Attackers are actively leveraging the Heartbleed vulnerability as part of spam campaigns and security specialist Symantec is warning about the dangers of the latest spam campaign, which plays on users’ fear of Heartbleed by masquerading as an attempt to help users secure themselves from the security flaw.
The Heartbleed encryption flaw, publicly disclosed April 7, is technically identified as CVE-2014-0160 and referred to as a “Transport Layer Security (TLS) Heartbeat read overrun” vulnerability. The Heartbleed flaw affects the open-source OpenSSL cryptographic library, which is widely used on servers and end-user devices for Secure Sockets Layer (SSL) encryption.
The new Heartbleed spam campaign is not the first spam campaign that takes advantage of the Heartbleed bug, Symantec Security Response Manager Satnam Narang told eWEEK. “However, this may be the first spam campaign that has a fake and malicious removal tool as an attachment,” he said.
The new Heartbleed spam campaign includes malware that Symantec identifies as Trojan.Dropper and Infostealer. The malware included in the new Heartbleed spam campaign has been known to Symantec for years and existing antivirus technology is already able to detect and block the exploits. The spam campaign includes the malware as an attachment titled “heartbleedbugremovaltool.exe.”
Symantec is currently only seeing a small volume of this particular spam campaign targeting users, Narang said. “However, this could be more widespread in the wild,” he said.
As to how the email addresses for the spam campaign were collected, Narang said that the recipients of the emails look to be just gathered from generic harvesting.
“One thing that can be noted is that we do see that most of the recipients belong to enterprise companies, but a search on the Internet will reveal these email addresses are either on a Website somewhere or in a list that can be bought by spammers,” Narang added.
At this point, the Heartbleed flaw has been known for more than a month although there are indications that hundreds of thousands of sites might still be at risk.
From Symantec’s perspective, vigilance remains the best course of action for dealing with technology security. “We believe many servers and Websites have been updated for Heartbleed, but users should not put their guard down as Heartbleed is only one of many vulnerabilities,” Narang said. “Systems that are patched for Heartbleed are not immune to other compromised attempts that result in data leaks.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.