4/30/2015 11:30 PM
Jai Vijayan
CareerBuilder Attack Sends Malware-Rigged Resumes To Businesses

Attack displays 'simple elegance and brilliance,' security researcher says.

Some cyberattacks require sophisticated malware and meticulous planning to pull off; others just a lot of smarts. Email security firm Proofpoint on Thursday reported one attack that falls into the latter category, describing it as a “clever email-based attack” that uses phishing and social engineering techniques to sneak malware into several businesses.

Basically, the modus operandi involves the threat actor simply browsing open job postings on CareerBuilder’s online job search website and responding to some of them with a malicious Microsoft Word document titled “resume.doc” or “cv.doc.”

When a resume is submitted, CareerBuilder automatically sends a notification email to the company that posted the ad, along with the resume attached to it.

In this particular case, when the end user opens the email and attempts to view the attachment, the document exploits a known vulnerability in Word to place a malicious binary on the user’s system. The binary then contacts a command-and-control server and downloads and unzips an image file, which in turn drops a backdoor dubbed Sheldor on the victim’s computer, Proofpoint said in a blog post describing the attack.

The attack is manual and requires some time and effort compared with the automated malware tools out there. But what makes it effective is that emails carrying the malicious attachments are far more likely to be opened by those who receive them, Proofpoint said.

“Not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient,” the company said. And because of how resumes are typically circulated within an organization, there is a good chance the malicious attachment will be forwarded to hiring managers, interviewers, and other stakeholders within the company that posted the ad, the researchers said. “Taking advantage of this dynamic enables the attackers to move laterally through their target organization.”

The attack campaign that Proofpoint discovered appeared fairly indiscriminate and included among its targets several retail stores, energy companies, broadcast companies, credit unions, and electrical supply firms. The attackers seemed to focus on job positions in engineering and finance with titles such as “web developer,” “business analyst,” and “middleware developer.”

Interestingly, the requirements listed in ads for such positions can reveal a lot about an organization’s technology infrastructure and actually help the perpetrator tailor attacks more effectively, Proofpoint said.

The email security vendor said the malware itself was built with the Microsoft Word Intruder (MWI) service and exploits a memory corruption vulnerability in Word’s handling of Rich Text Format files. MWI is an exploit kit that provides, among other things, a dropper for different types of malware tools.

The CareerBuilder campaign “has a simple elegance and brilliance that I can appreciate as a security professional,” said Brett Fernicola, chief information security officer at STEALTHbits Technologies. “You would think that a Word document designed to take advantage of a known exploit would trip some type of definition pattern, but in many cases it will not,” he said.

In this particular incident, the actual payload dropped on the victim’s computer once the attachment is opened is likely to slip past defenses, because it is concealed in an image.

“Many automated detection systems (such as IDS and sandboxes) that monitor web and email traffic for malware are likely to ignore images,” Proofpoint said. Humans are subject to the same bias and are unlikely to suspect that an image file contains the malware they are looking for.
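Both evasion points described above, an RTF exploit delivered under a resume.doc name and a payload hidden inside an image file, come down to a mismatch between an attachment's declared type and its real content, which a mail gateway can check cheaply before any signature match. The Python below is an added example, not Proofpoint's or CareerBuilder's code; the signature table, the finding names and the sample attachments are constructed for illustration.

```python
import os

# Signature table constructed for this example (not from the Proofpoint write-up).
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif")
ZIP_MAGIC = b"PK\x03\x04"                          # zip local file header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # binary Word .doc container

def image_kind(data: bytes):
    """Return 'png'/'jpeg'/'gif' if data starts with a real image header, else None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def has_pe(data: bytes) -> bool:
    """True if an MZ header whose e_lfanew points at 'PE\\0\\0' appears anywhere in data."""
    pos = data.find(b"MZ")
    while pos != -1:
        if len(data) >= pos + 0x40:
            e_lfanew = int.from_bytes(data[pos + 0x3C:pos + 0x40], "little")
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return True
        pos = data.find(b"MZ", pos + 1)
    return False

def triage_attachment(name: str, data: bytes) -> list:
    """Flag an attachment whose declared type (file name) and real content disagree."""
    findings = []
    ext = os.path.splitext(name.lower())[1]
    if ext == ".doc":
        if data.lstrip().startswith(b"{\\rtf"):
            findings.append("doc-name-but-rtf-content")      # RTF exploit shipped as resume.doc
            if b"\\objdata" in data:
                findings.append("rtf-embedded-ole-object")   # embedded OLE object in the RTF
        elif not data.startswith(OLE_MAGIC):
            findings.append("doc-name-unknown-container")
    if ext in IMAGE_EXT:
        if image_kind(data) is None:
            findings.append("image-name-but-not-image")      # e.g. a zip renamed to .jpg
        if ZIP_MAGIC in data:
            findings.append("zip-data-in-image")             # archive hidden in/after the image
        if has_pe(data):
            findings.append("pe-data-in-image")              # executable hidden in the image
    return findings

# Constructed samples so the block runs stand-alone (not real campaign artifacts).
SAMPLE_RTF_AS_DOC = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 01050000}}}"
SAMPLE_PNG_PLUS_ZIP = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82" + ZIP_MAGIC + b"\x14\x00payload"
```

Call `triage_attachment("resume.doc", SAMPLE_RTF_AS_DOC)` or `triage_attachment("photo.png", SAMPLE_PNG_PLUS_ZIP)` to see the findings for the two samples; an empty list means nothing about the attachment contradicts its name.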

Phishing continues to be a top attack vector simply because it is so effective, said Ken Westin, senior security analyst at Tripwire. “Attackers find creative ways to exploit our trust in brands we are familiar with either through making emails or websites [appearing] to be associated with the brand,” he said.

Comments
RyanSepe, User Rank: Ninja
5/4/2015 | 2:02:12 PM
Re: An Open Book
I tip my cap to you... That's an extremely in-depth process for interviews. But it just strengthens the point that by being thorough you can compile enough information to tip the scales in your favor, whether it be for malicious or genuine intent.

Also, hope you got those jobs with that amount of proactive leg work... To not get them would be a gigantic let down.
No SOPA, User Rank: Ninja
5/4/2015 | 4:31:36 AM
An Open Book
An interesting point is raised here, that much is learned about a company's tech through the job requirements in role postings. This is in fact how I have generally prepared for interviews in the past. First, I found tech companies that had the most infrastructure information to be had from their job postings. I then created an architecture document based upon this information, a rough draft. Then I identified as many engineers and other technical staff as possible by full name, and tracked down their resumes, Twitter or similar social media accounts, and collected links to every forum where any of these staff had asked questions, or mailing lists where a dialog was in progress regarding tech questions, etc.

From all this information, I could build a fairly complete document outlining the network and build infrastructure out of my initial rough draft, the languages and related tools used, and a geographical map of offices and datacenters. With all this information compiled, I then assembled prep materials - anything from datacenter hardware manuals to software tool handbooks. I wrote a 50-100 page run book with all the knowledge I wanted to make sure I had ready for accessing during the interview process and also had anecdotal data ready to present that was prompt material, or questions and stories that would reveal more information and answer questions for me through the interviewers rather than me having to answer the questions.

These are all techniques that can be used by malicious parties to prep for a custom coding session to better target victims, and even better compose emails that are most likely to put the reader at ease long enough to deliver a payload.