Skip navigation

Duo Security is now a part of Cisco

About Cisco

Industry News

Malicious Emails Deliver Malware via Job Recruiting Site

Phishing, malware, hacking attempts and social engineering are some of the most successful types of attacks breaching enterprise networks, according to a 2015 State of Cybersecurity report (PDF). An ISACA and RSA Conference Survey found that “many of the most prevalent successful attack types hinge on the human factor.”

A recent report from Proofpoint security researchers found that attackers are sending malware to organizations via recruiting services, which may target Human Resource (HR) departments. Attackers are leveraging CareerBuilder.com, an online job search and recruiting service in order to send malicious attachments via email.

The attacker attaches malicious Microsoft Word documents (pretending to be resumes) to job postings. Since CareerBuilder sends automatic notification emails every time a resume is submitted to a job opening, the malicious document is sent to the job poster.

Proofpoint notes that although it isn’t an automated way of sending malware, it is more likely that job posters will open the documents as they come from a trusted source (CareerBuilder) and appear to be a credible document. A handful of targets include retail stores, energy companies, broadcast companies, credit unions and electrical suppliers.

After a victim opens the attachment, it exploits a known memory corruption vulnerability for Word RTF in order to open a connection to their command and control server, downloading a payload executable.

Malware (a Sheldor backdoor) contained within a zipped image/archive file is extracted - effectively avoiding detection by intrusion detection systems (IDS) and sandboxes, since these monitoring systems typically ignore image files. The malware can download programs on a victim’s computer, as well as steal data.

In another phishing campaign waged late last year, attackers hit JPMorgan Chase customers with more than 150,000 emails in attempts to steal credentials, also reported by Proofpoint. Spoofed pages redirected users via a malicious iframe, exploiting vulnerabilities found in Microsoft’s Internet Explorer, Silverlight, Adobe Flash and Java.

This campaign would install the credential-harvesting Trojan Dyre on victims’ machines in a variety of ways, including via PDFs and zip attachments. By stealing passwords, attackers could log into different banking accounts and steal money.

Another more recent phishing scam targeted Anthem Blue Cross Blue Shield customers. Emails with a link that urges “Click Here to Get Your Free Year of Credit Protection” were sent out, with links to spoofed sites, stealing login credentials and downloading malware.

All of these phishing campaigns, intent on stealing passwords, can put your business and personal accounts at risk. By using two-factor authentication, enterprises can protect their employee accounts, regardless of attacks via job recruiting, financial or healthcare services. A comprehensive access security solution gives administrators the ability to set precise policies and controls based on the user’s location and type of application they’re accessing. By requiring the use of two-factor authentication, you can secure your company against a possible data breach.