Not all email-based attacks appear to come from families of deposed despots, sellers touting miracle drugs, or shipping companies reminding you of a delivery. Some look like hapless individuals looking for a job. And in this economy, we all know at least one person who sends resumes to everyone they know in hopes of landing an interview.

But as Cloudmark said in its latest Tasty Spam submission, "Don't be tempted by unexpected resumes." They can bite you, hard.

Cloudmark recently saw a ransomware campaign delivered in the form of a fake resume, researcher Andrew Conway said. The attack itself is not straightforward, since the recipient has to open the malicious file several times, but it's still effective enough that many victims have been impacted.

Conway described the campaign's various steps:

The attack email comes from a Yahoo! Mail account and has a file purporting to be a resume attached. Conway pointed out the four warning signs in the message: it was an unsolicited message; the sender didn't provide a last name; the resume was sent as a .zip file; and there are errors in grammar, punctuation, or spelling.

"Someone genuinely submitting a resume would proofread their work," Conway said.

When the recipient opens the .zip file, he or she will find an html file with a name like resume7360.html. The fact that the resume is in .html format is another red flag, considering most resumes are sent as text, PDF, or Word documents. "Of course, it's a bad idea to open unsolicited PDF and Word files as well," Conway said.

A sample of the attack HTML file looks like this:

When the recipient tries to open the file, the browser would try to load the URL in the IFRAME tag. "It's the same as forcing the user to click on a link," Conway said, noting that in this case, the link points to a compromised web server. The URL loads yet another HTML file, which has a redirect link pointing to a Google Docs link.

The redirect uses a meta refresh tag, which is typically used to update the content of a Web page in real time. A meta refresh to a Web page on a different domain is usually malicious. Most people would use HTTP redirect or JavaScript to accomplish this, not a meta refresh. Just for your information, the HTML from the compromised landing page looks like this:

The Google Docs link downloads another zip file called my_resume.zip, and it contains a file with a name like my_resume_pdf_id_8412-7311.scr. "A file randomly downloaded off the Internet. Danger, Will Robinson!" said Conway.

The .scr suffix is for Windows screen savers, but they are essentially specially formatted executable files for Windows. The .scr extension is frequently used to deliver malware to unsuspecting users. When the victim opens the .scr file, that triggers the ransomware. All their files are encrypted and they are presented with a bill of hundreds of dollars to get them back again.
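Taken together, the steps above (a .zip attachment holding an HTML file, a hidden IFRAME pulling a page from another host, a meta refresh to a different domain, and an .scr executable with "pdf" in its name) are exactly the things a mail gateway or triage script can look for. The following is an added example written for this article, not Cloudmark's code or anything from the campaign; the hostnames and the `/placeholder` paths are constructed, and only the file names are taken from the article.

```python
import io
import os
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows will run directly; .scr is the one this campaign used.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Words that make an executable look like a document ("my_resume_pdf_...scr").
DOCUMENT_WORDS = ("pdf", "doc", "txt", "rtf")


class RedirectFinder(HTMLParser):
    """Collect IFRAME src attributes and meta refresh targets from an HTML page."""

    def __init__(self):
        super().__init__()
        self.iframe_srcs = []
        self.meta_refresh_targets = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and attrs.get("src"):
            self.iframe_srcs.append(attrs["src"].strip())
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=http://host/page" (case and spacing vary)
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", attrs.get("content", ""), re.I)
            if m:
                self.meta_refresh_targets.append(m.group(1))


def extract_redirects(html):
    """Return (iframe sources, meta refresh targets) found in the HTML."""
    p = RedirectFinder()
    p.feed(html)
    return p.iframe_srcs, p.meta_refresh_targets


def is_cross_domain(page_url, target_url):
    """True when the target points at a different host than the page it sits in.
    A meta refresh or IFRAME to another domain is the red flag the article describes."""
    src = urlparse(page_url).hostname or ""
    dst = urlparse(target_url).hostname or ""
    return bool(dst) and dst.lower() != src.lower()


def attachment_name_reasons(name):
    """List why a file name inside an attachment deserves suspicion (empty if none)."""
    reasons = []
    stem, ext = os.path.splitext(name.lower())
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if any(word in stem for word in DOCUMENT_WORDS):
            reasons.append("document word in the name of an executable")
    if ext in (".html", ".htm"):
        reasons.append("HTML file where a document is expected")
    return reasons


def triage_zip(zip_bytes):
    """Triage a .zip attachment: flag member names and, for HTML members, the
    remote content they would load when opened in a browser."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = attachment_name_reasons(info.filename)
            targets = []
            if info.filename.lower().endswith((".html", ".htm")):
                html = zf.read(info).decode("utf-8", errors="replace")
                iframes, refreshes = extract_redirects(html)
                targets = iframes + refreshes
                if targets:
                    reasons.append("loads remote content: " + ", ".join(targets))
            findings.append({"name": info.filename, "reasons": reasons, "targets": targets})
    return findings


# Constructed sample mirroring the chain in the article. The hosts are
# placeholders, not the campaign's real infrastructure.
STAGE1_HTML = ('<html><body><iframe src="http://compromised.example/land.html" '
               'width="1" height="1"></iframe></body></html>')
STAGE2_HTML = ('<html><head><meta http-equiv="refresh" '
               'content="0; url=https://docs.google.com/placeholder"></head></html>')


def build_sample_zip():
    """Build an in-memory zip holding the stage-1 HTML file, as the email attachment did."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume7360.html", STAGE1_HTML)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["name"], "->", "; ".join(f["reasons"]) or "nothing flagged")
    _, refresh = extract_redirects(STAGE2_HTML)
    print("landing page refresh is cross-domain:",
          is_cross_domain("http://compromised.example/land.html", refresh[0]))
    print(attachment_name_reasons("my_resume_pdf_id_8412-7311.scr"))
```

Run on the stage-1 archive it flags the HTML member and the external IFRAME source; fed the landing page it reports the cross-domain meta refresh; and the final .scr name trips both the executable-extension and the disguised-document checks. None of this replaces antivirus, but it catches the shape of the chain rather than any one payload.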

Conway raised an interesting point about this ransomware campaign. The attacker had to take so many convoluted steps because modern antivirus and spam filtering tools are effective enough that the only way to succeed is to chain together multiple steps to bypass the defenses. If you feel like you have to jump through multiple hoops just to view a resume, that should be a warning that something is amiss. Maybe the person behind the email isn't really interested in a job.
