CareerBuilder cyberattack delivers malware straight to employers
Fri 1 May 2015

Security threat researchers Proofpoint have uncovered an email-based phishing attack which infected businesses with malware via the CareerBuilder online job search website.
The attack involved the hacker browsing job adverts across the platform and uploading malicious files during the application process, titling the documents “resume.doc” and “cv.doc.” Once the CV was submitted, an automatic email notification was sent to the business advertising the position, along with the uploaded document.
In this case, Proofpoint found that as a business opens the automatic email from CareerBuilder to view the attached file the document plays on a known Word vulnerability to sneak a malicious code onto the victim’s computer. The code then communicates with a command and control server, which then downloads and unzips an image file, ushering a backdoor named Sheldor onto the end-user system.
According to the threat research group, the manual attack technique although time-consuming has a higher success rate than automated tools as the email attachments are more likely to be opened by the receiver.
“Not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient,” said Proofpoint. The researchers added that there is also a greater likelihood that the email and attachment will be circulated around a business, to HR managers, interviewers, and other staff members – “Taking advantage of this dynamic enables the attackers to move laterally through their target organization.”
Proofpoint detected an indiscriminate approach to the malware campaign, with large retail groups, energy organisations and broadcast companies all targeted in the attacks. It was found however that job roles in the engineering and finance sectors were favoured targets, with titles such as “business analyst,” “web developer” and other positions which revealed significant information on the companies IT infrastructure being prime vectors.
Proofpoint said that the malware was deploying the exploit kit Microsoft Word Intruder (MWI) and used a memory corruption vulnerability for Word Rich Text Format files.