In the ever-evolving cybersecurity landscape, attackers are constantly refining their tactics to exploit new vulnerabilities. A recent report highlights a concerning trend: cybercriminals are now targeting recruiters with the More_Eggs backdoor, a sophisticated malware.
Cybercriminals have traditionally targeted job seekers, but the latest spear-phishing campaign marks a significant shift. By impersonating job applicants, adversaries aim to deceive recruiters into downloading malicious files.
The attack begins with a seemingly innocuous email from a fake job applicant. The email, crafted to gain the recruiter’s trust, initially contains no attachments or URLs. Once the recruiter engages, they receive a follow-up email that includes attachments in .lnk or .zip file format. When the attachment is opened and/or the ZIP file is unpacked, the recruiter is directed to a malicious website housing a resume. To make it more plausible and create a superficial sense of security, the site is protected by a CAPTCHA.
In the last five years, online resumes have gained traction. They are appealing for their simple editing, rich and flashy content, and portability. The candidate does not have to send any attachments and can just point the recruiter to the hosting website. Think of it as LinkedIn but for resume publishing. In this attack, the resume is posted on a site controlled by the attacker that serves the malware to any user who visits it.
Takeaways:
- Avoid visiting any websites for resume preview and insist on a hard copy of the resume to be sent in Adobe PDF format (preferred)
- A resume sent in any format other than MS Word or Adobe PDF should be a red flag
- Opening the attachment should not prompt any action. If you are asked to enable any functionality or security features in Word or PDF, run away
- MS Word resume sent with .docx or .docm should be a red flag
As cybercriminals continue to innovate, organizations and individuals must stay vigilant and adopt robust security measures. Recruiters, HR personnel, and hiring managers, in particular, should be aware of these new tactics and exercise caution when handling job applications.
#ALTACyber
------------------------------
Genady Vishnevetsky
Chief Info Security Officer
Stewart Title Guaranty Company
Houston TX
------------------------------
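
The attachment checks from the takeaways above, written as a mail-triage helper. This is an added example, not part of the original post: the function names, the size cap and the sample ZIP are constructed for illustration, and the policy sets simply mirror the post's list.

```python
import io
import os
import zipfile

# Windows shortcut header: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
WORD_PDF = {".pdf", ".doc", ".docx", ".docm"}
# The post's takeaways list these two Word extensions as red flags.
WORD_RED_FLAGS = {".docx", ".docm"}
MAX_MEMBER = 10_000_000  # assumed cap so a huge archive member is not unpacked


def triage_attachment(name, data, depth=0):
    """Return a list of findings for one attachment (empty list = none)."""
    findings = []
    ext = os.path.splitext(name.lower())[1]
    if ext == ".lnk" or data.startswith(LNK_MAGIC):
        # Caught by content as well, so a renamed shortcut is still flagged.
        findings.append(f"{name}: Windows shortcut (.lnk)")
    elif ext == ".zip" or (ext not in WORD_PDF
                           and zipfile.is_zipfile(io.BytesIO(data))):
        findings.append(f"{name}: archive instead of a document")
        if depth < 2:  # bounded recursion for nested archives
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        member = f"{name}!{info.filename}"
                        if info.is_dir():
                            continue
                        if info.file_size > MAX_MEMBER:
                            findings.append(f"{member}: too large to inspect")
                            continue
                        findings += triage_attachment(
                            member, zf.read(info), depth + 1)
            except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
                # RuntimeError covers password-protected members.
                findings.append(f"{name}: archive could not be inspected")
    elif ext not in WORD_PDF:
        findings.append(f"{name}: not a Word or PDF document")
    elif ext in WORD_RED_FLAGS:
        findings.append(f"{name}: Word extension flagged in the takeaways")
    return findings


def build_sample_zip():
    """Constructed sample: a ZIP holding a stub shortcut header only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Resume.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()
```

A non-empty result means the message should be held for review rather than opened on the recruiter's workstation.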