Slashdot Mirror


CareerBuilder Cyberattack Delivers Malware Straight To Employers

An anonymous reader writes: Security threat researchers Proofpoint have uncovered an email-based phishing attack which infected businesses with malware via the CareerBuilder online job search website. The attack involved the hacker browsing job adverts across the platform and uploading malicious files during the application process, titling the documents "resume.doc" and "cv.doc." Once the CV was submitted, an automatic email notification was sent to the business advertising the position, along with the uploaded document. In this case, Proofpoint found that as a business opens the automatic email from CareerBuilder to view the attached file, the document plays on a known Word vulnerability to sneak malicious code onto the victim's computer. According to the threat research group, the manual attack technique, although time-consuming, has a higher success rate than automated tools, as the email attachments are more likely to be opened by the receiver.

28 of 48 comments

  1. Serves them right! by Grishnakh · · Score: 5, Interesting

    That's what these morons get for demanding resumes in .DOC format instead of PDF. I don't need someone else editing my resume, especially an employer I'm submitting it to. So why do they want it in an editable format rather than a format which is specifically designed to be read-only and to appear exactly the same no matter what device you view or print it on?

    1. Re:Serves them right! by drinkypoo · · Score: 5, Insightful

      That's what these morons get for demanding resumes in .DOC format instead of PDF.

      Ah yes, the ultra-secure PDF, which has never been a vector for malware.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Serves them right! by drinkypoo · · Score: 2

      Both should be scanned by the job site. Neither is encrypted, and both are being re-served to clients, so a scan should have been done.

      If they were half as smart as they think they are, they'd demand plain text. It doesn't hide malware unless you save it to a file and double-click it. Who gives a shit about what font a resume is in? They can buy the layout.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
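The summary describes the delivery chain (an attacker uploads a .doc through the application form and the job site mails it straight on to the employer), and drinkypoo's reply above points out that the site should scan what it re-serves. The following is an added example, not code from Proofpoint, CareerBuilder or any commenter: a stdlib-only Python content gate for resume uploads, with a constructed policy and constructed sample documents. It is a pre-filter for an upload pipeline, not a substitute for an antivirus or sandbox scan.

```python
import io
import re
import zipfile

# Container signatures for the formats a resume upload form usually accepts.
MAGIC = {
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy .doc: OLE2 compound file
    "docx": b"PK\x03\x04",                       # OOXML .docx: zip archive
    "pdf": b"%PDF-",
}
# PDF name objects that introduce scripts or automatic actions.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|Launch|AA)\b")


def inspect_upload(filename: str, data: bytes) -> list:
    """Return findings for one upload; an empty list means nothing was flagged.
    Constructed policy: accepted extension only, extension must match the container
    signature, OOXML carries no VBA project, PDF has no active-content keys, and a
    legacy .doc is never auto-cleared."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "txt":  # plain text cannot hide a parser exploit, a renamed binary can
        return ["txt: contains NUL bytes, not plain text"] if b"\x00" in data else []
    if ext not in MAGIC:
        return [f"{ext or '(none)'}: extension not on the accepted list"]
    if not data.startswith(MAGIC[ext]):  # type confusion, e.g. a zip named resume.doc
        return [f"{ext}: declared extension does not match container signature"]
    if ext == "docx":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return ["docx: corrupt zip container"]
        return ["docx: contains a VBA macro project"] if any(
            n.endswith("vbaproject.bin") for n in names) else []
    if ext == "pdf":
        keys = sorted({m.group(1).decode() for m in PDF_ACTIVE.finditer(data)})
        return ["pdf: active-content keys " + ", ".join(keys)] if keys else []
    # A correct OLE2 signature says nothing about the streams inside; route the
    # file to a stream-level scanner instead of forwarding it to the employer.
    return ["doc: legacy OLE2 format, hold for stream-level scan before re-serving"]


def make_docx(entries: dict) -> bytes:
    """Build a minimal constructed .docx-style zip in memory to exercise the gate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Anything that returns a non-empty list should be quarantined rather than attached to the notification email; the legacy .doc branch is deliberately conservative because the signature check alone proves nothing about the file's contents.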
    3. Re:Serves them right! by __aaltlg1547 · · Score: 1

      I agree. But to be safe, demand plaintext unless you're looking for a photographer or a graphic designer.

    4. Re:Serves them right! by holostarr · · Score: 1

      Yeah, it's not like a malware writer couldn't come up with a specially crafted XML string which takes advantage of a vulnerability in the XML parser of whatever the most popular reader/writer may be. Face it, software will have bugs regardless of who writes it or whether it's open source or not.

    5. Re:Serves them right! by MichaelSmith · · Score: 1

      Well we're all fucked then.

    6. Re:Serves them right! by antdude · · Score: 1

      So, we go back to plain ASCII text format. Unless that has it too. :/

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    7. Re: Serves them right! by Billly+Gates · · Score: 1

      Son

      You don't actually think they read the resumes do you? That is waaay too much to ask HR. According to that slick salesman from Taleo HR is liberated and can focus on more important things like uh firing people and getting coffee.

      You see, you need the file in an ancient .doc format which will use an algorithm to check employment dates and delete. After that it looks for grammatical errors, which is flawed and will delete perfectly good candidates due to Taleo's own bugs! Last, use a score like Excite and Google use.

      The top 4 scores get interviews.

      If the software doesn't work then cry about raising H1B crises!!

      It must be that as Taleo is perfect I tell you?!

      Oh it won't with a txt file. The software without formatting will parse the wrong section.

      I rallied around many unemployed and refused to apply with anyone who uses Taleo. It is insulting to spend hours applying just so the software can reject me. A 15 minute process always gets stretched to over an hour. However, everyone uses it now, so my resume is SEO'd to get the highest score so I can get the job over more qualified applicants.

    8. Re:Serves them right! by Mr.+Freeman · · Score: 1

      If you prefer to use PDFs for *security* reasons then you're an idiot. PDFs have been the attack vector for a crapload of malware.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
    9. Re:Serves them right! by Grishnakh · · Score: 1

      If you don't understand the concept of software monoculture, then you're an idiot.

      Here's a clue, moron: Adobe Reader isn't the only way to view PDFs.

    10. Re:Serves them right! by RockDoctor · · Score: 1

      Hmmm, "exactly" the same? Well, if the person producing the PDF remembered to include the appropriate parts of the fonts. (I was trying to make heads or tails of a PDF from a geology journal last night. All the diagrams completely labelled with uninformative square "don't have a glyph" glyphs.)

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    11. Re:Serves them right! by RockDoctor · · Score: 1

      Adobe Reader can view PDFs instead of just freezing the computer solid and then crashing? Well, whodathunkit?

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  2. scripting in a document is bad by Gravis+Zero · · Score: 2

    it was a novel idea and i'm sure it solves some problems but having scripting in a document format simply has too high a price to pay. scripting does not belong in documents!

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:scripting in a document is bad by BradleyUffner · · Score: 1, Troll

      it was a novel idea and i'm sure it solves some problems but having scripting in a document format simply has too high a price to pay. scripting does not belong in documents!

      I'll let all the guys doing web pages know. I guess we'll have to figure something else out.

    2. Re:scripting in a document is bad by gstoddart · · Score: 4, Funny

      Honestly, though, giving web designers access to scripting on the client side has produced a LOT of shit code and security holes.

      So, if you're in the business of letting all the guys know, can you tell them to stop being so incompetent at security?

      Because the average web developer seems to be pretty stupid and useless when it comes to writing code which doesn't want to become a gaping security hole.

      kthanksby.

      --
      Lost at C:>. Found at C.
    3. Re:scripting in a document is bad by Anonymous Coward · · Score: 2, Informative

      I'll let all the guys doing web pages know. I guess we'll have to figure something else out.

      We wish you would. You've made the web nigh well unusable without NoScript. I have to block JavaScript by default and just whitelist a few things to even tolerate the web a little bit.

      So yes, PLEASE, let them know. I'm tired of having to set up NoScript for all my friends and then whitelist their banks and shit so that stuff still works.

    4. Re:scripting in a document is bad by Anonymous Coward · · Score: 1

      Javascript doesn't belong on the internet, neither does advertising or html5 or flash or any of that other fluff. The web should be only plain text and maybe a few images, I might even allow animated gifs. By the way, who's the asshat that put a pdf viewer in my web browser? Bunch of god damn fruit loops.

    5. Re: scripting in a document is bad by Billly+Gates · · Score: 1

      Really?

      There are sites that function without JS in 2015?? Please, I do not use NoScript as it requires a crappy browser and UAC controls the hell out of me to allow. The ads are far less annoying.

      Seems adblockers are the more realistic option.

    6. Re:scripting in a document is bad by Tablizer · · Score: 1

      scripting does not belong in documents!

      Microsoft should invent Inactive-X

    7. Re:scripting in a document is bad by holostarr · · Score: 1

      Then stick to Lynx, the rest of us will continue to enjoy our dynamic web pages where the whole page doesn't need to load just to see if you have a new email, or reply to a comment, or the sub total of your pizza based on how many toppings you added...

  3. Liability by Ryanrule · · Score: 1

    again, as I have said before, make sites fully liable for their content. Including ads. They can self host, or fuck off.

  4. So not only is CB Spamming Morons by Khyber · · Score: 1

    CB also appears to be very insecure spamming morons.

    Good Job, CareerBuilder. Do you ever wonder why I tell people to avoid you like the plague?

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  5. Obvious question--can we ask it? by Jiro · · Score: 1

    Is Dice vulnerable to this attack as well?

  6. Hard to sympathize by Ancil · · Score: 1

    Microsoft fixed the underlying vulnerability over a year ago, less than a month after it was first reported.

    Do people really run computers with security patches turned off?
    Computers connected to the internet?
    Computers which are primarily used to open files emailed by random strangers?

  7. Erm by cascadingstylesheet · · Score: 3, Insightful

    It's a Word doc. This has always been a "vulnerability". You are soliciting Word docs, for heaven's sake.

    "Please send me files, which like all files, might be infected" is not a "cyber-attack".

  8. Re:I love blowing my load inside of a vagina. by JustOK · · Score: 1

    white privilege

    --
    rewriting history since 2109
  9. Recursion Expert by Tablizer · · Score: 3, Funny

    WANTED: Security expert to help patch the problems caused by our search for security experts.

  10. Re: There are sites that function without js by Anonymous Coward · · Score: 1

    There are sites that function without js in 2015??

    Yep. Like the one you were reading and posted your comment on. Like Google. Like most other websites.

    Only a few refuse* to work without JS. And for most of them you are the product, not the customer.

    *Yes, refuse. They certainly can work without it, but choose not to. And often most of their JS has got little to do with their site's content, and much to do with "content enhancing offers" (read: advertisement spam) and user-tracking (and other stuff that's definitely not there to benefit you).

    Of the remaining JS the most is dedicated to making the site look "hip" or "flashy", without adding anything to (the understanding of) the actual content.

    And to link back to this thread's origin, personally I regard running JS that's included in random webpages as similarly stupid as opening random .DOC files (or other "text" documents containing scripting).

    tl;dr: The "must have JS running" sites are often as moronic as the Flash-only sites of yesteryear