3 resumes you don’t want to open


If you're in any kind of business there's a good chance you have to deal with resumes on a daily basis, especially if you're a manager or Human Resources professional.  While you probably delete that Viagra ad and ignore the promise of Nigerian riches, when a resume hits your inbox, you read it.

Spammers know this and have been increasingly presenting malware as if it were a resume, hoping that the recipient will be so curious about a potential applicant that they open or run something that they shouldn't.

The Barracuda Labs spam monitoring center has detected a recent increase in the amount of this fake resume spam from multiple sources.  While the messages are similar, the threats they carry are all different.  Here are three cautionary examples…

HTML attachment

One common feature of these fake resumes is that the spammer keeps the message short and sweet, hoping you'll open the attachment to see if this is that one resume you've been waiting for.

Of course, in this case better grammar would help make the sale. This particular message contains an HTML attachment, something our honeypots have seen a great deal of in the past week. HTML attachments are less likely to be filtered by email scanning software that might otherwise reject binary attachments by default, and even end users who are conditioned not to open and run programs might look at an HTML file and think that it is harmless.

Except that this HTML is anything but harmless.

The attachment is 100% obfuscated malicious JavaScript. Opening it in a browser (which is the default action when clicked) raises an alert and sends you off to a bogus antivirus site.

Don't open suspicious HTML attachments.   Email the sender and ask for the information in a different format, such as a Word document or text file.

RTF attachment

Since the Rich Text Format (RTF) is handled by Windows Wordpad and Microsoft Word, you wouldn't necessarily be surprised to get an email with a resume in that format.

However, it is possible to completely embed an executable program within an RTF document, and that's what we have here.

When first opened, the filename of this embedded object only partly displays. Still, clicking on it does display a security warning that should make you think twice. After all, a resume doesn't normally need to be “Run”.

If you do click run, nothing seems to happen.   However, if you're watching your internet traffic you'll see the telltale signs of a Zeus Trojan infection.

A Zeus trojan will quietly examine your internet traffic looking for usernames and passwords, and then send them back to criminals who use them to take over online accounts.  Many cases of online banking fraud involve passwords stolen by this malware family.

ZIP attachment

The last example has the most convincing message text, and the file name of the attachment includes a person's name, making it look less threatening.

But once you've opened the .zip attachment the alarm bells should be ringing.

A careful check of the properties of the file inside shows it is an executable, and clicking on it would run it. As we said above, resumes do not normally need to be “Run”. Doing so just installs a fake antimalware program named SecurityTool onto your computer.

If you or your colleagues handle resumes, be careful of unsolicited or unanticipated resume emails. Examine any resume attachments carefully before opening them and, as we repeatedly stress, never press the “Run” button unless you are certain that is appropriate – it rarely is.
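As an added example (not Barracuda's code and not part of the original post), here is a minimal Python triage for the three attachment types described above: HTML carrying script, RTF carrying an embedded object, and a ZIP holding an executable. The function names, the extension list and the sample inputs are constructed for illustration.

```python
import io
import re
import zipfile

EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")  # assumed, not exhaustive
JS_OBFUSCATION = re.compile(rb"eval\s*\(|unescape\s*\(|fromCharCode|document\.write", re.I)

def triage(name, data):
    """Return the reasons a 'resume' attachment should not be opened as-is."""
    reasons = []
    if data[:2] == b"MZ" or name.lower().endswith(EXEC_EXTS):
        reasons.append("executable, not a document")
    elif data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # encrypted member: contents are hidden from us
                    reasons.append(f"{info.filename}: encrypted, cannot inspect")
                    continue
                with zf.open(info) as member:
                    magic = member.read(2)  # read the header only, never the whole member
                if magic == b"MZ" or info.filename.lower().endswith(EXEC_EXTS):
                    reasons.append(f"{info.filename}: executable inside archive")
    elif data.lstrip()[:5].lower() == b"{\\rtf":
        # \object, \objemb and \objdata are RTF control words for an embedded OLE object
        if re.search(rb"\\obj(?:ect|emb|data)(?![a-z])", data):
            reasons.append("RTF carries an embedded object")
    elif re.search(rb"<script\b", data, re.I):
        reasons.append("HTML contains script")
        if JS_OBFUSCATION.search(data):
            reasons.append("script uses decoding/eval primitives typical of obfuscation")
    return reasons

def constructed_samples():
    """Harmless inputs built for this example; none is a sample from the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Jane_Doe_resume.doc", b"MZ" + b"\x00" * 62)  # MZ header behind a document name
    return {
        "resume.html": b"<html><script>eval(unescape('%31'))</script></html>",
        "resume.rtf": b"{\\rtf1 Resume {\\object\\objemb{\\*\\objdata 0105}}}",
        "resume.zip": buf.getvalue(),
        "plain.rtf": b"{\\rtf1\\ansi Jane Doe, ten years of experience}",
    }

if __name__ == "__main__":
    for fname, blob in constructed_samples().items():
        print(fname, "->", triage(fname, blob) or "no structural red flags")
```

An empty result only means none of these structural markers were found; it does not mean the file is safe to open.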

Barracuda Spam & Virus Firewall customers are protected from these attacks.

Dave Michmerhuizen – Barracuda Labs
