Security Windows IT

CareerBuilder Cyberattack Delivers Malware Straight To Employers

An anonymous reader writes: Security threat researchers Proofpoint have uncovered an email-based phishing attack which infected businesses with malware via the CareerBuilder online job search website. The attack involved the hacker browsing job adverts across the platform and uploading malicious files during the application process, titling the documents "resume.doc" and "cv.doc." Once the CV was submitted, an automatic email notification was sent to the business advertising the position, along with the uploaded document. In this case, Proofpoint found that as a business opens the automatic email from CareerBuilder to view the attached file, the document plays on a known Word vulnerability to sneak malicious code onto the victim's computer. According to the threat research group, the manual attack technique, although time-consuming, has a higher success rate than automated tools, as the email attachments are more likely to be opened by the receiver.
  • Serves them right! (Score:5, Interesting)

    by Grishnakh ( 216268 ) on Saturday May 02, 2015 @05:34PM (#49602571)

    That's what these morons get for demanding resumes in .DOC format instead of PDF. I don't need someone else editing my resume, especially an employer I'm submitting it to. So why do they want it in an editable format rather than a format which is specifically designed to be read-only and to appear exactly the same no matter what device you view or print it on?

    • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Saturday May 02, 2015 @05:37PM (#49602587) Homepage Journal

      That's what these morons get for demanding resumes in .DOC format instead of PDF.

      Ah yes, the ultra-secure PDF, which has never been a vector for malware.

      • by antdude ( 79039 )

        So, we go back to plain ASCII text format. Unless that has it too. :/

    • If you prefer to use PDFs for *security* reasons then you're an idiot. PDFs have been the attack vector for a crapload of malware.
      • If you don't understand the concept of software monoculture, then you're an idiot.

        Here's a clue, moron: Adobe Reader isn't the only way to view PDFs.

        • Adobe Reader can view PDFs instead of just freezing the computer solid and then crashing? Well, whodathunkit?
    • Hmmm, "exactly" the same? Well, if the person producing the PDF remembered to include the appropriate parts of the fonts. (I was trying to make head or tails of a PDF from a geology journal last night. All the diagrams completely labelled with uninformative square "don't have a glyph" glyphs.)
  • by Gravis Zero ( 934156 ) on Saturday May 02, 2015 @06:13PM (#49602849)

    it was a novel idea and i'm sure it solves some problems but having scripting in a document format simply has too high a price to pay. scripting does not belong in documents!

    • Re: (Score:1, Troll)

      it was a novel idea and i'm sure it solves some problems but having scripting in a document format simply has too high a price to pay. scripting does not belong in documents!

      I'll let all the guys doing web pages know. I guess we'll have to figure something else out.

      • by gstoddart ( 321705 ) on Saturday May 02, 2015 @07:26PM (#49603165) Homepage

        Honestly, though, giving web designers access to scripting on the client side has produced a LOT of shit code and security holes.

        So, if you're in the business of letting all the guys know, can you tell them to stop being so incompetent at security?

        Because the average web developer seems to be pretty stupid and useless when it comes to writing code which doesn't want to become a gaping security hole.

        kthanksby.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        I'll let all the guys doing web pages know. I guess we'll have to figure something else out.

        We wish you would. You've made the web nigh well unusable without noscript. I have to block javascript by default and just whitelist a few things to even tolerate the web a little bit.

        So yes, PLEASE, let them know. I'm tired of having to set up noscript for all my friends and then whitelist their banks and shit so that stuff still works.

        • by Anonymous Coward

          Javascript doesn't belong on the internet, neither does advertising or html5 or flash or any of that other fluff. The web should be only plain text and maybe a few images, I might even allow animated gifs. By the way, who's the asshat that put a pdf viewer in my web browser? Bunch of god damn fruit loops.

          • Then stick to Lynx, the rest of us will continue to enjoy our dynamic web pages where the whole page doesn't need to load just to see if you have a new email, or reply to a comment, or the sub total of your pizza based on how many toppings you added...
        • Really?

          There are sites that function without js in 2015?? Please, I do not use no script as it requires a crappy browser and UAC controls the hell out of me to allow. The ads are far less annoying.

          Seems adblockers are the more realistic option

          • There are sites that function without js in 2015??

            Yep. Like the one you were reading and posted your comment on. Like Google. Like most other websites.

            Only a few refuse* to work without JS. And for most of them you are the product, not the customer.

            *Yes, refuse. They certainly can work without it, but choose not to. And often most of their JS has got little to do with their site's content, and much to do with "content enhancing offers" (read: advertisement spam) and user-tracking (and other stuff th

    • by Tablizer ( 95088 )

      scripting does not belong in documents!

      Microsoft should invent Inactive-X

  • again, as I have said before, make sites fully liable for their content. Including ads. They can self host, or fuck off.
  • CB also appears to be very insecure spamming morons.

    Good Job, CareerBuilder. Do you ever wonder why I tell people to avoid you like the plague?

  • Is Dice vulnerable to this attack as well?

  • Microsoft fixed the underlying vulnerability over a year ago. Less than a month after it was first reported.

    Do people really run computers with security patches turned off?
    Computers connected to the internet?
    Computers which are primarily used to open files emailed by random strangers?

  • Erm (Score:4, Insightful)

    by cascadingstylesheet ( 140919 ) on Saturday May 02, 2015 @08:23PM (#49603355) Journal

    It's a Word doc. This has always been a "vulnerability". You are soliciting Word docs, for heaven's sake.

    "Please send me files, which like all files, might be infected" is not a "cyber-attack".

    • Le sigh. "Flamebait".

      My point is that you are soliciting files. "Send me files", you say.

      They just now figured out that files might be infected?

  • by Tablizer ( 95088 ) on Sunday May 03, 2015 @12:58AM (#49604195) Journal

    WANTED: Security expert to help patch the problems caused by our search for security experts.
