As Internet users worldwide race to guard their computers against the potentially devastating Heartbleed security breach, criminals are moving just as quickly to exploit it.
On Tuesday, a Canadian man became the first person to be arrested for using Heartbleed to steal sensitive personal data.
And on Friday, the computer security firm Mandiant reported that Heartbleed was used by an online criminal to hack one of its clients’ computers.
Christopher Glyer, technical director of Mandiant in Alexandria, Va., said that ever since news of the Heartbleed bug was made public on April 7, would-be digital thieves have mounted a relentless effort to take advantage of it.
“We see lots of different attackers trying to scan large swaths of the Internet looking for servers that are vulnerable to this,” Glyer said.
Heartbleed is a bug found in OpenSSL, a vital Internet program that encrypts the communications between computers. OpenSSL is used on millions of machines to ensure that sensitive data, such as credit card and bank account numbers, can be transmitted safely over the Internet.
But an error in a 2012 upgrade of the program exposed unencrypted information from a computer’s memory.
For instance, an online criminal could use the bug to infiltrate a server at an online retailer and scoop up customers’ passwords and financial data.
Internet security analysts warned that Heartbleed was one of the worst Internet security flaws ever discovered, and major companies have moved quickly to repair their computers.
But those very warnings set off a scramble by criminals looking to cash in on Heartbleed while many computers are still vulnerable. “There’s a whole lot of attacks that may have happened in the last week,” Glyer said.
The Royal Canadian Mounted Police on Tuesday arrested 19-year-old Stephen Arthuro Solis-Reyes of London, Ontario, for allegedly stealing personal information of about 900 people from the website of the Canadian Revenue Agency, the country’s equivalent of the Internal Revenue Service. In addition, the BBC reported that the British parenting website Mumsnet was hit by a Heartbleed attack last week, in which personal information from about 30 members was stolen.
Even though the bug is now well understood and a repair patch is readily available, the risk of Heartbleed attacks will linger for a long time.
“Patching isn’t always a straightforward as it sounds,” said Trey Ford, global security strategist at Rapid7 Inc., a network security firm in Boston. For instance, many large companies don’t know how many of their network servers are affected. Taking an inventory will take time, and “there is a likelihood that some service might be missed,” Ford said.
Besides, servers must be patched with care, because changing one piece of software might cause another program to malfunction.
So a patched server may have to be tested before going back online. “It’s not a trivial undertaking,” Glyer said.
Meanwhile, Ford predicted that consumers will see a flood of Heartbleed-related phishing attacks.
Criminals may send millions of e-mails, supposedly offering protection from the Heartbleed threat. But clicking a link or opening a file attached to the e-mail could actually infect the recipient’s computer with malware.
Ford urged consumers to refrain from opening such messages. Instead, they should protect themselves by changing their Internet passwords, in case their current ones have already been compromised.