
Heartbleed fallout: Expect more spam and phishing attempts

As if dealing with the Heartbleed bug itself hasn't been bad enough, IT departments and personnel really need to gear up for the fallout about to hit them: at least a month of sustained avalanches of spam and phishing attempts.

Crisis is of course the seed of opportunity, and in the case of Heartbleed, that means opportunity for the bad guys. Heartbleed is a perfect storm for spammers, scammers, phishers and any other related Internet bottom-feeding scum. Why?

First of all, Heartbleed is not well understood by the public. Wait, let me take a step back: explaining Heartbleed to developers and tech support staff is often difficult. It's a bug in OpenSSL's handling of the TLS heartbeat extension that lets anyone who can connect to a vulnerable server read chunks of that server's memory, which can include session cookies, passwords and even the server's private key, without leaving a trace in the logs. Outside of Linux/Unix sysadmins, no one's really going to grasp the seriousness of that at face value.

So you make it easy and boil it down for people: "You need to change your passwords and not use the same password on more than one site."

They ask, "Is Facebook ok?"

You say it is...probably.

They hear, "Everything is fine. Go home and have half a bottle of wine."

Secondly, in case it wasn't obvious from above, people hate changing their passwords. This is not the same as saying people are lazy. It's simply a fact of life. All of us are more likely to stick to a regimen of getting up at 5am every morning to go for a run than we are of changing our passwords every month.

Thirdly: "Is our antivirus up to date?"

Oh no. Antivirus isn't going to help you with this one. This isn't a virus. It's a flaw in a software library running on the servers (and some clients) you talk to; the fix is patching OpenSSL, reissuing keys and certificates, and rotating passwords, and no signature update will do any of that for you.

"Then what are we paying for?"

See point one above. This is all part of Heartbleed being esoteric and difficult to understand, and probably has something to do with sysadmins having a hard time explaining it to non-technical staff.

So, let's say you're an Internet Bad Guy. Right now you know what people aren't doing: They aren't going home from work and updating their passwords. They also aren't setting different passwords for different sites and services, because, well, they're not updating their passwords to begin with.

"Excellent," you say, rubbing your hands together. "Time to go phishing." Because two things will happen over the next week to ten days: People will learn more about Heartbleed and people will forget about Heartbleed. Yes, at the same time (sigh...cognition state concurrency control is so complex in humans).

This is the perfect opportunity for Internet Bad Guys (and Girls!). In ten days to two weeks' time, enough people will see a fake email that looks like something from their bank saying they must log in to update their password that they will fall for it. Or it could purport to be from any other service people use online. My bitcoin is on fake Netflix emails, because of the irony factor of watching Netflix while being Internet Bad Guyed by someone pretending to be Netflix.*
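The lure described above (a mail that claims to be your bank, tells you to log in "to update your password", and links somewhere that isn't your bank) has a recognisable shape, and a mail gateway or help-desk script can triage for it. The following is an added example, not code from the original post: a crude heuristic triage that checks whether the claimed brand in the From display name matches the domains the links and Reply-To actually point at, and whether the text leans on urgency and credential language. The brand list, the two sample messages and the thresholds are constructed for illustration; the "registrable domain" helper is a deliberate simplification (last two labels) and a real deployment would use the public suffix list.

```python
"""Heuristic triage for post-Heartbleed "update your password" phishing lures.

Added example, not from the original post. Heuristics only: brand table,
sample mail and scoring are assumptions made for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands a lure might impersonate, mapped to the registrable domain their
# real mail and links use. Assumed values for illustration.
KNOWN_BRANDS = {
    "example bank": "examplebank.com",
    "netflix": "netflix.com",
}

# Pressure and credential language typical of the lure described in the post.
URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ hours|must (log ?in|update|verify)|"
    r"(update|reset|verify) your password)\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: examplebank.com.evil.net -> evil.net.
    Simplification; a real implementation consults the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def addr_domain(header_value: str) -> str:
    """Registrable domain of the address in a From / Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def triage(raw: str) -> dict:
    """Return the brand the mail claims to be, the reasons it looks off, and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    from_hdr = msg.get("From", "")
    display_name, _ = parseaddr(from_hdr)
    from_dom = addr_domain(from_hdr)

    # 1. Which known brand does the sender's display name claim to be?
    claimed = next((dom for brand, dom in KNOWN_BRANDS.items()
                    if brand in display_name.lower()), None)

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    # 2. Every link should land on the claimed brand's domain. A lookalike
    #    such as examplebank.com.secure-update-login.net fails this check.
    link_doms = {registrable_domain(urlparse(u).hostname or "") for u in URL_RE.findall(text)}
    if claimed:
        bad_links = sorted(d for d in link_doms if d != claimed)
        if bad_links:
            reasons.append(f"links to {bad_links} while posing as {claimed}")
        if from_dom and from_dom != claimed:
            reasons.append(f"From domain {from_dom} is not {claimed}")

    # 3. Reply-To pointing somewhere other than the From domain.
    reply_dom = addr_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. Urgency / credential language in subject or body.
    hits = sorted({m.group(0).lower()
                   for m in URGENCY.finditer(msg.get("Subject", "") + "\n" + text)})
    if hits:
        reasons.append("urgency/credential language: " + ", ".join(hits))

    # A link that leaves the claimed brand is enough on its own; otherwise
    # require two independent signals so a genuine reminder is not flagged.
    suspicious = any(r.startswith("links to") for r in reasons) or len(reasons) >= 2
    return {"claimed_brand": claimed, "reasons": reasons, "suspicious": suspicious}


# Constructed sample messages (not real mail). Both claim to be the bank.
LEGIT_MAIL = """\
From: "Example Bank" <alerts@examplebank.com>
To: alice@corp.example
Subject: Heartbleed: what we are doing
Content-Type: text/plain

We have patched our servers. You can change your password any time at
https://www.examplebank.com/security
"""

PHISH_MAIL = """\
From: "Example Bank Security" <alerts@examplebank.com>
Reply-To: support@examp1ebank-login.net
To: alice@corp.example
Subject: URGENT: Heartbleed - you must update your password within 24 hours
Content-Type: text/plain

Because of the Heartbleed bug you must log in and update your password now:
http://examplebank.com.secure-update-login.net/reset
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MAIL), ("phish", PHISH_MAIL)):
        print(name, triage(raw))
```

Note that the spoofed From address in the phishing sample passes check 2 on its own (it says examplebank.com, as a lure usually does); it is the link and Reply-To domains that give it away, which is why the verdict leans on where the mail sends people rather than on who it says it is from.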

So, Internet Good Guys (and Girls!) - at least those of us getting paid to fight the scumbags who would prey on people in situations like this - be ready for an onslaught of spam and phishing attempts in your workplace. Start talking about it and making people aware now. Make sure everything is patched (OpenSSL on every host that speaks TLS, not just the public web servers) and that keys and passwords have been rotated afterwards; this is a great opportunity to run a full software/hardware audit and request funds for that solid gold Watchguard firewall Santa forgot. Remember, if they lose information, you lose sleep. Be proactive about protecting your sleep.
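The "make sure everything is up to date" step above starts with knowing which hosts still run a vulnerable OpenSSL. As an added example (not from the original post), the following classifies `openssl version` output against the affected range for Heartbleed (CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and later, the 1.0.2 betas after beta1, and the 0.9.8 and 1.0.0 branches are not affected) and lists the hosts that need attention. The host names and version lines in `SAMPLE_REPORTS` are constructed. One caveat a practitioner needs: distributions often backport the fix without bumping the version letter, so a host that reports 1.0.1e may already be patched; the version string is a triage signal, and the package changelog or build date is what confirms it.

```python
"""Classify `openssl version` output for Heartbleed (CVE-2014-0160) exposure.

Added example, not from the original post. Host names and version lines
below are constructed; the affected range is the published one.
"""
import re

# "OpenSSL 1.0.1e 11 Feb 2013" -> (1, 0, 1, "e", None); "OpenSSL 1.0.2-beta1 ..." -> (1, 0, 2, "", "1")
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE)

AFFECTED = "affected"          # version string is in the vulnerable range
NOT_AFFECTED = "not-affected"  # version string is outside the vulnerable range
UNKNOWN = "unknown"            # could not parse a version at all


def classify(version_line: str) -> str:
    """Map one line of `openssl version` output to AFFECTED / NOT_AFFECTED / UNKNOWN."""
    m = VERSION_RE.search(version_line)
    if not m:
        return UNKNOWN
    major, minor, patch, letter, beta = m.groups()
    branch = (int(major), int(minor), int(patch))
    if branch == (1, 0, 1):
        # Plain 1.0.1 and letters a..f are vulnerable; g and later carry the fix.
        return AFFECTED if letter.lower() <= "f" else NOT_AFFECTED
    if branch == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the vulnerable heartbeat code.
        return AFFECTED if beta == "1" else NOT_AFFECTED
    # 0.9.8, 1.0.0 and anything newer than 1.0.2 never had the bug.
    return NOT_AFFECTED


def audit(reports: dict) -> dict:
    """reports: {host: output of `openssl version`}. Returns {host: status}."""
    return {host: classify(line) for host, line in reports.items()}


def needs_attention(reports: dict) -> list:
    """Hosts to patch or to look at by hand: affected ones, plus anything unparseable.

    Assumption for illustration: an AFFECTED verdict from the version string alone
    is 'probably vulnerable'; confirm against the distro package changelog, since
    backported fixes keep the old version letter."""
    return sorted(host for host, status in audit(reports).items() if status != NOT_AFFECTED)


# Constructed sample inventory: what `openssl version` printed on each host.
SAMPLE_REPORTS = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "mail-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy-01": "OpenSSL 1.0.0l 6 Jan 2014",
    "appliance-01": "command not found: openssl",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_REPORTS).items():
        print(f"{host:14} {status}")
    print("needs attention:", needs_attention(SAMPLE_REPORTS))
```

Feed it the output of `openssl version` collected from each host however you normally gather inventory; the point of the `needs_attention` list is to turn "is everything up to date?" into a concrete set of hosts to patch, re-key and re-check.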

* I know that's not really irony.