Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11:30 PM
Jai Vijayan
Jai Vijayan
Sponsored Article
Connect Directly

CareerBuilder Attack Sends Malware-Rigged Resumes To Businesses

Attack displays 'simple elegance and brilliance,' security researcher say.

Some cyberattacks involve sophisticated malware and meticulous planning to pull off, while others, just a lot of smarts. Email security firm Proofpoint reported one attack Thursday that falls into the latter category: they describe it as a “clever email-based attack” involving the use of phishing and social engineering techniques to sneak malware into several businesses.

Basically, the modus operandi involves the threat actor simply browsing through open job positions on CareerBuilder’s online job search website and responding to some of them with a malicious document in Microsoft Word format titled “resume.doc” or “cv.doc.”

When a resume is submitted, CareerBuilder automatically sends a notification email to the company that posted the ad, along with the resume attached to it.

In this particular case, when the end-user opens the email and attempts to view the attachment, the document exploits a known vulnerability in Word to place a malicious binary on the user’s system. The binary then contacts a command and control server, which downloads and unzips a image file, which in turn drops a backdoor dubbed Sheldor on the victim’s computer, Proofpoint said in a blog post describing the attack.

The attack is manual and requires some time and effort compared to the automated malware tools out there. But what makes it effective is the fact that there is a much higher likelihood that emails containing the malicious attachments will be opened by those who receive it, Proofpoint said.

“Not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient,” the company said. And because of how resumes are typically circulated within an organization, there is a good chance the malicious attachment will be sent to hiring managers, interviewers, and other stakeholders within the company that posed the ad, the researchers said. “Taking advantage of this dynamic enables the attackers to move laterally through their target organization."

The attack campaign that Proofpoint discovered appeared fairly indiscriminate and included as its targets several retail stores, energy companies, broadcast companies, credit unions, and electrical supply firms.  The attackers seemed to focus on job positions in engineering and finance with titles such as “web developer” “business analyst,” and “middleware developer.”

Interestingly, the requirements listed in ads for such positions can reveal a lot about an organization’s technology infrastructure and actually help the perpetrator tailor attacks more effectively, Proofpoint said.

The email security vendor described the malware itself as using the Microsoft Word Intruder (MWI) service and exploiting a memory corruption vulnerability for Word Rich Text Format files. MWI is an exploit kit that provides among other things, a dropper for different types of malware tools.

The CareerBuilder campaign “has a simple elegance and brilliance that I can appreciate as a security professional,” said Brett Fernicola, chief information security officer at STEALTHbits Technologies. “You would think that a Word document designed to take advantage of a known exploit would trip some type of definition pattern, but in many cases it will not,” he says.

In this particular incident, the actual payload that is dropped on the victim’s computer once the attachment is opened, is likely to slip past defenses, because it is concealed in an image.

“Many automated detection systems (such as IDS and sandboxes) that monitor web and email traffic for malware are likely to ignore images,” Proofpoint said.  Similarly, humans are vulnerable to the same bias and are unlikely to suspect that the image file contains the malware they are trying to find.

Phishing continues to be a top attack vector simply because it is so effective, says Ken Westin, senior security analyst at Tripwire. “Attackers find creative ways to exploit our trust in brands we are familiar with either through making emails or websites [appearing] to be associated with the brand,” he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/4/2015 | 2:02:12 PM
Re: An Open Book
I tip my cap to you...That's an extremely indepth process for interviews. But it just strengthens the point that by being thorough you can compile enough information to tip the scales in your favor whether it be for malicious or genuine intent.

Also, hope you got those jobs with that amount of proactive leg work...To not get them would be a gigantic let down.
Christian Bryant
Christian Bryant,
User Rank: Ninja
5/4/2015 | 4:31:36 AM
An Open Book
An interesting point is raised here, that much is learned about a company's tech through the job requirements in role postings. This is in fact how I have generally prepared for interviews in the past. First, I found tech companies that had the most infrastructure information to be had from their job postings. I then created an architecture document based upon this information, a rough draft. Then I identified as many engineers and other technical staff as possible by full name, and tracked down their resumes, Twitter or similar social media accounts, and collected links of every forum any of these staff had asked questions, or mailing lists where a dialog was in progress regarding tech questions, etc.

From all this information, I could build a fairly complete document outlining the network and build infrastructure out of my initial rough draft, the languages and related tools used, and a geographical map of offices and datacenters. With all this information compiled, I then assembled prep materials - anything from datacenter hardware manuals to software tool handbooks. I wrote a 50-100 page run book with all the knowledge I wanted to make sure I had ready for accessing during the interview process and also had anecdotal data ready to present that was prompt material, or questions and stories that would reveal more information and answer questions for me through the interviewers rather than me having to answer the questions.

These are all techniques that can be used by malicious parties to prep for a custom coding session to better target victims, and even better compose emails that are most likely to put the the reader at ease long enough to deliver a payload.
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session ...
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could ex...
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device. The vulnerability is due to incorrect permissions settings on affected DCNM software. An attacker...
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software...
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.