Recruiters auto-forward trojan-infected resumes

Customers of an Australian recruitment firm have been targeted with resumes that are booby-trapped with a backdoor trojan.

Customers of an Australian recruitment firm have been targeted with resumes booby-trapped with a backdoor trojan.

Hackers are exploiting an email-forwarding feature offered by many recruitment firms, which automatically sends relevant resumes to customers when a new applicant uploads their CV to the recruitment firm's website.

Security firm MessageLabs first detected the scam after blocking an outbound Word (RTF) document from the recruitment company, a customer of MessageLabs. The Word document included an embedded PDF file, containing details about a candidate claiming to apply for an accounts officer position — but it also contained an executable file which installs a backdoor trojan on recipients' PCs.

The recruitment company was blocked by MessageLabs from auto-forwarding the email, which would have reached every single customer seeking similar candidates and appeared to originate from a trusted source.

Hackers are attempting to take advantage of the trust between the recruiter and the business, according to MessageLabs.

"There's a potential threat for anyone who has that feature set up because there's an expectation that when you sign up to the service that you won't receive threats and an expectation that you will receive clean email," a spokesperson told ZDNet.com.au.

The technique is a twist on older scams. In September last year, MessageLabs detected a spike in attacks targeting businesses by sending C-level employees emails claiming to offer recruitment services. The emails also contained RFT documents that were embedded with malicious screen saver files.

F-Secure senior security specialist Patrik Runald said recently that the perfect attack would be a zero-day attack using a rootkit-cloaked trojan sent to an HR manager who, due to company policy, would be compelled to open the document.

He told ZDNet.com.au: "These are scary cases because it's really hard to protect yourself against. We have to run Office and we have to allow Word, RTF, PowerPoint and Excel files through. It shows that signature based antivirus is not enough — you need more technology than that."