If your company advertises job positions on CareerBuilder, the resumes and CVs you get from candidates may be decoys filled with malware.
According to Trend Micro, security researchers caught attackers responding to job ads on CareerBuilder. They created legitimate-looking profiles, attached resumes containing malware and sent the infected documents to potential employers.
This is an issue for multiple reasons. Not only does it waste the time you would otherwise spend finding legitimate job candidates, but it also poses a security risk to your business. Here's how the attack works and how to keep your business safe.
Microsoft Word Malware
Malware sent through Microsoft Word documents isn’t a new phenomenon. Last fall, attackers circulated malicious code called Dridex, which was embedded in macros within Word documents. Most PCs don’t run macros by default because of their past use as virus carriers, but the email message carrying the infected Word attachment encouraged recipients to authorize their computers to run the macros.
Once the macros ran, the Dridex malware was downloaded onto the victim’s hard drive, where it waited until the victim visited a banking website. Instead of seeing a legitimate banking website, customers with infected computers saw a spoof website designed to mimic the banking site.
When they entered their information, such as usernames, passwords, Social Security numbers and account numbers, into the fake Web fields, attackers collected it. Attackers then either sold the information on the black market or used it themselves to empty the customer’s bank account.
The CareerBuilder Case: How MWI Works
The CareerBuilder attackers created their documents using Microsoft Word Intruder (MWI), a malware creation tool that sells for between $2,000 and $3,000 on the black market. MWI exploits a known Word RTF file vulnerability to create a dropper for malware.
When an employer opens an infected resume, the document drops malicious binaries onto the recipient’s hard drive. From there, the binaries call out to a remote command and control (C&C) server. The C&C server responds by sending a zipped image file containing a rootkit called Sheldor, which prompts the recipient’s computer and the C&C server to contact the same cloud endpoint. Once both computers connect, a remote attacker takes control of the user’s computer.
Unlike the attackers who launched Dridex, the CareerBuilder attackers didn’t aim their resume malware at individual consumers. They aimed for companies advertising for job titles like “Web developer” in engineering and finance departments. Recipients not only downloaded the infected resume but also forwarded it throughout the company.
As a result, attackers gained multiple footholds within the targeted companies’ networks. The users who downloaded the malware gave attackers their network and file access privileges.
It’s not a time-efficient attack. Responding to individual job ads requires a big time commitment from attackers. Even so, the highly targeted approach got better open rates for their infected emails, which gave attackers a better chance of infiltrating employer IT networks.
What to Do
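Unless you’ve created a macro yourself within a Microsoft Office document, always stick to Office’s default security features and avoid enabling macros. You might make exceptions for a document from someone you know regarding a familiar project, but if you can’t pick up the phone and call someone to ask about the document, don’t enable the macro. Keep in mind that this addresses macro-based malware such as Dridex; the MWI documents described above exploit a Word RTF vulnerability rather than macros, which is why the delivery and scanning measures below matter as well.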
Choose More Secure Job Posting Sites
Delivering resumes in the form of an email attachment seems like an old way of doing things in the world of cloud technology. From now on, post your open positions on a site that uploads resumes to a cloud portal instead of forwarding them directly to you. When someone answers a job ad, you receive a link to the document.
You then log in to the portal to review resumes, where the latest cloud security tools for servers will scan documents for malware and keep your computer and network safe.
Some people assume that switching resumes from .doc or .docx format to PDF format will solve the problem. Unfortunately, PDFs have also served as vehicles for malware, so you’re better off just choosing a job posting site that doesn’t email resumes to you as attachments.
Protect Your Business
Most employers know not to open an email attachment from unknown senders, but an email responding to a job post is a message that employers want to receive. CareerBuilder responded promptly to remove the threat and will hopefully re-examine resume delivery. In the interim, keep your computer and network safe by:
- Using an antivirus solution that scans email attachments for malware
- Placing ads on job sites like CareerBuilder, but only collecting resumes in the company’s secure HR portal instead of through the job site
- Not authorizing your computer to run macros from any email attachments
- Using alternative methods for screening candidates, such as reviewing LinkedIn profiles or using digital screening interviews
- Establishing network security solutions to scan inactive files for malware and sandbox suspicious documents
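As an added example (not from the original article or from Trend Micro's research), here is a minimal Python pre-screen that an HR mailbox or portal could run before a resume reaches a reviewer: it identifies the real file type from the content rather than the extension, and holds RTF files that carry embedded objects and Office files that carry VBA macros for sandboxing. It is a triage heuristic, not a detector for the specific RTF exploit; the function name, flag names and sample bytes are constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # legacy .doc/.xls container
RTF_OBJECT_WORDS = (b"\\object", b"\\objdata", b"\\objemb")
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE2 directory names are UTF-16LE


def triage_resume(filename, data):
    """Classify an attachment by content, not extension (hypothetical helper)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind, flags = "unknown", []
    if data.lstrip()[:4].lower() == b"{\\rt":     # lenient header match on purpose
        kind = "rtf"
        if ext != "rtf":
            flags.append("rtf-content-under-other-extension")
        if any(word in data for word in RTF_OBJECT_WORDS):
            flags.append("rtf-embedded-object")
    elif data.startswith(OLE2_MAGIC):
        kind = "ole2"
        if VBA_STREAM in data:                    # raw-byte heuristic, no OLE parsing
            flags.append("vba-macros")
    elif data.startswith(b"PK") and zipfile.is_zipfile(io.BytesIO(data)):
        kind = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                flags.append("vba-macros")
    elif data.startswith(b"%PDF"):
        kind = "pdf"
    # Held files go to a sandbox; everything else still gets the normal AV scan.
    hold = "rtf-embedded-object" in flags or "vba-macros" in flags
    return {"kind": kind, "flags": flags, "hold": hold}


def constructed_samples():
    """Harmless, constructed inputs that only mimic the structure of each case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"placeholder")
    return {
        "cv_plain.rtf": b"{\\rtf1\\ansi Jane Doe, Web developer}",
        "cv_object.doc": b"{\\rtf1{\\object\\objemb{\\*\\objdata 00}}}",
        "cv_macro.docx": buf.getvalue(),
    }


if __name__ == "__main__":
    print({n: triage_resume(n, b) for n, b in constructed_samples().items()})
```

A file named `.doc` that is really RTF is not malicious by itself, which is why the extension mismatch is recorded as a flag but does not trigger a hold on its own.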
Unfortunately, attackers are all too good at wrapping malware in enticing, legitimate-looking packages—such as an email from a highly respected job posting site. Attackers will keep using MWI to create infected Word documents until Microsoft fixes Word’s RTF vulnerability. Until then, avoid enabling macros when you receive emailed documents, including job resumes.