The current shortage of qualified IT security professionals is affecting organizations across the United States, but now it seems that criminals are taking advantage of the booming job market in a new way: Proofpoint reports that cyber criminals have been infecting businesses with malware through fake job applications.
Combining “phishing and social engineering techniques in order to trick users into opening a malicious document”, criminals have been uploading infected files to the online job site CareerBuilder.com; the documents exploit “a memory corruption vulnerability for Word RTF (such as CVE-2014-1761, CVE-2012-0158, and others).”
It may seem a labor-intensive way of attacking organizations, but because of this approach the “probability of the mail being delivered and opened is higher”. As Proofpoint notes, “recipients are likely to read them and open the attachments because not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient. Moreover, because of the way that resumes are circulated within an organization, once the document has been received by the owner of the job listing (often “hr@<company name>”) it will be sent to the hiring manager, interviewers, and other stakeholders, who will open and read it as well. Taking advantage of this dynamic enables the attackers to move laterally through their target organization.”
Having been alerted by Proofpoint, CareerBuilder “took prompt action to address the issue”, but other recruitment sites could still be vulnerable. We recommend you exercise caution when opening attachments from unknown sources – especially if you’re recruiting. Once infected with malware, organizations are at significant risk of data breach or wider compromise.
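As an added illustration of the defensive side (this is example code, not Proofpoint’s or CareerBuilder’s detection logic), the triage function below shows one simple check an HR mailbox or mail gateway can apply to incoming resume attachments: identify RTF by its signature rather than by the extension the sender chose, and flag RTF documents that carry embedded objects, a structure a plain resume rarely needs. The sample attachments and the control-word heuristic are constructed assumptions for the demonstration.

```python
import re

# Constructed sample attachments, as an hr@ mailbox might receive them (name -> bytes).
SAMPLE_ATTACHMENTS = {
    "resume_plain.rtf": b"{\\rtf1\\ansi{\\fonttbl{\\f0 Arial;}}\\f0 Jane Doe, Security Analyst\\par}",
    # RTF body disguised with a .doc extension and carrying an embedded OLE object.
    "resume.doc": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}\\par}",
    "resume.pdf": b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n",
}

RTF_MAGIC = b"{\\rtf"
# Control words that introduce embedded objects in RTF (heuristic chosen for this example).
OBJECT_CONTROL_WORDS = (b"\\objdata", b"\\objupdate", b"\\objemb")


def is_rtf(data: bytes) -> bool:
    """RTF is recognised by its leading signature; Word opens it regardless of extension."""
    return data.lstrip().startswith(RTF_MAGIC)


def triage_attachment(name: str, data: bytes) -> dict:
    """Return a triage record: what the file really is and why (if at all) it should be held."""
    rtf = is_rtf(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    findings = []
    if rtf and ext != "rtf":
        # Extension/content mismatch: the sender wanted this to look like something else.
        findings.append("rtf-content-with-%s-extension" % (ext or "no"))
    if rtf:
        found = [w.decode() for w in OBJECT_CONTROL_WORDS if w in data]
        if found:
            findings.append("embedded-object:" + ",".join(found))
    return {"name": name, "is_rtf": rtf, "findings": findings, "quarantine": bool(findings)}


def triage_all(attachments: dict) -> list:
    """Triage every attachment; records with quarantine=True should be held for review."""
    return [triage_attachment(n, d) for n, d in attachments.items()]


if __name__ == "__main__":
    for record in triage_all(SAMPLE_ATTACHMENTS):
        print(record)
```

Holding flagged files before they are forwarded to hiring managers and interviewers breaks the internal circulation the attackers rely on.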