Hacking is getting creative, and hackers are using every trick in the book to sneak malware into unsuspecting businesses. In this type of attack, the hacker browses open positions listed on CareerBuilder.com, a popular online job search and recruiting service, and responds to job postings by attaching malicious Microsoft Word documents in place of resumes. In this specific case, Proofpoint researchers observed the hacker attaching a Word document named “resume.doc” or “cv.doc.”
When a resume has been submitted to a listed job opening, the CareerBuilder service automatically generates a notification email to the job poster and attaches the document, which in this case is designed to deliver malware.
Commenting on the novelty of the attack, Proofpoint researchers say, “While this approach is more manual and requires more time and effort on the part of the attacker, the probability of the mail being delivered and opened is higher. Rather than attempt to create a realistic lure, the attackers here have instead capitalized on the brand and service of a real site: the recipients are likely to read them and open the attachments because not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient. Moreover, because of the way that resumes are circulated within an organization, once the document has been received by the owner of the job listing (often “hr@<company name>”) it will be sent to the hiring manager, interviewers, and other stakeholders, who will open and read it as well. Taking advantage of this dynamic enables the attackers to move laterally through their target organization.”
When the end-user opens the email and attempts to view the attachment, the document exploits a known Word vulnerability to place a malicious binary that downloads and unzips an image file, which in turn drops a rootkit on the victim’s computer.
“This inventive combination of effective delivery with a very stealthy infection routine enables attackers to evade automated defenses and fool skeptical end-users. Instead of a new employee, the victim organizations welcome a dangerous piece of malware. Moreover, it is important to note that job search services are themselves also victims in this attack because they are being exploited to deliver malicious attachments that bypass organizations’ existing defenses and even user training,” says Proofpoint.
Proofpoint has contacted CareerBuilder to alert them to this threat, and the portal has taken prompt action to address the issue. Even so, all job search websites are certainly susceptible and must be aware of the same risk of being used as a proxy for delivering malicious attachments.
The researchers recommend that owners of career websites that accept resumes in any format, whether PDF or Microsoft Word, always assume the content may be malicious and scan it before forwarding it to any customer.
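As an added illustration of that recommendation (not Proofpoint's or CareerBuilder's code), the sketch below shows a structural pre-check a career site could run on each upload before the notification email is generated. The function names, the accepted extensions, the marker shortlist and the sample uploads are all assumptions made for the example; a "forward" verdict only means the file goes on to the malware scanner, since a document that exploits a parser flaw may carry none of these markers.

```python
import io
import os
import zipfile

def u16(s):
    return s.encode("utf-16-le")  # OLE2 directory entry names are stored as UTF-16LE

# Leading bytes of the formats a resume form usually accepts.
SIGNATURES = [(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"), (b"{\\rtf", "rtf"),
              (b"%PDF-", "pdf"), (b"PK\x03\x04", "zip")]
EXPECTED = {".doc": "ole2", ".docx": "zip", ".rtf": "rtf", ".pdf": "pdf"}
# Byte markers of active or embedded content per container type (shortlist, not exhaustive).
MARKERS = {
    "ole2": [u16("Macros"), u16("_VBA_PROJECT"), u16("ObjectPool")],
    "rtf": [b"\\objdata", b"\\objocx", b"\\objupdate"],
    "pdf": [b"/JavaScript", b"/OpenAction", b"/Launch", b"/EmbeddedFile"],
}
ZIP_MEMBERS = ("word/vbaProject.bin", "word/embeddings/", "word/activeX/")

def sniff(data):
    """Identify the container from its first bytes, ignoring the file name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"

def triage(filename, data):
    """Return ("forward" | "hold", reasons); "hold" keeps the file out of the email."""
    ext = os.path.splitext(filename.lower())[1]
    kind = sniff(data)
    reasons = []
    if ext not in EXPECTED:
        reasons.append(f"extension {ext or '(none)'} not accepted")
    elif kind != EXPECTED[ext]:
        reasons.append(f"{ext} file contains {kind} data")
    reasons += [f"marker {m!r}" for m in MARKERS.get(kind, []) if m in data]
    if kind == "zip":  # .docx: inspect member names instead of raw bytes
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
            reasons += [f"member {n}" for n in names if n.startswith(ZIP_MEMBERS)]
        except zipfile.BadZipFile:
            reasons.append("corrupt zip container")
    return ("hold" if reasons else "forward", reasons)

# Constructed sample uploads (not taken from the campaign described above).
SAMPLES = {
    "resume.doc": b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objdata 0105}}}",
    "cv.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504 + u16("WordDocument"),
    "cv.pdf": b"%PDF-1.4\n1 0 obj<</OpenAction 2 0 R>>endobj",
}
if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, *triage(name, blob))
```

Held files should be quarantined for analyst or sandbox review rather than silently dropped, so that legitimate applicants who saved an RTF file with a .doc name are not lost.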