Researchers at Proofpoint recently discovered a Phishing campaign that originated form select job postings on CareerBuilder.
Taking advantage of the notification system the job portal uses, the attacker uploaded malicious attachments instead of résumés, which in turn forced CareerBuilder to act as a delivery vehicle for Phishing emails.
The scam is both simple and complex. It's simple because the attacker used a known job site to target a pool of willing email recipients, and complex because the malware that was delivered is deployed in stages.
The attack starts by submitting a malicious Word document (named resume.doc or cv.doc) to a job posting. On CareerBuilder when someone submits a document to a job listing, a notification email is generated for the person(s) who posted the job and the attachment is included.
In this setting, the malicious attachment was sent from CareerBuilder and not the attacker - granting the message easy access to the targeted organization, bypassing many common defenses as the domain is often whitelisted.
Such a Phishing attack removes the need for a lure, as the recipients are expecting emails and attachments to come from CareerBuilder, and often those response notifications are delivered to multiple people within the organization.
So all the attacker needs to do is generate a fake CareerBuilder profile and target postings at will with their malicious attachments.
According to the latest totals in the Verizon Data Breach Investigations Report, 23 percent of Phishing recipients will open a given message and 11 percent will click on the links within them. Nearly half of those who received a Phishing email clicked on a malicious link within the first hour, and it's a safe bet that the totals would have been the same for those opening attachments.
Now, consider the fact that the email and attachment were completely expected and automatically assumed safe due to where they came from, and the CareerBuilder campaign is a good example of a well-crafted, socially-based attack from someone who knew what they were doing.
But this campaign also had a technical level that isn't often seen with generic Phishing attacks.
The volume was low, as less than ten emails were sent from CareerBuilder. The malicious attachments were sent to broadcast companies, energy companies, credit unions, stores, and electrical suppliers. The attacker appeared to be targeting positions in engineering and finance.
The malicious Word files that were sent are also another point of technicality.
They exploited a known vulnerability (e.g. CVE-2014-1761 or CVE-2012-0158) and used a chained approach to deliver the payload. In this case, once the document is opened, the exploited vulnerability will place a binary on the system that downloads and unzips an image file, which in turn installs the Sheldor rootkit. The process is streamlined as 7Zip is included with the dropper, so everything happened at once. Proofpoint did not say if any of the targets were successfully infected.
Proofpoint alerted CareerBuilder about the problem, and while they didn't mention it – the low volume suggests that this campaign was a trial run. The problem is, now the attacker knows the delivery process works and CareerBuilder isn't the only job portal on the Web. If there were infections, then that's further encouragement.
"This inventive combination of effective delivery with a very stealthy infection routine enables attackers to evade automated defenses and fool skeptical end-users. Instead of a new employee, the victim organizations welcome a dangerous piece of malware," Proofpoint said in an advisory.
"Moreover, it is important to note that job search services are themselves also victims in this attack because they are being exploited to deliver malicious attachments that bypass organizations’ existing defenses and even user training."
Further details are available here.