Researchers at Proofpoint recently identified a clever attack campaign involving CareerBuilder.com.
This is not the first time the CareerBuilder website has been used in a scheme to infect unsuspecting users. In 2013, researchers with Trusteer identified an attack using the job-hunting site to infect victims with the Zeus Trojan. This time, the attack utilized malicious Microsoft Word documents disguised as resumes.
“When a resume has been submitted to a listed job opening, the CareerBuilder service automatically generates a notification email to the job poster and attaches the document, which in this case is designed to deliver malware,” Proofpoint explained. “While this approach is more manual and requires more time and effort on the part of the attacker, the probability of the mail being delivered and opened is higher.”
“Rather than attempt to create a realistic lure, the attackers here have instead capitalized on the brand and service of a real site: the recipients are likely to read them and open the attachments because not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient,” the researchers added. “Moreover, because of the way that resumes are circulated within an organization, once the document has been received by the owner of the job listing (often ‘hr@<company name>’) it will be sent to the hiring manager, interviewers, and other stakeholders, who will open and read it as well. Taking advantage of this dynamic enables the attackers to move laterally through their target organization.”
The Office document is built using the Microsoft Word Intruder Service (MWI) and exploits a memory corruption vulnerability in Word's RTF handling, according to Proofpoint.
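The delivery shape described above (a Word "resume" that is really an RTF file carrying an embedded object) is something a mail gateway can triage before the attachment ever reaches a hiring manager. The following is an added example written for this page, not code from Proofpoint or from the article; the file signatures are real, but the policy thresholds and the sample attachments are constructed for illustration.

```python
"""Triage resume attachments the way a simple mail-gateway filter might.

Flags two things a defender would want to see for the campaign described
above: files whose extension says Word but whose bytes say RTF, and RTF
files that carry embedded OLE objects.  Verdicts 'allow' / 'review' /
'block' are a hypothetical policy for this example.
"""

# Real file-type signatures (magic bytes).
RTF_MAGIC = b"{\\rtf"
OLE_CF_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                           # .docx (OOXML container)

# RTF control words that introduce embedded objects; their presence in a
# "resume" is unusual and worth blocking under this example's policy.
SUSPICIOUS_RTF_TOKENS = (b"\\object", b"\\objdata", b"\\objupdate", b"\\objemb")


def detect_format(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring the extension."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_CF_MAGIC):
        return "doc"
    if data.startswith(ZIP_MAGIC):
        return "docx"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return {'file', 'format', 'verdict', 'reasons'} for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = detect_format(data)
    reasons = []

    if fmt == "unknown":
        reasons.append("unrecognised file format")
    elif ext in ("doc", "docx", "rtf") and fmt != ext:
        # Word opens RTF whatever the extension says, so a .doc whose
        # content is RTF is the classic disguise.
        reasons.append(f"extension .{ext} but content is {fmt}")

    if fmt == "rtf":
        found = [t.decode().lstrip("\\") for t in SUSPICIOUS_RTF_TOKENS if t in data]
        if found:
            reasons.append("embedded object control words: " + ", ".join(found))
            return {"file": filename, "format": fmt, "verdict": "block", "reasons": reasons}

    verdict = "review" if reasons else "allow"
    return {"file": filename, "format": fmt, "verdict": verdict, "reasons": reasons}


# Constructed sample attachments (not real campaign artefacts).
SAMPLES = {
    "resume_clean.docx": ZIP_MAGIC + b"<truncated OOXML payload>",
    "resume.doc": b"{\\rtf1\\ansi Plain-text resume body}",          # RTF disguised as .doc
    "cv.rtf": b"{\\rtf1{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
    "notes.txt": b"just some text",
}


def run_samples() -> dict:
    """Map each sample filename to its verdict."""
    return {name: triage_attachment(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage_attachment(name, data))
```

The check is deliberately content-based rather than extension-based: the whole point of the lure is that the filename and the sending service both look right, so only the bytes of the attachment are left to inspect.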
“MWI is an underground crime service – already well documented – that builds CVE-weaponized dropper or downloader documents for any malware,” according to Proofpoint. “A seller with handle ‘Object’ has been observed offering the service since May 31, 2013 on underground Russian forums for approximately US$2,000 to US$3,000.”
The malware dropped in the attack is a backdoor known as Sheldor.
TK Keanini, CTO of Lancope, said that the attack shows how cybercriminals are becoming less direct and more advanced.
“Attackers prey on the deterministic behaviors of systems where they can predict future action,” he said. “Before clicking on any attachment, users everywhere need to understand to what degree it is authentic and how well they know the originating source. The default should be to not trust any attachment. While the Internet connects you to great resources, it also connects you to crime.”