Hiring? New scam campaign means ‘resume’ downloads may contain malware

/in


A cybercrime gang is targeting hiring managers and recruiters in a new campaign to spread the “more_eggs” backdoor malware.

Emails from supposed job seekers are luring victims to malicious “resume” downloads using sophisticated social engineering and infrastructure, Proofpoint said in a security briefing Tuesday.

The briefing outlines the evolving tactics of the threat actor tracked as TA4557, which Proofpoint researchers have been monitoring since 2018.

Spear phishing strategy convinces recruiters to stray from safety

Secure email gateways are one of the most common endpoint security measures used by organizations; new methods by TA4557 seek to bypass these measures and lure job recruiters to attacker-controlled websites.

“The social engineering is very compelling leading up to the download of the file from the resume website,” Proofpoint Senior Threat Analyst Selena Larson told SC Media.

The attacks, which Proofpoint first detected in October 2023, begin with an email inquiring about an open position. With no links or attachments, the seemingly benign email gets the foot in the door to start building trust.

If the victim responds, the attack chain continues with the supposed job candidate inviting the hiring manager or recruiter to download a resume from their “personal website.”

Unlike classic jobs scams targeting job seekers themselves, there is no need to impersonate an established business through methods like typosquatting. Additionally, researchers began seeing in early November that attackers avoided sending links altogether by directing their victims to “refer to the domain name of my email address to access my portfolio.”

Requiring the victim to copy and paste the malicious domain name increases the likelihood the emails will make it past secure email gateways. Plus, with unassuming domain names like “wlynch[.]com” for a candidate named William Lynch and “annetterawlings[.]com” for a candidate named Annette Rawlings, the emails are less likely to raise alarm bells than those from free email providers like Gmail or Yahoo.

The attacker-controlled “candidate” websites were found to apply filters based on details like the victim’s IP address to…

Source…