The coronavirus crisis has provided fresh opportunity for online scammers to target newly unemployed and financially vulnerable workers, and now employers as well.
Expect to see a spike in hacking and fraud attempts, as the circumstances make for convenient Trojan horses in the shape of fake resumes for companies, fake job offers, fake unemployment sites, and fake mortgage offers for individuals.
Initial attacks targeted weak home internet security and capitalized on people’s fear of the novel coronavirus. The next wave of scams target Americans by going after their stimulus checks and unemployment benefits.
Just before the outbreak, cybersecurity firm Prevailion uncovered a scam in Germany. In the scam, a very sophisticated hacker organization sent malware in attachments to a company’s HR department designed to get past standard phishing-software.
Typically, companies are instructed not to open attachments coming from outside the organization, but the type of email created a unique problem: they were disguised as job applications.
“It’s one of those rare occasions where an criminal defense law firm in Dallas attachment begs to be clicked on, and the company has to,” Karim Hijazi, founder and CEO of Prevailion, told Yahoo Finance. “People don’t want to put their resumes in the text-based body of an email. It’s not common.”
HR departments routinely field virus-laden emails, according to Oren Falkowitz, CEO and co-founder of Area 1, a phishing-defense company. About one in every 100 emails that comes in has a phishing component.
“Primarily these phishing campaigns embed malware into Microsoft Word or Adobe PDF file formats,” said Falkowitz. “They can also include links to malicious websites.”
These are often untargeted attacks, but sometimes they’re from sophisticated players, like nation-states. Recently, Area 1 uncovered attempts by Iran to phish Saudi Aramco’s supply chain.
What Prevailion, which detects when an infiltration has been executed, has found is that the group that used the scam on the German HR department has managed to get into universities, hospitals, and companies.
This scam, which Prevallion attributes to a sophisticated group, is able to get past good phishing software because the malware is new — and expensive — and therefore isn’t yet on the virus lists that filters use. There’s also usually a significant delay from the moment of infiltration to the moments when a scam is revealed to the victim — if it ever is — making detection of an intruder difficult to ascertain.
So far, the group has only detected this specific resume scam in Germany — before the coronavirus crisis — but Hijazi thinks it’s likely more widespread, especially now.
“This campaign is not activity-specific to coronavirus, but this is likely to increase now,” said Hijazi. “Whereas individuals will be easy targets for job offer scams, companies will be easy targets for job inquiry scams. Quite frankly, the adversary seems to be adapting to the crisis du jour.”
A good lure
Success in hacking is all about having a good lure, Hijazi says. For something like a CV/resume email scam, it’s hard to defend if it gets past phishing software because it looks like a normal business communication.
It’s also about having a good fish, and this scam definitely has that. A human-resources department usually has broad access to the company’s inner workings, and hackers know that, making it an especially lucrative target.
Falkowitz said fake resumes can be especially effective because HR departments are used to receiving emails from people outside the company that they don’t independently know or can verify.
In a German resume, Prevailion found that baked into the file was malware that could execute remote file transfers, send credit card data and secure credentials, as well as capture the screen and even voice recordings. Another, in a Microsoft Inc file, contained a ransomware component.
“A lot of really universally powerful tools can be deployed this way,” said Hijazi.
While Prevalion’s honey pots have only caught emails meant for companies, Hijazi and other cybersecurity researchers like Larry Pargman of Binary Defense say that the labor market’s chaos could result in people opening fake job offer emails.
“It is reasonable to expect more and more fake job offers used for many types of scams, including lures to install malware,” Pargman said on Twitter.
Pargman was responding to another grift: scammers on a Polish website offering fake loans as well as fake job offers.
The full scope of all of this activity will take a long time to ascertain, however. “We’re probably not witnessing the effects,” said Hijazi. “We’re seeing the dormant infection stage. The more you hear about jobless claims the more this becomes more viable.”