Attackers Used CareerBuilder to Send Malicious Resumes to Victims: Proofpoint

Researchers at Proofpoint recently identified a clever attack campaign involving

This is not the first time the CareerBuilder website has been used in a scheme to infect unsuspecting users. In 2013, researchers with Trusteer identified an attack using the job-hunting site to infect victims with the Zeus Trojan. This time, the attack utilized malicious Microsoft Word documents disguised as resumes.

“When a resume has been submitted to a listed job opening, the CareerBuilder service automatically generates a notification email to the job poster and attaches the document, which in this case is designed to deliver malware,” Proofpoint explained. “While this approach is more manual and requires more time and effort on the part of the attacker, the probability of the mail being delivered and opened is higher.”

“Rather than attempt to create a realistic lure, the attackers here have instead capitalized on the brand and service of a real site: the recipients are likely to read them and open the attachments because not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient,” the researchers added. “Moreover, because of the way that resumes are circulated within an organization, once the document has been received by the owner of the job listing (often “[email protected]<company name>”) it will be sent to the hiring manager, interviewers, and other stakeholders, who will open and read it as well. Taking advantage of this dynamic enables the attackers to move laterally through their target organization.”

The Office document is built using the Microsoft Word Intruder (MWI) service and exploits a memory corruption vulnerability in Word's RTF handling, according to Proofpoint.

“MWI is an underground crime service – already well documented – that builds CVE-weaponized dropper or downloader documents for any malware,” according to Proofpoint. “A seller with handle “Object” has been observed offering the service since May 31, 2013 on underground Russian forums for approximately US$2,000 to US$3,000.”

The malware dropped in the attack is a backdoor known as Sheldor.

TK Keanini, CTO of Lancope, said that the attack shows how cybercriminals are becoming less direct and more advanced.

“Attackers prey on the deterministic behaviors of systems where they can predict future action,” he said. “Before clicking on any attachment, users everywhere need to understand to what degree it is authentic and how well they know the originating source. The default should be to not trust any attachment. While the Internet connects you to great resources, it also connects you to crime.”
