June 12, 2013 By Etay Maor 3 min read

Employment websites have long been a target for cyber criminals. These websites are targeted by malware for credentials theft and are used for mule recruitment and malware distribution. A recent Zeus malware configuration analyzed by IBM’s security team uses HTML injection to advertise a mule recruitment site when a victim visits CareerBuilder.com. It will likely affect thousands of job seekers.

Job Seekers as Mules

Money mules are a critical component for criminals looking to cash out money from a victim’s account. In the past, criminals used many employment websites to recruit mules, advertising a job opening at a company looking for “financial managers.” The ads included enticing descriptions of easy money from simple “work-at-home” jobs, luring job seekers to contact the supposed employer and unknowingly serve as the money-laundering component of a cyber crime gang.

Employment websites have recognized this threat to their job-seeking customers and are now offering easy ways for users to report suspicious ads. In addition, the affected websites created security teams that use a combination of manual and automatic search techniques to detect and remove suspicious ads.

Malware authors, on the other hand, recognize that job seekers who actively access employment websites have a high potential to be recruited successfully and serve as money mules. So how would criminals continue to reach out to job seekers without raising the suspicion of the employment websites?

Man-in-the-Browser Techniques

A recent Zeus malware configuration analyzed by IBM’s security team is using man-in-the-browser (MitB) techniques to present the user with an advertisement for a mule-recruitment site every time the victim accesses CareerBuilder.com. The mule recruitment website in this case is marketandtarget.com, as can be seen in the excerpt from the original Zeus configuration file below:

HTML injection code used to inject the marketandtarget.com link

The target website, marketandtarget.com, is currently down.

Current marketandtarget.com website

When operational, the website had a typical mule recruitment site layout that included poorly written banners.

The site also has a recruitment section that included, among other so-called opportunities, a “mystery shopper” job opening. (It is also worth noting that a website with a similar name, premiermarketsolutions.com, is a reported scam site.)

By using CareerBuilder as a platform, the Zeus operators maximize their outreach to potential mule targets. While HTML injection is typically used for adding data fields or to present bogus messages, in this case we witnessed a rare usage that attempts to divert the victim to a fake job offering. Because this redirection occurs when the victim is actively pursuing a job, in this case with CareerBuilder, the victim is more likely to believe the redirection is to a legitimate job opportunity.

Man-in-the-browser malware remains a significant threat to end users, whether it is used for data theft or for user redirection attempts. IBM Security Trusteer Rapport can identify, prevent and remove Zeus and other financial malware that employ this technique to minimize the risk of fraud attempts of different flavors.

More from Malware

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today