Criminals are using resumes to hide malicious payloads in a business climate that has seen hundreds of thousands of individuals searching for jobs. According to new research, the fake CVs disguise banking trojans and data stealers in macros within Microsoft Excel files. Researchers at Check Point Software say that a new campaign of Zloader malware has been part of an overall doubling of resume-based subterfuge in the last two months. A similar campaign involving the TrickBot loader hides within an attachment labelled as a family leave request within the parameters of the Family and Medical Leave Act.
Malware campaigns like this one are a constant reminder about the need to keep operating systems, software, and antivirus and anti-malware applications updated on a regular basis. It also points out the need for increased employee education about how to safely use email and how to avoid clicking links or opening attachments from unknown sources.
Macro attacks in Microsoft Office documents have been used by hackers for many years to distribute malware. More recent versions of Microsoft Office projects open documents with macros disabled and prompt users to turn them on. I suspect many recipients of these documents agree to allow macros without fully realising what macros are or what danger they present. If you don\’t need macros, don\’t turn them on. You can disable macros entirely by going to File > Options > Trust Center > Trust Center Settings > Macro Settings > Disable All Macros Without Notification. This will prevent the recipient from accidentally allowing macros to run.
Ideally, employers shouldn\’t open attachments or click on links in any unsolicited email, but when accepting resumes, that\’s not always a possibility. With that in mind, businesses might want to isolate the device used to receive resumes from the rest of the office network, use strong antivirus and spam filters, implement DMARC, and disable macros.
We\’re seeing criminals use more and more clever techniques to deliver malicious payloads through a variety of phishing attacks leveraging the COVID-19 pandemic. Using resumes or official requests for leave are particularly devious as HR receives many attachments on a daily basis. Security awareness and training can be extremely helpful in assisting staff in identifying where an attachment may be suspicious. Furthermore, technical controls should be put in place, such as isolating those email boxes which receive external resumes from sensitive HR systems so that if an attachment is opened, it doesn\’t impact the whole organisation.
These kinds of scams are getting increasingly sophisticated in the ways that they masquerade as legitimate sources. Cybercrime is often opportunistic. We\’ve seen criminals taking advantage of all kinds of changes in online behaviour since the start of COVID-19. While anti-phishing software can help stop many of them, others will always get through. The greatest defence when it comes to phishing threats is educating yourself and your employees on how to spot the signs of an attack. People should be on the lookout for spelling and grammatical errors, overpromising and eager messaging, pop-ups and urgent deadlines or calls to action. They should also look carefully at who the email is from. Phishing attempts often use the name of someone they know (a colleague or friend, for example) but with the wrong domain address.
One of the aspects of phishing that makes it so tricky to defend against is that attackers are constantly adapting the tactics they are using to lure people in. Taking time to educate yourself and others on a regular basis on current phishing threats, is an important part of avoiding these attacks.