed affect millions of Web and email servers, and in order to properly patch them, administrators would have to reissue security certificates that may have been compromised.

But then the email goes off the rails.

"[The company] has initiate backup security certificates 'Secure Sockets Layer (SSL)' and an Advanced Identity Theft Assistance Team," it says. "We recommend all [company] members to logon and register to the backup security certificates 'Secure Sockets Layer (SSL)' and the Advanced Identity Theft Assistance Team."

Not only is that painfully ungrammatical, but it makes no technical sense. Heartbleed does affect the SSL security protocol, but SSL is not a security certificate — it's like equating gasoline and license plates — nor does any end user need to "register" to "backup security certificates." The spammers seem to have picked phrases from Heartbleed news coverage and tossed them into an impressive-sounding word salad.

If the not-quite-there English skills and confusing logic don't alert you to the scam, then the next item should. The spammers have helpfully included a "Sign On" button, but it doesn't go to the website of the company involved. Instead, the Symantec team said, the link "actually points to a compromised Turkish manufacturing site."
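The tell described above, a "Sign On" button whose link leads somewhere other than the company it claims to represent, is something a mail filter or an analyst can check mechanically. The following is an added example, not code from the original article or from Symantec: it parses the HTML body of a message, collects every link with its visible text, and flags links whose host is not under the domain the message claims to come from, marking login-style link text as the higher-risk case. The sample message, the claimed domain `insurer.example` and the off-domain link target are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body modelled on the phishing message quoted in the article.
# Domains are invented placeholders, not the real insurer or the real compromised site.
SAMPLE_HTML = """
<html><body>
<p>A security patch was implemented for insurer.example earlier this week.</p>
<p>We recommend all members to logon and register.</p>
<a href="http://compromised-site.example.tr/login.php">Sign On</a>
<a href="https://www.insurer.example/heartbleed-notice">Read our notice</a>
</body></html>
"""

# Hypothetical heuristic: link text that invites the reader to authenticate.
LOGIN_TEXT = re.compile(r"\b(sign[ -]?on|sign[ -]?in|log[ -]?in|logon)\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the anchor currently open, if any
        self._text = []        # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def host_matches(host, claimed_domain):
    """True if host is the claimed domain or a subdomain of it (exact suffix match,
    so 'insurer.example.evil.test' does not pass)."""
    host = host.lower().rstrip(".")
    claimed = claimed_domain.lower().rstrip(".")
    return host == claimed or host.endswith("." + claimed)


def find_mismatched_links(html_body, claimed_domain):
    """Return links whose target host is not under the sender's claimed domain.
    Each entry records the visible text, the raw href, the parsed host and whether
    the link text looks like a login prompt (credential-harvest indicator)."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        host = urlparse(href).hostname
        if host is None or not host_matches(host, claimed_domain):
            flagged.append({
                "text": text,
                "href": href,
                "host": host,
                "login_prompt": bool(LOGIN_TEXT.search(text)),
            })
    return flagged


if __name__ == "__main__":
    for link in find_mismatched_links(SAMPLE_HTML, "insurer.example"):
        severity = "HIGH (login prompt)" if link["login_prompt"] else "MEDIUM"
        print(f"{severity}: '{link['text']}' -> {link['host']} ({link['href']})")
```

The domain comparison deliberately uses an exact suffix match rather than a "last two labels" shortcut, because country-code domains such as the `.tr` host in the sample would otherwise be grouped wrongly; a production filter would additionally consult the public suffix list and resolve URL shorteners before comparing.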

Anyone who falls for the scam will be at grave risk of identity theft. Handing over the login credentials to an insurance-company online account gives the scammers access to the victim's name, address, birthdate, medical history and, probably, Social Security number. With such information, opening new banking, financial or insurance accounts in the victim's name would be a snap.

No one should ever click on a link embedded in an email message. It's just too easy for scammers to put malicious links in innocuous-seeming messages, even messages that seem to come from trusted companies, friends or colleagues.

Instead, type the purported link directly into your Web browser, or browse to the website of the company involved. Clients of the insurance company supposedly sending these email messages would quickly see that while there is a note on the company website about patching the site for Heartbleed, there's nothing about "registering to backup security certificates."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.