
New phishing campaign disguises malware as CV attachments

04 Jun 2020

Organisations are being warned about bogus CVs being sent to workplace emails, containing malicious files attached in Microsoft Excel format.

Researchers at Check Point have blown the whistle on the phishing campaign, which begins with the subject line ‘applying for a job’ or ‘regarding job’ and features an attached file which, if opened, launches the ZLoader malware.

This malware then attempts to steal private information, credentials belonging to users of targeted financial institutions, and passwords and cookies stored in web browsers. Attackers can then use this stolen data to make financial transactions.

It comes as resume or CV-themed scams have doubled in the past two months, with one out of every 450 malicious files reported involving CVs. It’s part of a wider campaign by cyber attackers across the world to exploit the worldwide crisis by any means necessary.

“As unemployment rises, cyber criminals are hard at work,” says Check Point manager of data intelligence Omer Dembinsky.

“They are using CVs to gain precious information, especially as it relates to money and banking. I strongly urge anyone opening an email with a CV attached to think twice. It very well could be something you regret.”

As jobs are lost across the world as a direct result of the COVID-19 pandemic, threat actors have seized on the opportunity, with Check Point reporting the registration of 250 new domains containing the word ‘employment’ in May alone.

Researchers found that 7% of these domains were malicious and another 9% suspicious. 

In the same month, Check Point witnessed an average of more than 158,000 COVID-19-related attacks each week. When compared to April, this is a 7% decrease. 

Domain names referencing ‘coronavirus’ or ‘COVID-19’ continue their status as hot property, with the registration of 10,704 domains of this nature in the past four weeks; 2.5% of them (256) were malicious and another 16% (1,744) suspicious, according to Check Point.

Researchers have also discovered a trend in malicious medical leave forms. 

Leading with the subject line ‘The following is a new Employee Request Form for leave within the Family and Medical Leave Act (FMLA)’, and coming from seemingly credible domains like ‘medical-center.space’, victims were lured into opening malicious attachments.

Once the attachments were opened, victims were infected with what researchers call IcedID, a banking malware that targets banks, payment card providers and mobile services providers, as well as e-commerce sites.

The malware’s aim is to trick users into submitting their credentials on a fake page, from which they are sent to an attacker’s server.