
CareerBuilder Cyberattack Delivers Malware Straight To Employers

An anonymous reader writes: Security threat researchers Proofpoint have uncovered an email-based phishing attack which infected businesses with malware via the CareerBuilder online job search website. The attack involved the hacker browsing job adverts across the platform and uploading malicious files during the application process, titling the documents "resume.doc" and "cv.doc." Once the CV was submitted, an automatic email notification was sent to the business advertising the position, along with the uploaded document. In this case, Proofpoint found that as a business opens the automatic email from CareerBuilder to view the attached file, the document plays on a known Word vulnerability to sneak malicious code onto the victim's computer. According to the threat research group, the manual attack technique, although time-consuming, has a higher success rate than automated tools, as the email attachments are more likely to be opened by the receiver.

  1. Serves them right! by Grishnakh · · Score: 5, Interesting

    That's what these morons get for demanding resumes in .DOC format instead of PDF. I don't need someone else editing my resume, especially an employer I'm submitting it to. So why do they want it in an editable format rather than a format which is specifically designed to be read-only and to appear exactly the same no matter what device you view or print it on?

    1. Re:Serves them right! by drinkypoo · · Score: 5, Insightful

      That's what these morons get for demanding resumes in .DOC format instead of PDF.

      Ah yes, the ultra-secure PDF, which has never been a vector for malware.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Serves them right! by Anonymous Coward · · Score: 0

      Both should be scanned by the job site. Neither is encrypted, and both are being re-served to clients, so a scan should have been done.

    3. Re:Serves them right! by drinkypoo · · Score: 2

      Both should be scanned by the job site. Neither is encrypted, and both are being re-served to clients, so a scan should have been done.

      If they were half as smart as they think they are, they'd demand plain text. It doesn't hide malware unless you save it to a file and double-click it. Who gives a shit about what font a resume is in? They can buy the layout.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Serves them right! by __aaltlg1547 · · Score: 1

      I agree. But to be safe, demand plaintext unless you're looking for a photographer or a graphic designer.

    5. Re:Serves them right! by MichaelSmith · · Score: 0

      Or define a common XML schema and don't include a tag to execute arbitrary code.

    6. Re:Serves them right! by Anonymous Coward · · Score: 0

      Why do they demand a DOC/PDF when they make you retype all the bullshit into Taleo anyway?

    7. Re:Serves them right! by holostarr · · Score: 1

      Yea, it's not like a malware writer couldn't come up with a specially crafted XML string which takes advantage of a vulnerability in the XML parser of whatever the most popular reader/writer may be. Face it, software will have bugs regardless of who writes it or whether it's open source or not.

    8. Re:Serves them right! by MichaelSmith · · Score: 1

      Well we're all fucked then.

    9. Re:Serves them right! by Anonymous Coward · · Score: 0

      It is also what you get when you have 100% unit test coverage and no QA. I had a chance to run into the Career Builder software developers in a ScrumMaster training...

    10. Re:Serves them right! by antdude · · Score: 1

      So, we go back to plain ASCII text format. Unless that has it too. :/

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    11. Re: Serves them right! by Billly+Gates · · Score: 1

      Son

      You don't actually think they read the resumes, do you? That is waaay too much to ask of HR. According to that slick salesman from Taleo, HR is liberated and can focus on more important things like, uh, firing people and getting coffee.

      You see, you need the file in an ancient .doc format, which will use an algorithm to check employment dates and delete. After that it looks for grammatical errors, which is flawed and will delete perfectly good candidates due to Taleo's own bugs! Last, use a score like Excite and Google use.

      The top 4 scores get interviews.

      If the software doesn't work then cry about raising H1B crises!!

        It must be that as Taleo is perfect I tell you?!

      Oh, it won't with a txt file. Without formatting, the software will parse the wrong section.

      I rallied around many unemployed and refused to apply with anyone who uses Taleo. It is insulting to spend hours applying just so the software can reject me. A 15 minute process always gets stretched to over an hour. However, everyone uses it now, so my resume is SEO'd to get the highest score so I can get the job over more qualified applicants.

    12. Re:Serves them right! by Mr.+Freeman · · Score: 1

      If you prefer to use PDFs for *security* reasons then you're an idiot. PDFs have been the attack vector for a crapload of malware.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
    13. Re:Serves them right! by Anonymous Coward · · Score: 0

      If you prefer to use PDFs for *security* reasons then you're an idiot. PDFs have been the attack vector for a crapload of malware.

      Cool. Now show me an exploit that attacks Adobe Reader, poppler-based apps and the JS-based reader built into my browser.

      This is actually the same problem of software monoculture described in TFA. Had 50% of businesses used Apple Pages, OpenOffice or AbiWord instead of unpatched Microsoft software, then the success rate of the attack would be negligible.

    14. Re:Serves them right! by Anonymous Coward · · Score: 0

      So, we go back to plain ASCII text format. Unless that has it too. :/

      What do you have against EBCDIC?!?! I call discrimination!!!

    15. Re:Serves them right! by Grishnakh · · Score: 1

      If you don't understand the concept of software monoculture, then you're an idiot.

      Here's a clue, moron: Adobe Reader isn't the only way to view PDFs.

    16. Re:Serves them right! by RockDoctor · · Score: 1

      Hmmm, "exactly" the same? Well, if the person producing the PDF remembered to include the appropriate parts of the fonts. (I was trying to make heads or tails of a PDF from a geology journal last night. All the diagrams completely labelled with uninformative square "don't have a glyph" glyphs.)

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    17. Re:Serves them right! by RockDoctor · · Score: 1

      Adobe Reader can view PDFs instead of just freezing the computer solid and then crashing? Well, whodathunkit?

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  2. Re:I love blowing my load inside of a vagina. by Anonymous Coward · · Score: 0

    You should blow your load into slashdot comment content instead, to show off what you can accomplish.

  3. scripting in a document is bad by Gravis+Zero · · Score: 2

    it was a novel idea and i'm sure it solves some problems but having scripting in a document format simply has too high a price to pay. scripting does not belong in documents!

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:scripting in a document is bad by BradleyUffner · · Score: 1, Troll

      it was a novel idea and i'm sure it solves some problems but having scripting in a document format simply has too high a price to pay. scripting does not belong in documents!

      I'll let all the guys doing web pages know. I guess we'll have to figure something else out.

    2. Re:scripting in a document is bad by gstoddart · · Score: 4, Funny

      Honestly, though, giving web designers access to scripting on the client side has produced a LOT of shit code and security holes.

      So, if you're in the business of letting all the guys know, can you tell them to stop being so incompetent at security?

      Because the average web developer seems to be pretty stupid and useless when it comes to writing code which doesn't want to become a gaping security hole.

      kthanksby.

      --
      Lost at C:>. Found at C.
    3. Re:scripting in a document is bad by Anonymous Coward · · Score: 2, Informative

      I'll let all the guys doing web pages know. I guess we'll have to figure something else out.

      We wish you would. You've made the web nigh well unusable without NoScript. I have to block JavaScript by default and just whitelist a few things to even tolerate the web a little bit.

      So yes, PLEASE, let them know. I'm tired of having to set up noscript for all my friends and then whitelist their banks and shit so that stuff still works.

    4. Re:scripting in a document is bad by Anonymous Coward · · Score: 1

      Javascript doesn't belong on the internet, neither does advertising or html5 or flash or any of that other fluff. The web should be only plain text and maybe a few images, I might even allow animated gifs. By the way, who's the asshat that put a pdf viewer in my web browser? Bunch of god damn fruit loops.

    5. Re:scripting in a document is bad by Anonymous Coward · · Score: 0

      And yet, that's what websites are.

    6. Re: scripting in a document is bad by Billly+Gates · · Score: 1

      Really?

      There are sites that function without JS in 2015?? Please, I do not use NoScript as it requires a crappy browser, and UAC controls the hell out of me to allow. The ads are far less annoying.

      Seems adblockers are the more realistic option.

    7. Re:scripting in a document is bad by Tablizer · · Score: 1

      scripting does not belong in documents!

      Microsoft should invent Inactive-X

    8. Re:scripting in a document is bad by holostarr · · Score: 1

      Then stick to Lynx, the rest of us will continue to enjoy our dynamic web pages where the whole page doesn't need to load just to see if you have a new email, or reply to a comment, or the sub total of your pizza based on how many toppings you added...

    9. Re:scripting in a document is bad by Anonymous Coward · · Score: 0

      it was a novel idea and i'm sure it solves some problems but having scripting in a document format simply has too high a price to pay. scripting does not belong in documents!

      The attack doesn't use scripting. It uses a Rich Text Format memory corruption vulnerability.
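A defender-side check in the spirit of the "both should be scanned by the job site" suggestion in comment 2 above and the RTF point made here, added as an example for this page (not CareerBuilder's, Proofpoint's or any poster's code): it sniffs an upload's real format from its magic bytes rather than its name, flags a "resume.doc" that is actually RTF carrying an embedded object or a document carrying a VBA project, and rejects anything flagged. The magic bytes and the RTF/OOXML markers are real; the legacy .doc macro check is a string heuristic rather than a full OLE parse, and `constructed_docx` builds a constructed sample purely for testing.

```python
import io
import zipfile

SIGNATURES = [  # magic bytes of the formats argued over in this thread; the filename is never trusted
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc (OLE compound file)
    (b"{\\rtf", "rtf"),                            # RTF, which Word opens even when named .doc
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                        # .docx is a ZIP container
]
EXPECTED = {"doc": {"ole"}, "docx": {"zip"}, "rtf": {"rtf"}, "pdf": {"pdf"}, "txt": {"text"}}

def sniff(data: bytes) -> str:
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown" if b"\x00" in data else "text"  # crude: NUL bytes mean binary

def risk_flags(kind: str, data: bytes) -> list:
    flags = []
    if kind == "ole":
        # Heuristic, not a CFB parse: OLE directory names are UTF-16LE, so "Macros"/"VBA" entries betray a VBA project.
        if any(n.encode("utf-16-le") in data for n in ("Macros", "VBA")):
            flags.append("ole-macro-stream")
    elif kind == "rtf":
        # Embedded OLE objects are the usual carrier for RTF exploit payloads.
        if b"\\objdata" in data or b"\\objclass" in data:
            flags.append("rtf-embedded-object")
    elif kind == "zip":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return ["corrupt-zip"]
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            flags.append("docx-macro-project")
    return flags

def assess_upload(filename: str, data: bytes) -> dict:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    flags = risk_flags(kind, data)
    if kind not in EXPECTED.get(ext, set()):
        flags.append("extension-mismatch")  # e.g. "resume.doc" that is really RTF
    return {"kind": kind, "flags": flags, "accept": not flags}

def constructed_docx(with_macro: bool) -> bytes:  # constructed sample: minimal .docx-like ZIP
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in ["word/document.xml"] + (["word/vbaProject.bin"] if with_macro else []):
            z.writestr(name, b"")
    return buf.getvalue()
```

A site that re-serves applicant files could run `assess_upload` before the notification email goes out and forward only uploads whose `accept` is true.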

    10. Re:scripting in a document is bad by Anonymous Coward · · Score: 0

      You check your email on a Web site?

  4. Liability by Ryanrule · · Score: 1

    Again, as I have said before, make sites fully liable for their content. Including ads. They can self host, or fuck off.

  5. Re:I love blowing my load inside of a vagina. by Anonymous Coward · · Score: 0

    He can't, Slashdot doesn't allow whitespace-only comments.

  6. So not only is CB Spamming Morons by Khyber · · Score: 1

    CB also appears to be very insecure spamming morons.

    Good Job, CareerBuilder. Do you ever wonder why I tell people to avoid you like the plague?

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  7. SANITIZE YOUR INPUTS! by Anonymous Coward · · Score: 0

    When has trusting the internet EVER worked?

  8. Obvious question--can we ask it? by Jiro · · Score: 1

    Is Dice vulnerable to this attack as well?

    1. Re:Obvious question--can we ask it? by Anonymous Coward · · Score: 0

      The 'exploit' takes advantage of exploitable filetypes, not necessarily the site, so I suppose any job site that accepts those types of files can be vulnerable (with bonus points for the site being bot-able by the hackers as well), depending upon the moron-factor of the employers using them.

  9. Re:I love blowing my load inside of a vagina. by Anonymous Coward · · Score: 0

    I believe I've seen them before, but I don't know how it's done.

  10. Hard to sympathize by Ancil · · Score: 1

    Microsoft fixed the underlying vulnerability over a year ago, less than a month after it was first reported.

    Do people really run computers with security patches turned off?
    Computers connected to the internet?
    Computers which are primarily used to open files emailed by random strangers?

    1. Re:Hard to sympathize by Anonymous Coward · · Score: 0

      Yes, they do.

      Some organizations would rather have their boxes be pwned left and right than to have to go through the byzantine change management control processes they have in place just to apply a 1+ year old security patch. This is the type of "security" you pay for when you choose to have an IT department staffed by a low-bid outsourcing firm and/or H1-Bs.

    2. Re:Hard to sympathize by Anonymous Coward · · Score: 0

      Do people really run computers with security patches turned off?
      Computers connected to the internet?
      Computers which are primarily used to open files emailed by random strangers?

      Do ursines defecate in the forest?

  11. Erm by cascadingstylesheet · · Score: 3, Insightful

    It's a Word doc. This has always been a "vulnerability". You are soliciting Word docs, for heaven's sake.

    "Please send me files, which like all files, might be infected" is not a "cyber-attack".

    1. Re:Erm by cascadingstylesheet · · Score: 0

      Le sigh. "Flamebait".

      My point is that you are soliciting files. "Send me files", you say.

      They just now figured out that files might be infected?

  12. Re:I love blowing my load inside of a vagina. by JustOK · · Score: 1

    white privilege

    --
    rewriting history since 2109
  13. Recursion Expert by Tablizer · · Score: 3, Funny

    WANTED: Security expert to help patch the problems caused by our search for security experts.

  14. Re: There are sites that function without js by Anonymous Coward · · Score: 1

    There are sites that function without js in 2015??

    Yep. Like the one you were reading and posted your comment on. Like Google. Like most other websites.

    Only a few refuse* to work without JS. And for most of them you are the product, not the customer.

    *Yes, refuse. They certainly can work without it, but choose not to. And often most of their JS has got little to do with their site's content, and much to do with "content enhancing offers" (read: advertisement spam) and user-tracking (and other stuff that's definitely not there to benefit you).

    Of the remaining JS, most is dedicated to making the site look "hip" or "flashy", without adding anything to (the understanding of) the actual content.

    And to link back to this thread's origin, personally I regard running JS that's included in random webpages as similarly stupid as opening random .DOC files (or other "text"-documents containing scripting).

    tl;dr: The "must have JS running" sites are often as moronic as the Flash-only sites of yesteryear

  15. I send .rtf or .txt ... apk by Anonymous Coward · · Score: 0

    I used to PREFER the former (see subject), but it too showed some vulnerabilities (better than OLE compound document .DOC word files though by far, via macros etc.).

    * IF only these headhunters realized holding down the SHIFT key stops macro action in MS Office apps... you know?

    (I tell them in response emails that I am sending formats they CAN read in Word, or really, ANY word processor, when I send them my resume via attachments... most of them, thank goodness, understand this - however, does their 'automated systems' geared specifically to .DOC though I wonder? Some DO use those, for keyword searches on THEIR end when they go "cold calling" seeking candidates...)

    APK

    P.S.=> I don't really jobhunt anymore (retired pretty much as of 2009 & run my own business since 2008 here), but I send them .txt mostly IF I see a job that does interest me (not above working one that I find interesting even now though, but has to pay right too, of course) - @ least that format is still safe! apk