Throughout much of the world, finding a job has been a taxing ordeal over the last few years as the effects of the Great Recession have played themselves out in global economies. In addition to a huge supply of applicants chasing a relatively small number of positions, job seekers have also had to deal with the two-edged blade of the Internet. On the one hand, the Internet makes looking for specific openings a much easier process than it was when people had to comb through newspaper classifieds or check local bulletin boards. On the other, online postings can attract a deluge of submissions (all you need is an Internet connection, after all), making it hard to stand out even with a good résumé and cover letter.
To make things even more complicated, general career websites have become natural targets for cyber criminals because they receive so much traffic. For example, CareerBuilder.com is the 364th most popular website in the U.S. (in 1,408th place worldwide) according to Alexa stats as of May 22, 2015, and Monster.com is even higher at 255th (874th globally). Moreover, the sheer amount of correspondence that can come from these types of sites creates a natural opening for phishing campaigns, such as the one that recently involved CareerBuilder.
Why CareerBuilder.com was an ideal setting for a phishing campaign
Career sites will usually email members with information about their profiles and registration, as well as opportunities that may be relevant to any information they have entered into the system. All in all, this can add up to a fairly consistent stream of messages that may all seem routine and unremarkable. Such emails may also come with attachments (e.g., a Microsoft Word Document or a PDF).
All the ingredients are present for an effective phishing attempt:
- Messages of high importance/urgency, in this case about career prospects.
- A specific sender that the recipient is looking for (i.e., CareerBuilder) and that can be spoofed.
- Attachments that could be modified to carry malware that would steal sensitive information.
“[O]ne of the most common phishing lures is done via email,” explained a recent Trend Micro document. “It could take the form of anything that bears urgency or distress. Phishing emails appear to be from a legitimate sender. To make it appear so, cybercriminals use forged logos, signatures, and text and use deceptive subject lines. The messages are attractive and often come with a promise, a prize, or a reward, in exchange for a registration or a login of some sort that gets the user’s information or online credentials.”
This is almost exactly what happened in the CareerBuilder incident revealed in early May 2015. Each time a CareerBuilder.com user would apply to a job opening, the organization that originally posted the position would receive an immediate fake reply with an attached document that was laced with malware. The attack angle was effective in large part because companies were actively expecting to receive attachments such as résumés, cover letters and references from applicants.
Phishing remains a popular tactic because it sidesteps many traditional forms of security and goes directly after the end user. For example, many definition-based (signature-based) tools are not well suited to catching something like a malicious Word document that looks too innocuous to trip any pre-established definition. The first and only layer of defense becomes the recipient’s discretion in opening an email attachment or clicking a link.
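The CareerBuilder scenario above (a spoofed "reply" carrying an Office attachment) can still be triaged with simple header and attachment heuristics before a human opens the file. The following is an added example, not code from the article or from CareerBuilder: it parses a constructed sample message, flags a mismatch between the displayed From domain and the envelope Return-Path domain, and flags macro-enabled or executable attachment types. The sample message, its addresses and the extension list are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): a fake reply to a job posting that
# displays a careerbuilder.com sender while the bounce address points elsewhere,
# and carries a macro-enabled Word attachment.
SAMPLE_EML = """\
Return-Path: <bounce@mailer-example.invalid>
From: CareerBuilder <noreply@careerbuilder.com>
To: hiring@company.example
Subject: Application for your job posting
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please find my resume attached.
--BOUNDARY
Content-Type: application/octet-stream; name="resume.docm"
Content-Disposition: attachment; filename="resume.docm"
Content-Transfer-Encoding: base64

AAAA
--BOUNDARY--
"""

# Assumed list of attachment types that should never arrive unreviewed as a "resume".
RISKY_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".pptm", ".exe", ".js", ".scr"}


def sender_domain(header_value):
    """Extract the lowercase domain from an address header (empty if none)."""
    address = parseaddr(str(header_value or ""))[1]
    return address.rpartition("@")[2].lower()


def triage(raw_message):
    """Return the list of reasons an inbound application email deserves review."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    from_dom = sender_domain(msg["From"])
    return_path_dom = sender_domain(msg["Return-Path"])
    # A displayed sender that does not match the bounce address is a spoofing signal.
    if return_path_dom and from_dom != return_path_dom:
        reasons.append(f"From domain {from_dom} != Return-Path domain {return_path_dom}")
    # Check every attachment's file extension against the risky list.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"attachment {name} has risky type {ext}")
    return reasons
```

An empty list from `triage` means neither heuristic fired; it does not prove the message is safe, only that it lacks these two obvious signals.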
What happens when a phishing attack succeeds?
The high-profile incident with CareerBuilder is apparently already being addressed. Still, the success of the phishing tactic in this case is a good opportunity to think about what happens after someone falls for a compromised attachment or malicious link.
Back in 2012, Trend Micro estimated that spear-phishing was involved in more than 90 percent of advanced persistent threats. Along similar lines, the security researchers who uncovered what happened to CareerBuilder highlighted how the infection of a single machine by something like a malware-laced attachment could lead to broader surveillance of an enterprise’s network.
These types of APTs are low and slow and could go on for weeks, months or even years. They are beyond the reach of typical antivirus tools and may only be discoverable through network security tools that closely monitor traffic patterns. Basically, an organization has to know what constitutes “normal” before it can determine what is abnormal with regard to network activity.
Similarly, extensive training may be required to help everyone in the organization recognize unusual attributes of emails and documents. It’s important to remember that spear-phishing has become a leading concern for enterprises because, simply put, it works. Going after a specific target and taking as many measures as possible to play to their background, habits and sensibilities is much more effective than the types of massive spam campaigns that many individuals have learned to tune out.
Speaking at a conference at the University of Texas Center for Identity earlier this year, legendary fraudster turned cyber security expert Frank Abagnale pointed to the growing sophistication of phishing attacks. Whereas targets once dealt with implausible “Nigerian prince” scams built around dividing up millions of fictional dollars, now they are confronted with much more subtle and believable missives.
What to look out for if you think you are being phished
What happened with CareerBuilder is just one possible form this could take. There’s also the possibility of a message purporting to be from a government agency, saying that the recipient must reply immediately or face the prospect of a court hearing and/or jail time. Or, the phishing attempt could be disguised as an “account status” update from a major Web company like Facebook or Google, telling the recipient that they just need to confirm a specific detail about an account.
Fortunately, some of these messages, like a spate of ones claiming to be from PayPal, are caught by spam filters in services like Gmail. In other cases, like with what transpired with some businesses posting jobs to CareerBuilder.com, malicious correspondence is not automatically filtered and must be assessed by the actual recipient.
How can enterprise CIOs and their teams reduce the risk of a successful phishing campaign? A good starting point would be to review what types of information they make available online. The abundance of publicly accessible email addresses, logos, etc. provides would-be attackers with plenty of resources for imitating the look and feel of official messages, as well as for selecting vulnerable targets.
A 2012 Trend Micro white paper determined that half of the email addresses of spear-phishing recipients were findable via Google searches, and that many of the ones that weren’t could be figured out by combining some form of first and last name with the company’s domain. Keeping closer control over email address information may be effective for reducing exposure to phishing.
Network security tools should also be implemented alongside traditional measures like antivirus. Security teams need solutions that can evaluate patterns against baseline activity and catch APTs before they do significant harm to an organization by stealing large amounts of data. What happened to CareerBuilder should be a lesson in how phishing has become more creative, requiring smart policies and capable tools for defense.