Slashdot Mirror


CareerBuilder Cyberattack Delivers Malware Straight To Employers

An anonymous reader writes: Security threat researchers Proofpoint have uncovered an email-based phishing attack which infected businesses with malware via the CareerBuilder online job search website. The attack involved the hacker browsing job adverts across the platform and uploading malicious files during the application process, titling the documents "resume.doc" and "cv.doc." Once the CV was submitted, an automatic email notification was sent to the business advertising the position, along with the uploaded document. In this case, Proofpoint found that as a business opens the automatic email from CareerBuilder to view the attached file, the document plays on a known Word vulnerability to sneak malicious code onto the victim's computer. According to the threat research group, the manual attack technique, although time-consuming, has a higher success rate than automated tools, as the email attachments are more likely to be opened by the receiver.
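Added example, not from the story or from Proofpoint's write-up: a Python triage gate a job board could run on an uploaded resume before auto-forwarding it to the employer, so that a file whose extension lies about its container, or a Word document carrying macros or embedded objects, is quarantined instead of mailed on. The function names, the indicator list and the constructed sample files are assumptions for illustration; the stream-name scan is a cheap heuristic, not a substitute for a real scanner.

```python
# Added example (not the job board's or Proofpoint's code): triage an uploaded
# "resume" before it is auto-forwarded. Sniffs the real container type from
# magic bytes and flags macro / embedded-object indicators as a heuristic.
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.doc)
SNIFF = [(OLE_MAGIC, "ole"), (b"PK\x03\x04", "zip"), (b"%PDF-", "pdf"),
         (b"{\\rtf", "rtf")]
# Storage names Word 97-2003 uses for VBA macros and embedded OLE objects;
# they appear UTF-16LE-encoded in the OLE directory, so a raw substring scan
# is a cheap (assumed, heuristic) indicator that merits quarantine.
OLE_INDICATORS = {"vba": "Macros".encode("utf-16-le"),
                  "ole_object": "ObjectPool".encode("utf-16-le")}
EXPECTED = {"doc": {"ole", "rtf"}, "docx": {"zip"}, "pdf": {"pdf"}, "txt": {"text"}}

def sniff_type(data: bytes) -> str:
    """Classify by magic bytes; 'text' only if no control chars below TAB."""
    for magic, kind in SNIFF:
        if data.startswith(magic):
            return kind
    return "text" if data and not any(b < 9 for b in data[:512]) else "unknown"

def triage_upload(filename: str, data: bytes) -> dict:
    """Return detected type, risk indicators and a forward/quarantine verdict."""
    kind = sniff_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    indicators = []
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        indicators.append(f"extension .{ext} does not match content ({kind})")
    if kind == "ole":
        indicators += [n for n, needle in OLE_INDICATORS.items() if needle in data]
    elif kind == "zip":  # OOXML: macros live in vbaProject.bin whatever the extension
        try:
            names = [n.lower() for n in zipfile.ZipFile(io.BytesIO(data)).namelist()]
        except zipfile.BadZipFile:
            names, indicators = [], indicators + ["corrupt zip container"]
        if any(n.endswith("vbaproject.bin") for n in names):
            indicators.append("vba")
        if any("/embeddings/" in n for n in names):
            indicators.append("ole_object")
    return {"type": kind, "indicators": indicators,
            "verdict": "quarantine" if indicators else "forward"}

def make_docx(with_macros: bool) -> bytes:
    """Constructed sample OOXML container for demonstration (not a real resume)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

# Constructed samples: a legacy .doc with a Macros storage, and a mislabelled PDF.
SAMPLE_MACRO_DOC = OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le")
SAMPLE_FAKE_DOC = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
```

Running `triage_upload("resume.doc", SAMPLE_MACRO_DOC)` yields a quarantine verdict with the `vba` indicator, while a plain `.txt` resume is forwarded.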

8 of 48 comments

  1. Serves them right! by Grishnakh · Score: 5, Interesting

    That's what these morons get for demanding resumes in .DOC format instead of PDF. I don't need someone else editing my resume, especially an employer I'm submitting it to. So why do they want it in an editable format rather than a format which is specifically designed to be read-only and to appear exactly the same no matter what device you view or print it on?

    1. Re:Serves them right! by drinkypoo · Score: 5, Insightful

      That's what these morons get for demanding resumes in .DOC format instead of PDF.

      Ah yes, the ultra-secure PDF, which has never been a vector for malware.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Serves them right! by drinkypoo · Score: 2

      Both should be scanned by the job site. Neither is encrypted, and both are being re-served to clients, so a scan should have been done.

      If they were half as smart as they think they are, they'd demand plain text. It doesn't hide malware unless you save it to a file and double-click it. Who gives a shit about what font a resume is in? They can buy the layout.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. scripting in a document is bad by Gravis+Zero · Score: 2

    It was a novel idea and I'm sure it solves some problems, but having scripting in a document format simply has too high a price to pay. Scripting does not belong in documents!

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:scripting in a document is bad by gstoddart · Score: 4, Funny

      Honestly, though, giving web designers access to scripting on the client side has produced a LOT of shit code and security holes.

      So, if you're in the business of letting all the guys know, can you tell them to stop being so incompetent at security?

      Because the average web developer seems to be pretty stupid and useless when it comes to writing code which doesn't want to become a gaping security hole.

      kthanksby.

      --
      Lost at C:>. Found at C.
    2. Re:scripting in a document is bad by Anonymous Coward · Score: 2, Informative

      I'll let all the guys doing web pages know. I guess we'll have to figure something else out.

      We wish you would. You've made the web nigh well unusable without NoScript. I have to block JavaScript by default and just whitelist a few things to even tolerate the web a little bit.

      So yes, PLEASE, let them know. I'm tired of having to set up NoScript for all my friends and then whitelist their banks and shit so that stuff still works.

  3. Erm by cascadingstylesheet · Score: 3, Insightful

    It's a Word doc. This has always been a "vulnerability". You are soliciting Word docs, for heaven's sake.

    "Please send me files, which like all files, might be infected" is not a "cyber-attack".

  4. Recursion Expert by Tablizer · Score: 3, Funny

    WANTED: Security expert to help patch the problems caused by our search for security experts.