We recently heard about a Trojan that uses job applications as a means for spreading malware. As our company is looking to hire more people in the coming months, our security team is worried we could be a target. Are the defenses against such targeted attacks roughly similar to those against other social engineering attacks (e.g., employee awareness), or are there other tactics we can also use?
The FBI issued a warning on Jan. 19, 2011, about attacks using the Bredolab Trojan to target businesses advertising job postings. Job search systems have been vehicles for malware and phishing before, as in the USAJOBS attack of 2009. The best defenses against attacks that spread the Bredolab Trojan are similar to those used against other social engineering attacks and malware.
One of the recommendations in the FBI warning is to check all email attachments for viruses before opening them. This is sound advice whenever you must open attachments from people you do not know, but, given the current state of antivirus software, you should scan with more than one antimalware product to reduce the chance that targeted malware goes undetected. Better still, have this check run automatically on the resume submission system, so that every resume is scanned before any user can open the file.
There are other tactics that can protect the system of the person who first receives resumes. One is to convert every file to a different format automatically, such as Word documents to PDF and PDFs to JPG images. Converting the document changes which program parses it: an exploit for a flaw in Word does not fire when the content is opened in a PDF reader, and an exploit for the PDF reader does not fire when the content is viewed as an image. Once the converted resume has been reviewed by a person, the original can be used with caution. Likewise, businesses that search resumes for keywords before review can run that first pass over the parsed or converted copy rather than the original. You can also open files on a terminal server or in a virtual machine to determine whether a particular file is malicious; if it is, the malware has no access to the reviewer's local system and, depending on how the machine is isolated, none to the network either.
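The following script sketches an automated intake step of the kind described above: it checks that a submitted file really is the type its extension claims, runs it through every configured scanning engine, fails closed on a detection or an engine error, renders clean files to images for the reviewer, and moves the original into quarantine. This is an added example and is not code from the original column or from the FBI guidance. The command lines for the scanners and converters are assumptions about tools installed on the intake host (clamscan from ClamAV, soffice from LibreOffice, pdftoppm from Poppler), and the scanner and command runner are injectable so the pipeline can be exercised with constructed sample files and no real tools present.

```python
"""Resume intake: verify the file type, scan with more than one engine,
render to images for the reviewer, and quarantine the original.

Added example. The scanner/converter command lines (clamscan, soffice,
pdftoppm) are assumptions about tools on the intake host."""
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# Accepted resume formats and their leading magic bytes (constructed table).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",        # OOXML is a ZIP container
    ".doc": b"\xd0\xcf\x11\xe0",   # legacy OLE2 compound document
}

# Engines to run. Each command is assumed to exit 0 when the file is clean and
# 1 when it is infected (clamscan's convention); any other code is an error.
SCANNERS = {
    "clamav": ["clamscan", "--no-summary", "--infected"],
    # "second-engine": ["vendor-cli", "--scan"],   # add an independent product here
}


def claimed_type_matches(name: str, head: bytes) -> bool:
    """True only if the extension is allowed and the magic bytes agree with it."""
    sig = MAGIC.get(Path(name).suffix.lower())
    return sig is not None and head.startswith(sig)


def run_scanner(engine: str, path: Path) -> str:
    """Run one engine and map its exit code to clean / infected / error."""
    proc = subprocess.run(SCANNERS[engine] + [str(path)], capture_output=True, text=True)
    return {0: "clean", 1: "infected"}.get(proc.returncode, "error")


def decide(verdicts: dict) -> str:
    """Fail closed: one detection quarantines, one engine failure holds for a human."""
    if "infected" in verdicts.values():
        return "quarantine"
    if "error" in verdicts.values() or not verdicts:
        return "hold"
    return "proceed"


def conversion_steps(src: Path, workdir: Path) -> list:
    """Commands that turn a Word file into PDF and then into PNG pages.
    The reviewer opens only the PNGs; the PDF is an intermediate."""
    steps = []
    pdf = src if src.suffix.lower() == ".pdf" else workdir / (src.stem + ".pdf")
    if src.suffix.lower() in (".doc", ".docx"):
        steps.append(["soffice", "--headless", "--convert-to", "pdf",
                      "--outdir", str(workdir), str(src)])
    steps.append(["pdftoppm", "-png", "-r", "110", str(pdf), str(workdir / "page")])
    return steps


def intake(src: Path, workdir: Path, quarantine: Path,
           scan=run_scanner, run=subprocess.run) -> dict:
    """Process one submission; `scan` and `run` are injectable for testing."""
    data = src.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    verdicts = {}
    if not claimed_type_matches(src.name, data[:8]):
        status = "rejected"            # e.g. an executable renamed to .pdf
    else:
        verdicts = {engine: scan(engine, src) for engine in SCANNERS}
        status = decide(verdicts)
    if status == "proceed":
        workdir.mkdir(parents=True, exist_ok=True)
        for cmd in conversion_steps(src, workdir):
            run(cmd, check=True)
    # The original never reaches a reviewer's mailbox; it waits in quarantine.
    quarantine.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(quarantine / (digest + src.suffix.lower())))
    return {"sha256": digest, "status": status, "verdicts": verdicts}


def demo() -> dict:
    """Constructed run: two sample files, a fake scanner that reports clean,
    and a runner that only records which tool would have been invoked."""
    root = Path(tempfile.mkdtemp())
    good = root / "cv.docx"
    good.write_bytes(b"PK\x03\x04" + b"\0" * 32)   # constructed OOXML-looking file
    bad = root / "cv.pdf"
    bad.write_bytes(b"MZ\x90\x00" + b"\0" * 32)    # constructed PE header renamed .pdf
    calls = []
    record = lambda cmd, **kw: calls.append(cmd[0])
    fake_scan = lambda engine, path: "clean"
    return {
        "good": intake(good, root / "work", root / "quarantine", scan=fake_scan, run=record),
        "bad": intake(bad, root / "work", root / "quarantine", scan=fake_scan, run=record),
        "tools_run": calls,
        "quarantined": sorted(p.name for p in (root / "quarantine").iterdir()),
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. A scanner error is treated as a hold rather than a pass, because an engine that crashed on a crafted file has told you something. And the original is moved to quarantine in every case, including the "proceed" case, so the reviewer sees only the rendered images until someone decides the source file is needed. Opening the rendered copy in a virtual machine or on a terminal server, as the column suggests, is a further layer that this script does not attempt.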
This was first published in August 2011