May 4, 2015 By Douglas Bonderud 2 min read

Phishing scams are now commonplace. Businesses of all sizes regularly educate their employees on the risk of opening unknown attachments, even if they seem legitimate. But what if these scams didn’t need a lure? What if the message and attachment were expected and from a trusted source? That’s the case with a new attack effort. CSO Online reported that a set of CareerBuilder phishing emails have emerged. Using the CareerBuilder website as a jumping-off point, malicious actors have found a way to convince even savvy IT users they should grab the line and jump in the malware-infested boat.

Phishing With Dynamite

These CareerBuilder phishing emails were unique. Instead of legitimate-looking emails from a questionable source, these emails are expected, trusted and seemingly innocuous. The attack centers around CareerBuilder’s resume upload feature, which lets prospective employees attach a document file containing their resume to specific job applications. These files are then forwarded to the owner of the job posting from CareerBuilder itself, which allows them to bypass most perimeter email defenses, since the site is often white-listed. Upon arrival, users have no hesitation in opening the email and its corresponding “resume.doc” or “CV.doc” attachment because they come from a trusted source.

Security firm Proofpoint found that the malicious files use a chain attack approach, starting with vulnerabilities such as CVE-2014-1761 or CVE-2012-0158 to place a binary on the target system, CSO Online reported. Proofpoint didn’t say if any of the attacks were successful but did note that they were small in number — fewer than 10 — and targeted positions related to engineering and finance. It’s likely that these first forays were simply test attacks to see if the process would work. On a large scale, think of it like phishing with dynamite: This kind of white-listed attack would grab all but the most elusive fish, and even savvy IT users could be easily fooled.

An Endless Supply

It’s a rare week that doesn’t feature a new phishing scam making headlines. Healthcare IT News recently reported that the protected health information and Social Security numbers of 39,000 people were accessed after users were targeted by a compromised email account. The problem at large is simple: Users are an unlimited resource, giving hackers ample opportunity to develop new and more legitimate-seeming attack vectors. The problem is big enough that Google has developed a warning system. According to The Verge, a new Chrome extension called “Password Alert” is designed to let users know if they’ve been hooked. It works like this: Chrome compares a hashed version of user passwords to anything they enter into a text field. If the browser detects that users have entered their password into a non-Google site, it warns them of the potential risk. This is an after-the-fact solution, but it may still give users time to reset their passwords before it’s too late.

More from

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today