Employment websites have long been a target for cyber criminals. These websites are targeted by malware for credentials theft and are used for mule recruitment and malware distribution. A recent Zeus malware configuration analyzed by IBM’s security team uses HTML injection to advertise a mule recruitment site when a victim visits CareerBuilder.com. It will likely affect thousands of job seekers.

Job Seekers as Mules

Money mules are a critical component for criminals looking to cash out money from a victim’s account. In the past, criminals used many employment websites to recruit mules, advertising a job opening at a company looking for “financial managers.” The ads included enticing descriptions of easy money from simple “work-at-home” jobs, luring job seekers to contact the supposed employer and unknowingly serve as the money-laundering component of a cyber crime gang.

Employment websites have recognized this threat to their job-seeking customers and are now offering easy ways for users to report suspicious ads. In addition, the affected websites created security teams that use a combination of manual and automatic search techniques to detect and remove suspicious ads.

Malware authors, on the other hand, recognize that job seekers who actively access employment websites have a high potential to be recruited successfully and serve as money mules. So how would criminals continue to reach out to job seekers without raising the suspicion of the employment websites?

Man-in-the-Browser Techniques

A recent Zeus malware configuration analyzed by IBM’s security team is using man-in-the-browser (MitB) techniques to present the user with an advertisement for a mule-recruitment site every time the victim accesses CareerBuilder.com. The mule recruitment website in this case is marketandtarget.com, as can be seen in the excerpt from the original Zeus configuration file below:

HTML injection code used to inject the marketandtarget.com link

The target website, marketandtarget.com, is currently down.

Current marketandtarget.com website

When operational, the website had a typical mule recruitment site layout that included poorly written banners.

The site also has a recruitment section that included, among other so-called opportunities, a “mystery shopper” job opening. (It is also worth noting that a website with a similar name, premiermarketsolutions.com, is a reported scam site.)

By using CareerBuilder as a platform, the Zeus operators maximize their outreach to potential mule targets. While HTML injection is typically used for adding data fields or to present bogus messages, in this case we witnessed a rare usage that attempts to divert the victim to a fake job offering. Because this redirection occurs when the victim is actively pursuing a job, in this case with CareerBuilder, the victim is more likely to believe the redirection is to a legitimate job opportunity.

Man-in-the-browser malware remains a significant threat to end users, whether it is used for data theft or for user redirection attempts. IBM Security Trusteer Rapport can identify, prevent and remove Zeus and other financial malware that employ this technique to minimize the risk of fraud attempts of different flavors.