By submitting fake resumes (actually malicious files) in response to CareerBuilder job postings, the attackers leveraged the employment site's own features to deliver malware to victims.
"When a resume has been submitted to a listed job opening, the CareerBuilder service automatically generates a notification email to the job poster and attaches the document, which in this case is designed to deliver malware," the researchers explained.
"Rather than attempt to create a realistic lure, the attackers here have instead capitalized on the brand and service of a real site: the recipients are likely to read them and open the attachments because not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient," the researchers added.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
What's more, the researchers noted, once a resume is received by a job poster, it's often forwarded to several others within the organization. "Taking advantage of this dynamic enables the attackers to move laterally through their target organization," they wrote.
The malware used in the attack, which exploits a memory corruption vulnerability in Microsoft Word, was built using the Microsoft Word Intruder Service (MWI), a crime service that builds malware for a fee ranging from approximately $2,000 to $3,000.
CareerBuilder addressed the issue promptly after being notified by Proofpoint -- but as the researchers noted, "All job search websites may certainly be susceptible ... to the same issue of being used as a proxy for delivering malicious attachments."
"Owners of career websites that accept resumes in any format, whether PDF or Microsoft Word, should always assume the content may be malicious and perform scanning prior to forwarding them to any customer," they added.
Tripwire senior security analyst Ken Westin told eSecurity Planet by email that phishing remains a top attack vector, primarily because it's still so effective.
"Attackers find creative ways to exploit our trust in brands we are familiar with either through making emails or websites appear to be associated with the brand, or finding ways to leverage the brand’s own systems to deliver malware," Westin said. "This approach is tried and true as it provides attackers with a way into networks, even those that have strong perimeter defenses."
A recent eSecurity Planet article offered tips on how to avoid phishing scams.