Freelance workers targeted in new malware campaign

Updated: Malicious macros are being spread in a campaign targeting job seekers on freelance and casual work platforms.

Cyberattackers have turned their attention towards freelance workers in a new campaign which is spreading malware via malicious documents masquerading as job briefs and offers.

According to MalwareHunterTeam, the scheme has been discovered on both Fiverr, a freelance services marketplace, and Freelancer.com, a platform which offers the services of freelance workers to millions of businesses.

Freelancers, casual workers, and international contractors often rely on emails and communication over the Internet not only to retain relationships with employers but also to find and secure new opportunities.

As a result, emailed communication and document attachments are commonplace. Unfortunately, it is this standard practice that cybercriminals are now targeting.

MalwareHunterTeam's campaign email examples do not appear suspicious. They ask the intended victim to check an attached document and then get back to the attacker with a "cost and time frame."

However, a keen job hunter in one case on Fiverr opened the document and discovered that the file was malicious. In another example on Freelancer, the cybercriminal sent over "My details.doc," which also contained malware.

In the latter example, the intended victim had an antivirus solution installed and so the infection was detected.

The security researcher says "dozens of people" have been contacted this way on the platforms.

"And he actually spend[s] [the] time to reply to everyone who told him something wrong / not opens / etc, asking what is wrong, explain what to do (or in other words, how to get infected...)," MalwareHunterTeam added.

It appears that the documents contain macros which can then be used to download malware payloads. This is a common technique threat groups utilize in attempts to infiltrate PCs.

Chinese-speaking LuckyMouse, for example, has been connected to campaigns that use malicious documents embedded with macros which exploit a known Microsoft Word vulnerability in order to hijack systems.

If you have unpatched systems, your operating system is not up-to-date, and macros are enabled, you may be at high risk of such attack vectors -- especially if you are opening documents sent by unknown individuals.

However, disabling macros and installing some kind of real-time threat monitoring and antivirus solution will help mitigate the threat of exploitation, especially when your business requires you to contact individuals you do not know.
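For readers who want to check an unsolicited "job brief" before opening it, the sketch below is an added example, not code from MalwareHunterTeam or either platform. It is a heuristic triage that flags Office attachments carrying a VBA project; the function names and all sample bytes are constructed for illustration, and a dedicated parser such as olevba does a fuller job.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                      # OOXML (.docx/.docm) container
# OLE directory entries store stream names as UTF-16LE; Office keeps
# VBA code in a storage that contains a "_VBA_PROJECT" stream.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")   # formats that may not carry VBA


def macro_indicators(filename: str, data: bytes) -> list[str]:
    """Heuristic triage: reasons to treat an attachment as macro-bearing."""
    reasons = []
    if data.startswith(OLE_MAGIC):
        if OLE_VBA_MARKER in data:
            reasons.append("OLE file contains a _VBA_PROJECT stream")
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                parts = zf.namelist()
        except zipfile.BadZipFile:
            return ["ZIP container is malformed"]
        vba = [p for p in parts if p.lower().endswith("vbaproject.bin")]
        reasons += [f"OOXML part {p} holds a VBA project" for p in vba]
        # A .docx cannot legitimately hold macros, so this is a disguise.
        if vba and filename.lower().endswith(MACRO_FREE_EXT):
            reasons.append("macro-free extension hides a VBA project")
    return reasons


def constructed_samples() -> dict[str, bytes]:
    """Constructed byte strings for the demo; not real documents."""
    def ooxml(parts):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for p in parts:
                zf.writestr(p, b"placeholder")
        return buf.getvalue()
    return {
        "My details.doc": OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER,
        "brief.docx": ooxml(["word/document.xml", "word/vbaProject.bin"]),
        "clean.docx": ooxml(["word/document.xml"]),
    }


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, "->", macro_indicators(name, blob) or "no macro indicators")
```

An empty result only means no VBA project was found; it says nothing about documents that exploit a Word vulnerability without macros.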

Fiverr told ZDNet:

"Operating across 190 countries and with millions of community members, Fiverr uses the latest anti-fraud and data security measures to protect everyone who relies on our platform against malware and other attacks.

Any attempts to publish or send malicious content with the intent to compromise another member's account or computer environment is strictly prohibited on Fiverr, and we act aggressively against it."

Freelancer.com said in a statement:

"Freelancer.com has over 30 million users in more than 247 countries, regions, and territories around the world, all of whom are protected by a range of the most up to date and sophisticated security and quality assurance measures available.

Any activity that breaches the Freelancer.com terms and conditions, including inappropriate or fraudulent activity on the marketplace, will not be tolerated in any form, and immediate action will be taken against people found to be engaging in such activity."