Employment websites have long been a target for cyber criminals. These websites are targeted by malware for credentials theft and are used for mule recruitment and malware distribution. A recent Zeus malware configuration analyzed by IBM’s security team uses HTML injection to advertise a mule recruitment site when a victim visits CareerBuilder.com. It will likely affect thousands of job seekers.

Job Seekers as Mules

Money mules are a critical component for criminals looking to cash out money from a victim’s account. In the past, criminals used many employment websites to recruit mules, advertising a job opening at a company looking for “financial managers.” The ads included enticing descriptions of easy money from simple “work-at-home” jobs, luring job seekers to contact the supposed employer and unknowingly serve as the money-laundering component of a cyber crime gang.

Employment websites have recognized this threat to their job-seeking customers and are now offering easy ways for users to report suspicious ads. In addition, the affected websites created security teams that use a combination of manual and automatic search techniques to detect and remove suspicious ads.

Malware authors, on the other hand, recognize that job seekers who actively access employment websites have a high potential to be recruited successfully and serve as money mules. So how would criminals continue to reach out to job seekers without raising the suspicion of the employment websites?

Man-in-the-Browser Techniques

A recent Zeus malware configuration analyzed by IBM’s security team is using man-in-the-browser (MitB) techniques to present the user with an advertisement for a mule-recruitment site every time the victim accesses CareerBuilder.com. The mule recruitment website in this case is marketandtarget.com, as can be seen in the excerpt from the original Zeus configuration file below:

HTML injection code used to inject the marketandtarget.com link

The target website, marketandtarget.com, is currently down.

Current marketandtarget.com website

When operational, the website had a typical mule recruitment site layout that included poorly written banners.

The site also has a recruitment section that included, among other so-called opportunities, a “mystery shopper” job opening. (It is also worth noting that a website with a similar name, premiermarketsolutions.com, is a reported scam site.)

By using CareerBuilder as a platform, the Zeus operators maximize their outreach to potential mule targets. While HTML injection is typically used for adding data fields or to present bogus messages, in this case we witnessed a rare usage that attempts to divert the victim to a fake job offering. Because this redirection occurs when the victim is actively pursuing a job, in this case with CareerBuilder, the victim is more likely to believe the redirection is to a legitimate job opportunity.

Man-in-the-browser malware remains a significant threat to end users, whether it is used for data theft or for user redirection attempts. IBM Security Trusteer Rapport can identify, prevent and remove Zeus and other financial malware that employ this technique to minimize the risk of fraud attempts of different flavors.

More from Malware

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…