Since news about Heartbleed broke out earlier this month, the Internet has been full of updates, opinions and details about the vulnerability, with personalities ranging from security experts to celebrities talking about it. Being as opportunistic as they are, cybercriminals have taken notice of this and turned the furor surrounding Heartbleed into lure for a spam attack.

Figure 1. Heartbleed spam

The spammed mail is a simple-looking one, as far as spam goes. The body is plain text, notifying the user about the ‘big security concern on the internet’ that is Heartbleed and gives advice as well as a link to an alleged CNN report about the matter. The spam purports itself to be from an individual named ‘Dexter’ who appears to reside in Riyadh, Saudi Arabia.

The link doesn’t lead to the CNN website at all, or any website in its domain. As with all spammed links, it leads to a different URL that, as of this moment, seems to have been taken down or rendered inaccessible. Of course, it’s a good bet that it was malicious in the first place.

Cybercriminals are ready and willing to use all newsworthy topics for their social engineering schemes, including big security incidents/advisories. With the Heartbleed Bug being as big and as serious a security issue can get – not only does it affect some of the most popular websites on the Web today, but can also strike from mobile apps as well – users need to anticipate that threats may strike in a way that they never really expect.

Always be vigilant, alert and skeptical – especially when it comes to what you get in your e-mail. It may be a spammed mail you’re looking at. Clicking links in email is generally not a good idea; it’s more secure to go directly to the relevant site instead.

Trend Micro customers are of course defended against this particular attack, with the spammed mail and the URL blocked.

As for Heartbleed itself, we’ve released some tools you can use to protect yourself against this threat – namely our Trend Micro Heartbleed Detector App for Android (which notifies you of vulnerable apps and uninstalls them for you) and our Trend Micro OpenSSL Heartbleed Scanner App for Chrome (which checks specific sites for Heartbleed vulnerability). We’ve also got our Trend Micro Heartbleed Detector Website if you wish to use that instead.

Facebook users are once again the target of a malicious scheme—this time in the form of a notification about “Facebook Chat”.

The spammed notification pretends to come from the “official Facebook Chat Team.” A notification shows users of a tagged comment to a Facebook Note containing a fake announcement about a Facebook Chat verification requirement.

Figure 1. Facebook Chat verification notification

The spam tries to sound urgent to convince users to verify their accounts. To do so, they are first asked to to go to a Pastebin URL and are instructed to copy a specific code. The set of instructions differ depending on what browser is being used (Google Chrome, Mozilla Firefox, or Internet Explorer).

Users are then directed to a shortened link and are asked to press a particular function key (F12 for Google Chrome users, for example).  After clicking on the console tab, users are supposed to paste the provided Javascript code into the address bar, then press Enter. This actually gives bad guys access to the user’s account, giving them the capability to auto-tag anyone in the users’ friends list and start the cycle of victimizing other account users.

Figure 2. Console where the Javascript code is supposed to be entered

From the get-go, users should know that there is no product called “Facebook Chat,” let alone a team that sends out a supposed “advisory” to its users. The social media site’s official instant messaging feature is called Facebook Messenger, which also the name of its stand-alone app. Earlier this month, Facebook announced that Android and iOS users will be required use this stand-alone app by eliminating the chat features of the traditional app versions of the site.

Facebook has taken action against threats like this by releasing an official announcement.  The official Facebook warning notes, “This is a variant on the self-XSS attack. By pasting the code in the browser console, the user gives the code access to their account. The code usually posts the same scam on other people’s walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things.”

In 2013, a mobile phishing page disguised as a legitimate Facebook mobile page has been used to victimize users by stealing their credit card details. In the same year, the Facebook Security Check page has been spoofed by phishers leading to a number of stolen account credentials.

Protecting your online accounts from different threats requires constant vigilance. Always check and verify links that are sent your way, even if they come from a friend or contact. In the same light, sift through the number of contacts you add to your network and only add those you know personally to minimize risks of compromising your accounts and harming your computer.