Wednesday, May 13, 2015

Are Your Corporate Job Postings Making You More Vulnerable to Cyber Attacks?

Posted by - Paula Wheeldon, Marketing Team

A recent article posted in Dark Reading, CareerBuilder Attack Sends Malware-Rigged Resumes to Businesses, outlines a new exploit that has been characterized by some researchers as “simple elegance and brilliance.” While these may not be words typically used to describe malicious cyber exploits, it’s clear those quoted have a wary respect for the deftness of this attack.

First reported by Proofpoint in their blog, it uses phishing and social engineering, with the perpetrators responding to job postings on the CareerBuilder site, primarily for engineering and finance. The hackers respond to the designated ad with an infected MS Word doc entitled resume.doc, or cv.doc, which includes a malicious payload that’s designed to exploit a Word vulnerability, allowing them to put a binary on the user’s computer, which in turn generates a C&C callback. The real trouble starts when the callback downloads and unzips an image, opening a backdoor called Sheldor on the victim’s machine.

The Dark Reading author points out that this attack is particularly menacing for a number of reasons. First, it exploits a legitimate career service – what company is going to be suspicious of resumes sent by CareerBuilder? Second, it’s the type of attachment that is likely to be shared within the organization. One can imagine how it could happen: HR collects resumes and CVs, sends them to the appropriate hiring manager, who then sends them to other stakeholders, who share them with colleagues, and so it goes. Another interesting aspect of this attack is that the information contained in job postings may be exactly what the criminal needs to craft an email that will not only seem legitimate, but also persuade the recipient to open the attachment. We must consider that stealthy and cunning attacks like the CareerBuilder exploit will continue to plague us, with extraordinary data loss, as long as we insist on putting all our security investment into preventive tools.

Some are now arguing that a new approach is needed -- one that can help compensate for the unavoidable gaps in preventive measures. For instance, deploying a solution that continuously monitors for anomalies in outbound traffic, with full visibility across all data channels, could alert IT to a problem even before an active infection is detected. A solution that monitors for and analyzes anomalies, and includes auto-containment of malicious data transfers, would have the power to mitigate the consequences of a breach by stopping data exfiltration.
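To make the outbound-anomaly idea concrete, here is an added illustration (not iboss code and not a description of FireSphere) of the kind of logic such monitoring relies on. It streams constructed egress log lines, builds a per-host baseline of typical outbound volume and previously seen destinations, flags a large transfer to a never-before-seen destination, and turns each alert into a containment decision. The log format, host names, destinations and the three-sigma threshold are all assumptions chosen for the example.

```python
"""
Added example: a minimal outbound-traffic anomaly detector.

Baseline per host = typical bytes sent per session plus the set of
destinations it has contacted before. An alert fires when a session goes
to an unseen destination AND its size is far above the host's baseline,
the pattern a post-compromise exfiltration leaves in egress logs.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample egress log: timestamp, source host, destination, bytes out.
# Hosts, destinations and sizes are invented for this illustration.
SAMPLE_LOG = """\
2015-05-11T09:01:10 hr-ws-04 careerbuilder.com 1820
2015-05-11T09:05:42 hr-ws-04 mail.example-corp.local 3400
2015-05-11T09:12:03 hr-ws-04 careerbuilder.com 2100
2015-05-11T10:30:55 hr-ws-04 mail.example-corp.local 2900
2015-05-11T11:02:17 hr-ws-04 careerbuilder.com 1750
2015-05-11T14:20:08 hr-ws-04 198.51.100.23 4200000
2015-05-11T09:03:30 fin-ws-11 erp.example-corp.local 5600
2015-05-11T09:50:12 fin-ws-11 erp.example-corp.local 6100
2015-05-11T13:15:44 fin-ws-11 erp.example-corp.local 5900
"""


@dataclass
class Event:
    ts: str
    host: str
    dest: str
    bytes_out: int


def parse_log(text):
    """Parse the whitespace-separated sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, size = line.split()
        events.append(Event(ts, host, dest, int(size)))
    return events


def detect_anomalies(events, min_history=3, sigma=3.0):
    """Process events in time order and flag sessions to a never-seen
    destination whose size exceeds mean + sigma * stddev of the host's
    earlier sessions. Hosts with too little history are not judged yet."""
    history = defaultdict(list)     # host -> bytes_out of earlier sessions
    known_dests = defaultdict(set)  # host -> destinations seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        hist = history[ev.host]
        if len(hist) >= min_history and ev.dest not in known_dests[ev.host]:
            # pstdev is 0 when all earlier sessions were the same size,
            # so the threshold then collapses to the mean itself.
            threshold = mean(hist) + sigma * pstdev(hist)
            if ev.bytes_out > threshold:
                alerts.append({
                    "ts": ev.ts,
                    "host": ev.host,
                    "dest": ev.dest,
                    "bytes_out": ev.bytes_out,
                    "baseline": round(threshold),
                })
        # Every session, flagged or not, updates the host's baseline.
        hist.append(ev.bytes_out)
        known_dests[ev.host].add(ev.dest)
    return alerts


def containment_actions(alerts):
    """Map each alert to the auto-containment steps the post describes:
    block the flagged egress flow and hold the source host for triage."""
    actions = []
    for a in alerts:
        actions.append(("block_egress", a["host"], a["dest"]))
        actions.append(("quarantine_host", a["host"]))
    return actions


if __name__ == "__main__":
    found = detect_anomalies(parse_log(SAMPLE_LOG))
    for alert in found:
        print("ALERT", alert)
    for action in containment_actions(found):
        print("ACTION", action)
```

Only hr-ws-04 trips the detector: its 4.2 MB session to an address it had never contacted dwarfs its few-kilobyte baseline, while fin-ws-11's steady traffic to the ERP server stays quiet. In practice the baseline would be learned over days rather than a handful of sessions, and the destination novelty check would be paired with reputation data, but the shape of the decision is the same.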

Certainly, we don’t advocate discarding preventive technology such as sandboxing and IPS. They will continue to be an important part of good security strategy. What we are saying is that it’s time to challenge conventional thinking with a new approach, one that focuses equally on stopping malware and disrupting malware’s mission to steal your data.

Read the Dark Reading article
Learn more about iboss FireSphere