Employers and human resources departments are being victimized by a creative new scheme that involves emailing fake resumes and medical leave paperwork
When the unemployment rate in the United States temporarily topped 20% in Spring of 2020, hackers devised yet another new scheme to exploit the impact of the coronavirus.
This malware campaign, which was spotted by cyber threat intelligence provider Check Point Research, sees attackers targeting businesses as they masquerade as job seekers and send out emails with file attachments that claim to be resumes for potential employees. Instead, the files contain malware capable of stealing user credentials and information. In a blog post, Check Point explained how this campaign works.
Emails are sent to employees at various businesses, containing subject lines such as “applying for a job” or “regarding job.” The body of the email reads like a standard cover letter with the phony applicant expressing an interest in working for the company. Included in the email is a Microsoft Excel file with a name indicating that this is the person’s resume or CV.
If the unsuspecting employee clicks on the Excel attachment, a macro in the file runs and downloads its payload, namely the Zloader malware. Labeled a banking trojan, Zloader evolved from Zeus malware, trying to steal banking passwords and other financial data. If a device gets infected with Zloader, the attackers could perform financial transactions using the compromised credentials.
These resume-themed campaigns have recently increased in the US, doubling during the spring of 2020. Of all malicious files observed by Check Point, 1 out of every 450 is part of a CV scam.
Medical leave scams
Another campaign uses phony medical leave forms to deploy a different banking Trojan. In this scheme, emails are sent to business employees with subject lines such as “The following is a new Employee Request Form for leave within the Family and Medical Leave Act (FMLA).” Sent from various sender domains, including “medical-center.space,” the emails contain Microsoft Word attachments with names like “COVID-19 FLMA CENTER.doc.”
Opening the file attachment triggers a macro that launches IcedID malware, another Trojan that attempts to steal financial data. This campaign uses site redirection to open clone websites and employs web injection to display fake content on top of the original pages.
A similar campaign uses the same Family and Medical Leave Act pitch but is sent from different domains, including “covid-agency.space.” This attack uses Trickbot, which is also a banking Trojan that’s continually being enhanced with new capabilities.
As countries and businesses are starting to open up post-COVID-19, cybercriminals are ramping up their activities, which has led to a 16% increase in attacks in May of 2020, compared with March and April.
How do Companies Protect Themselves?
- Instruct HR and hiring managers on the risks of CVs and malicious active content that could be embedded in file attachments.
- Leverage technologies that “flatten” resumes to non-macro enabled formats.
- Be aware of malicious attackers seeking to obtain financial information beyond the initial phishing attack.
- Watch out for well-known banking malware such as Zeus and its variants being reintroduced into the attack landscape.
- Apply security technologies that identify and prevent full coverage of these malware campaigns and Trojan/RAT droppers.