Are you Hiring? Resume Malware Trying to Get to You!

SCMagazine has the story “Hiring? New scam campaign means ‘resume’ downloads may contain malware”

“Requiring the victim to copy and paste the malicious domain name increases the likelihood the emails will make it past secure email gateways. Plus, with unassuming domain names like “wlynch[.]com” for a candidate named William Lynch and “annetterawlings[.]com” for a candidate named Annette Rawlings, the emails are less likely to raise alarm bells than those from free email providers like Gmail or Yahoo.”

What happens if one wants to look at these ‘resumes’? Even if they seem a bit shady?

Is it enough to have Proofpoint review the contents and deem it safe?

The threat actor even forces a CAPTCHA on the unsuspecting victim:

“Users who did not “pass” the checks would be sent to a page containing a plain text resume, while those who “passed” were directed to a page where they could download a ZIP file after completing a CAPTCHA prompt.

“CAPTCHAs are typically used by threat actors to ensure a real person is receiving the content and not automated threat detection like sandboxes,” Larson explained.

The downloaded ZIP file contains a LNK file disguised as the candidate’s resume that, when executed, kicks off installation of the more_eggs backdoor.”
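One way to look inside such a ZIP without opening or extracting anything, as an added example that is not from the SCMagazine article or any vendor tool: it lists the archive members and flags Windows shortcut (LNK) content by file header as well as by name. The function names, the extension set and the sample archive are assumptions constructed for this illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# MS-SHLLINK header: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# Extensions that run on double-click; this set is an assumption for the example.
RISKY_EXT = {".lnk", ".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd"}


def inspect_zip(data: bytes) -> list:
    """Flag suspicious members, reading only header bytes and extracting nothing."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            ext = suffixes[-1] if suffixes else ""
            reasons = []
            if info.flag_bits & 0x1:
                reasons.append("encrypted member")  # content cannot be checked here
            else:
                with zf.open(info) as fh:
                    if fh.read(len(LNK_MAGIC)) == LNK_MAGIC:
                        reasons.append("shell-link header")
            if ext in RISKY_EXT:
                reasons.append("risky extension " + ext)
                # Explorer hides ".lnk", so "x.pdf.lnk" is displayed as "x.pdf".
                if len(suffixes) >= 2:
                    reasons.append("double extension")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample: benign text, a header-only LNK stub, and the same stub renamed."""
    stub = LNK_MAGIC + b"\x00" * 56  # 76-byte header, no link target
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cover_letter.txt", "Constructed sample text.")
        zf.writestr("Candidate_Resume.pdf.lnk", stub)
        zf.writestr("Candidate_Resume.pdf", stub)
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample()):
        print(f["name"], "->", ", ".join(f["reasons"]))
```

The header check catches a shortcut even when it has been renamed to look like a PDF, which a name-only filter would miss.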


Having many layers of defense makes it difficult for an attacker to get through, but not impossible, as you can see. My book, “Too Late You’re Hacked”, discusses layers of defense.


And the Guidebook:

Checking where a link goes before clicking on it is a good way to prevent phishing attacks. Also, do not copy and paste from an email until you have verified it. Learning how to verify an email is a good idea.