Phishing scams are now commonplace. Businesses of all sizes regularly educate their employees on the risk of opening unknown attachments, even if they seem legitimate. But what if these scams didn’t need a lure? What if the message and attachment were expected and from a trusted source? That’s the case with a new attack effort. CSO Online reported that a set of CareerBuilder phishing emails have emerged. Using the CareerBuilder website as a jumping-off point, malicious actors have found a way to convince even savvy IT users they should grab the line and jump in the malware-infested boat.

Phishing With Dynamite

These CareerBuilder phishing emails were unique. Instead of legitimate-looking emails from a questionable source, these emails are expected, trusted and seemingly innocuous. The attack centers around CareerBuilder’s resume upload feature, which lets prospective employees attach a document file containing their resume to specific job applications. These files are then forwarded to the owner of the job posting from CareerBuilder itself, which allows them to bypass most perimeter email defenses, since the site is often white-listed. Upon arrival, users have no hesitation in opening the email and its corresponding “resume.doc” or “CV.doc” attachment because they come from a trusted source.

Security firm Proofpoint found that the malicious files use a chain attack approach, starting with vulnerabilities such as CVE-2014-1761 or CVE-2012-0158 to place a binary on the target system, CSO Online reported. Proofpoint didn’t say if any of the attacks were successful but did note that they were small in number — fewer than 10 — and targeted positions related to engineering and finance. It’s likely that these first forays were simply test attacks to see if the process would work. On a large scale, think of it like phishing with dynamite: This kind of white-listed attack would grab all but the most elusive fish, and even savvy IT users could be easily fooled.

An Endless Supply

It’s a rare week that doesn’t feature a new phishing scam making headlines. Healthcare IT News recently reported that the protected health information and Social Security numbers of 39,000 people were accessed after users were targeted by a compromised email account. The problem at large is simple: Users are an unlimited resource, giving hackers ample opportunity to develop new and more legitimate-seeming attack vectors. The problem is big enough that Google has developed a warning system. According to The Verge, a new Chrome extension called “Password Alert” is designed to let users know if they’ve been hooked. It works like this: Chrome compares a hashed version of user passwords to anything they enter into a text field. If the browser detects that users have entered their password into a non-Google site, it warns them of the potential risk. This is an after-the-fact solution, but it may still give users time to reset their passwords before it’s too late.