Researchers at security-as-a-service firm Proofpoint have reportedly discovered a phishing campaign that infected job seekers with malware via the online job search website CareerBuilder.
In the attack, malicious Word documents with vague titles such as “resume.doc” and “cv.doc” were attached to automated emails sent through CareerBuilder to employers.
When the employer opens the automatic email from CareerBuilder to view the attached file, the document exploits a known Word vulnerability to sneak malicious code onto the victim’s computer. The code then communicates with a command and control server, which then downloads and unzips an image file, ushering a backdoor named Sheldor onto the end-user system.
The threat research group claims that the manual attack technique, although time-consuming, has a higher success rate than automated tools, as the email attachments are more likely to be opened by the receiver.
“Rather than attempt to create a realistic lure, the attackers here have instead capitalized on the brand and service of a real site: the recipients are likely to read them and open the attachments because not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient,” Proofpoint researchers noted in a blog post.
The researchers described the malware itself as using the Microsoft Word Intruder (MWI) service and exploiting a memory corruption vulnerability for Word Rich Text Format files. MWI is an exploit kit that provides, among other things, a dropper for different types of malware tools.
Jennifer Grasz, a spokeswoman for CareerBuilder, said the company is investigating the scope of the attack with third-party experts and alerting affected customers.
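For defenders, one triage signal that follows from this description is an attachment whose name ends in .doc while its bytes are Rich Text Format. The sketch below is an added example, not code from Proofpoint or CareerBuilder; it assumes the lure files were RTF content under a .doc name, and the addresses, message and attachment bytes are constructed sample data.

```python
import email
import email.policy
import os
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy binary Word container
ZIP_MAGIC = b"PK\x03\x04"                      # OOXML (.docx) container
RTF_MAGIC = b"{\\rt"                           # start of an RTF header

# Container each extension is expected to hold.
EXPECTED = {".doc": {"ole"}, ".docx": {"zip"}, ".rtf": {"rtf"}}

def sniff(data: bytes) -> str:
    """Classify attachment content by leading bytes, ignoring the file name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"

def triage(raw_message: bytes) -> list:
    """Return (filename, extension, sniffed_type) for mismatched attachments."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        kind = sniff(part.get_payload(decode=True) or b"")
        if ext in EXPECTED and kind not in EXPECTED[ext]:
            findings.append((name, ext, kind))
    return findings

def build_sample() -> bytes:
    """Constructed notification mail: one RTF-as-.doc, one genuine OLE .doc."""
    msg = EmailMessage()
    msg["From"] = "notifications@jobsite.example"   # constructed address
    msg["To"] = "hr@employer.example"               # constructed address
    msg["Subject"] = "New application received"
    msg.set_content("A candidate applied to your posting.")
    msg.add_attachment(b"{\\rtf1\\ansi constructed benign text}",
                       maintype="application", subtype="msword",
                       filename="resume.doc")
    msg.add_attachment(OLE_MAGIC + b"\x00" * 24,
                       maintype="application", subtype="msword",
                       filename="cv.doc")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("extension/content mismatch:", finding)
```

Word opens RTF content saved under a .doc name, so some legitimate files will match; treat a hit as a reason to send the attachment to a sandbox or convert it before delivery, not as a verdict.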
She added that the website “has controls in place to stop mass distribution of applications to job postings and takes a variety of preventative measures.”