Attackers Used CareerBuilder to Send Malicious Resumes to Victims: Proofpoint

Researchers at Proofpoint recently identified a clever attack campaign involving CareerBuilder.com.

This is not the first time the CareerBuilder website has been used in a scheme to infect unsuspecting users. In 2013, researchers with Trusteer identified an attack using the job-hunting site to infect victims with the Zeus Trojan. This time, the attack utilized malicious Microsoft Word documents disguised as resumes.

“When a resume has been submitted to a listed job opening, the CareerBuilder service automatically generates a notification email to the job poster and attaches the document, which in this case is designed to deliver malware,” Proofpoint explained. “While this approach is more manual and requires more time and effort on the part of the attacker, the probability of the mail being delivered and opened is higher.”

“Rather than attempt to create a realistic lure, the attackers here have instead capitalized on the brand and service of a real site: the recipients are likely to read them and open the attachments because not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient,” the researchers added. “Moreover, because of the way that resumes are circulated within an organization, once the document has been received by the owner of the job listing (often “hr@<company name>”) it will be sent to the hiring manager, interviewers, and other stakeholders, who will open and read it as well. Taking advantage of this dynamic enables the attackers to move laterally through their target organization.”

The Office document is built using the Microsoft Word Intruder Service (MWI) and exploits a memory corruption vulnerability for Word RTF, according to Proofpoint.

“MWI is an underground crime service – already well documented – that builds CVE-weaponized dropper or downloader documents for any malware,” according to Proofpoint. “A seller with handle “Object” has been observed offering the service since May 31, 2013 on underground Russian forums for approximately US$2,000 to US$3,000.”

The malware dropped in the attack is a backdoor known as Sheldor.

TK Keanini, CTO of Lancope, said that the attack shows how cybercriminals are becoming less direct and more advanced.

“Attackers prey on the deterministic behaviors of systems where they can predict future action,” he said. “Before clicking on any attachment, users everywhere need to understand to what degree it is authentic and how well they know the originating source. The default should be to not trust any attachment. While the Internet connects you to great resources, it also connects you to crime.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
