Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Cybercriminals Use Zeus Trojan to Target Job Seekers With Mule Recruitment Ads

Researchers at Trusteer say they have found a version of Zeus using man-in-the-browser techniques to present visitors to job-hunting site CareerBuilder.com with an ad they’d probably best ignore – a listing for a mule recruitment site.

Researchers at Trusteer say they have found a version of Zeus using man-in-the-browser techniques to present visitors to job-hunting site CareerBuilder.com with an ad they’d probably best ignore – a listing for a mule recruitment site.

Trusteer offered no information about how the victims were initially getting infected with Zeus. However, a common infection vector for Zeus is a drive-by infection on a compromised site.

“While HTML injection is typically used for adding data fields or to present bogus messages, in this case we witnessed a rare usage that attempts to divert the victim to a fake job offering,” blogged Etay Maor, fraud prevention solutions provider at Trusteer. “Because this redirection occurs when the victim is actively pursuing a job, in this case with CareerBuilder [dot] com, the victim is more likely to believe the redirection is to a legitimate job opportunity.” 

It is hardly unheard of for cybercriminals to use legitimate employment websites to recruit mules. Typically, Maor explained, this would take the form of criminals creating a job opening looking for financial managers.

“The ads would include enticing descriptions of easy money from simple “work-at-home” jobs, luring job seekers to contact the “employer” to unknowingly serve as the money laundering component of a cybercrime gang,” the researcher blogged.

Just this week, federal authorities in the U.S. charged eight people for being part of a money laundering operation that was involved in the attempted theft of $15 million from banking customers in the U.S.

Recognizing their sites can be abused for recruiting mules for these kinds of operations, employment websites have taken to offering easy ways for users to report suspicious ads, Maor continued. In addition, affected sites have created security teams that use a combination of manual and automatic search techniques to detect and remove such ads.

“Malware authors, on the other hand, recognize that job seekers who actively access employment websites have a high potential to be successfully recruited and serve as money mules,” Maor observed.

“By using CareerBuilder as a platform, the Zeus operators maximize their outreach to potential mule targets,” he added.

Related: Inside the Mule Network

Related: How Banks Can Identify Mule Accounts as They are Opened

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.