Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Attackers Used CareerBuilder to Send Malicious Resumes to Victims: Proofpoint

Researchers at Proofpoint recently identified a clever attack campaign involving CareerBuilder.com.

Researchers at Proofpoint recently identified a clever attack campaign involving CareerBuilder.com.

This is not the first time the CareerBuilder website has been used in a scheme to infect unsuspecting users. In 2013, researchers with Trusteer identified an attack using the job-hunting site to infect victims with the Zeus Trojan. This time, the attack utilized malicious Microsoft Word documents disguised as resumes.

“When a resume has been submitted to a listed job opening, the CareerBuilder service automatically generates a notification email to the job poster and attaches the document, which in this case is designed to deliver malware,” Proofpoint explained. “While this approach is more manual and requires more time and effort on the part of the attacker, the probability of the mail being delivered and opened is higher.”

“Rather than attempt to create a realistic lure, the attackers here have instead capitalized on the brand and service of a real site: the recipients are likely to read them and open the attachments because not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient,” the researchers added. “Moreover, because of the way that resumes are circulated within an organization, once the document has been received by the owner of the job listing (often “hr@<company name>”) it will be sent to the hiring manager, interviewers, and other stakeholders, who will open and read it as well. Taking advantage of this dynamic enables the attackers to move laterally through their target organization.”

The Office document is built using the Microsoft Word Intruder Service (MWI) and exploits a memory corruption vulnerability for Word RTF, according to Proofpoint.

“MWI is an underground crime service – already well documented – that builds CVE-weaponized dropper or downloader documents for any malware,” according to Proofpoint. “A seller with handle “Object” has been observed offering the service since May 31, 2013 on underground Russian forums for approximately US$2,000 to US$3,000.”

Advertisement. Scroll to continue reading.

The malware dropped in the attack is a backdoor known as Sheldor.

TK Keanini, CTO of Lancope, said that the attack shows how cybercriminals are becoming less direct and more advanced.

“Attackers prey on the deterministic behaviors of systems where they can predict future action,” he said. “Before clicking on any attachment, users everywhere need to understand to what degree it is authentic and how well they know the originating source. The default should be to not trust any attachment. While the Internet connects you to great resources, it also connects you to crime.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

N-able has appointed Russell Rosa as Chief Revenue Officer.

Stacy O'Mara has joined Armadin as Chief Policy Officer and Director of Global Government Affairs.

F5 has appointed Cathy Peterman as Chief People Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.