11:30 PM
Jai Vijayan

CareerBuilder Attack Sends Malware-Rigged Resumes To Businesses

Attack displays 'simple elegance and brilliance,' security researcher says.

Some cyberattacks involve sophisticated malware and meticulous planning to pull off, while others require just a lot of smarts. Email security firm Proofpoint reported one attack Thursday that falls into the latter category, describing it as a “clever email-based attack” that uses phishing and social engineering techniques to sneak malware into several businesses.

Basically, the modus operandi is simple: the threat actor browses open job positions on CareerBuilder’s online job search website and responds to some of them with a malicious Microsoft Word document titled “resume.doc” or “cv.doc.”

When a resume is submitted, CareerBuilder automatically sends a notification email to the company that posted the ad, along with the resume attached to it.

In this particular case, when the end user opens the email and attempts to view the attachment, the document exploits a known vulnerability in Word to place a malicious binary on the user’s system. The binary then contacts a command-and-control server, from which it downloads and unzips an image file; that image in turn drops a backdoor dubbed Sheldor on the victim’s computer, Proofpoint said in a blog post describing the attack.

The attack is manual and requires some time and effort compared to the automated malware tools out there. But what makes it effective is that emails carrying the malicious attachments are far more likely to be opened by those who receive them, Proofpoint said.

“Not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient,” the company said. And because of how resumes are typically circulated within an organization, there is a good chance the malicious attachment will be sent to hiring managers, interviewers, and other stakeholders within the company that posted the ad, the researchers said. “Taking advantage of this dynamic enables the attackers to move laterally through their target organization.”

The attack campaign that Proofpoint discovered appeared fairly indiscriminate and included as its targets several retail stores, energy companies, broadcast companies, credit unions, and electrical supply firms. The attackers seemed to focus on job positions in engineering and finance with titles such as “web developer,” “business analyst,” and “middleware developer.”

Interestingly, the requirements listed in ads for such positions can reveal a lot about an organization’s technology infrastructure and actually help the perpetrator tailor attacks more effectively, Proofpoint said.

The email security vendor described the malware itself as using the Microsoft Word Intruder (MWI) service and exploiting a memory corruption vulnerability in Word’s handling of Rich Text Format files. MWI is an exploit kit that provides, among other things, a dropper for different types of malware tools.

The CareerBuilder campaign “has a simple elegance and brilliance that I can appreciate as a security professional,” said Brett Fernicola, chief information security officer at STEALTHbits Technologies. “You would think that a Word document designed to take advantage of a known exploit would trip some type of definition pattern, but in many cases it will not,” he says.

In this particular incident, the actual payload dropped on the victim’s computer once the attachment is opened is likely to slip past defenses because it is concealed in an image.

“Many automated detection systems (such as IDS and sandboxes) that monitor web and email traffic for malware are likely to ignore images,” Proofpoint said. Similarly, humans are vulnerable to the same bias and are unlikely to suspect that the image file contains the malware they are trying to find.
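Two of the evasions described above can be caught with cheap content checks on the mail gateway rather than by trusting file names or extensions: a “resume.doc” that is really an RTF exploit document, and an image file that carries an archive or executable outside the image's own structure. The following is an added example, not code from the article or from Proofpoint. It assumes (the article does not say so) that the attachment is RTF under a .doc name, which matches MWI's use of RTF exploits, and that the hidden payload is stored after the image's end-of-image marker or as a raw PE/ZIP inside the image bytes; the sample attachments it builds are constructed, not real malware.

```python
"""Attachment triage for two evasions described in the CareerBuilder article:
a resume named .doc whose content is really RTF, and an image that hides an
archive or executable. Added example; sample inputs are constructed."""
import struct
import zlib

# Well-known file signatures (magic numbers).
RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc container
ZIP_MAGIC = b"PK\x03\x04"                          # .docx / .zip local file header
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
MZ_MAGIC = b"MZ"                                   # DOS stub of a PE executable


def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the image's end marker (PNG IEND chunk or JPEG EOI)."""
    if data.startswith(PNG_MAGIC):
        idx = data.find(b"IEND")
        return b"" if idx == -1 else data[idx + 8:]      # 'IEND' + 4-byte CRC
    if data.startswith(JPEG_MAGIC):
        idx = data.rfind(b"\xff\xd9")                     # last End-Of-Image marker
        return b"" if idx == -1 else data[idx + 2:]
    return b""


def find_embedded_pe(data: bytes):
    """Offset of an MZ header whose e_lfanew points at a 'PE\\0\\0' signature, else None.
    Validating e_lfanew avoids false positives from a random 'MZ' in compressed pixels."""
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0 < e_lfanew < len(data) and data[pe_off:pe_off + 4] == b"PE\0\0":
                return pos
        pos = data.find(MZ_MAGIC, pos + 1)
    return None


def classify_attachment(filename: str, data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    name = filename.lower()
    if name.endswith(".doc") and data.startswith(RTF_MAGIC):
        findings.append("extension .doc but content is RTF")
    if name.endswith(".doc") and not data.startswith((OLE_MAGIC, RTF_MAGIC, ZIP_MAGIC)):
        findings.append("extension .doc with unrecognised container")
    if data.startswith((PNG_MAGIC, JPEG_MAGIC)):
        tail = trailing_bytes(data)
        if tail:
            findings.append(f"{len(tail)} bytes after image end marker")
        # Search the whole file, not only the tail, so a payload that happens to
        # contain an EOI byte pair is still found.
        if ZIP_MAGIC in data or find_embedded_pe(data) is not None:
            findings.append("archive or executable hidden in image")
    return findings


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_samples() -> dict:
    """Constructed sample attachments (hypothetical names, harmless bytes)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)          # 1x1 greyscale
    idat = zlib.compress(b"\x00\x00")
    clean_png = (PNG_MAGIC + _png_chunk(b"IHDR", ihdr)
                 + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))
    fake_zip = ZIP_MAGIC + b"\x14\x00" + b"\x00" * 24 + b"payload.bin"   # 41 bytes
    # Minimal MZ/PE skeleton: e_lfanew at 0x3C points to 'PE\0\0' at 0x40 (84 bytes).
    fake_pe = MZ_MAGIC + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x00" * 16
    stuffed_jpeg = JPEG_MAGIC + b"\xe0" + b"\x00" * 8 + b"\xff\xd9" + fake_pe
    return {
        "resume.doc": b"{\\rtf1\\ansi\\deff0 constructed sample}",
        "cv.doc": OLE_MAGIC + b"\x00" * 64,
        "photo.png": clean_png,
        "photo_stuffed.png": clean_png + fake_zip,
        "photo_stuffed.jpg": stuffed_jpeg,
    }


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        print(f"{fname:20s} {classify_attachment(fname, blob) or 'clean'}")
```

The point of `find_embedded_pe` validating `e_lfanew` is that two-byte magic values such as `MZ` occur by chance inside compressed image data; checking that the DOS header actually points at a `PE\0\0` signature keeps the false-positive rate low enough to block on, rather than merely alert on, the finding.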

Phishing continues to be a top attack vector simply because it is so effective, says Ken Westin, senior security analyst at Tripwire. “Attackers find creative ways to exploit our trust in brands we are familiar with either through making emails or websites [appearing] to be associated with the brand,” he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Ninja
5/4/2015 | 2:02:12 PM
Re: An Open Book
I tip my cap to you... That's an extremely in-depth process for interviews. But it just strengthens the point that by being thorough you can compile enough information to tip the scales in your favor, whether it be for malicious or genuine intent.

Also, hope you got those jobs with that amount of proactive leg work...To not get them would be a gigantic let down.
User Rank: Ninja
5/4/2015 | 4:31:36 AM
An Open Book
An interesting point is raised here, that much is learned about a company's tech through the job requirements in role postings. This is in fact how I have generally prepared for interviews in the past. First, I found tech companies that had the most infrastructure information to be had from their job postings. I then created an architecture document based upon this information, a rough draft. Then I identified as many engineers and other technical staff as possible by full name, and tracked down their resumes, Twitter or similar social media accounts, and collected links of every forum any of these staff had asked questions, or mailing lists where a dialog was in progress regarding tech questions, etc.

From all this information, I could build a fairly complete document outlining the network and build infrastructure out of my initial rough draft, the languages and related tools used, and a geographical map of offices and datacenters. With all this information compiled, I then assembled prep materials - anything from datacenter hardware manuals to software tool handbooks. I wrote a 50-100 page run book with all the knowledge I wanted to make sure I had ready for accessing during the interview process and also had anecdotal data ready to present that was prompt material, or questions and stories that would reveal more information and answer questions for me through the interviewers rather than me having to answer the questions.

These are all techniques that can be used by malicious parties to prep for a custom coding session to better target victims, and even better compose emails that are most likely to put the reader at ease long enough to deliver a payload.