Once again, another popular website is facing the consequences of a phishing attack, although this time it is a little different. Normally when you think of a phishing attack you come to the conclusion that some clueless individual clicked a link in an email and corrupted the system, or gave away important information to a phony account and cost their business millions of dollars. The blame isn’t as easily directed on certain individuals this time around.
For anyone who doesn’t know what careerbuilder.com is or has never heard of it, it is a popular job searching service website. Tons of companies post job advertisements on this website such as open positions, then users can browse these job postings by area or category and apply. Generally you are able to just apply right from the website and upload your resume and attach it as a word document. Whenever a job seeker uploads their resume to a job posting, careerbuilder then notifies the company of the uploaded document. The people behind these attacks just simply title the document things such as “resume.doc” or “cv.doc” and employers open them as if it was just another typical resume. The employees download these attachments which on the surface appear to be just another applicant, but the files then go on to exploit a memory corruption vulnerability in Word RTF. This causes the infected machine to download a payload, which downloads a .zip file containing an image file which then drops a rootkit, Sheldor, on the machine. An image file is used because anti-virus programs tend to look past image files as they are expected to be nothing more than that. This is a dangerous peace of malware working its way into the organizations seeking new employees. Although the methods behind these attacks require a lot more work from the attackers due to having to find job posting and actually apply to them manually with their documents, the benefit is that it is very likely the majority of their attempts will indeed be successful. Typically, these kind of phishing attacks are just attempted with fake email accounts trying to fool people and is much less likely to work.
Researchers from a firm known as Proofpoint uncovered the information behind these malware attacks stating that the malicious documents were created in a program called Microsoft Word Intruder (MWI), a FireEye tool that was created in April of this year. This tool is sold on underground forums and serves up CVE-weaponized docs and costs around $2000-$3500 to purchase. Proofpoint also claims that careerbuilder took swift action against these attacks, but didn’t state exactly how. The bigger issue here is the fact that these attacks are always going to be a risk on job search websites and other alike websites with file attachments for attackers to parse out malware.