Malware-laced CVs Steal Banking Credentials from User’s PCs
June 2020 by Check Point
Researchers at Check Point have spotted malicious files masquerading as CVs. The files, attached in Microsoft Excel format, were sent via email with subject lines such as “applying for a job” or “regarding job”. When victims opened the attached files, they were asked to “enable content”. Once macros were enabled, victims were infected with the infamous ZLoader malware, a banking trojan designed to steal credentials and other private information from users of targeted financial institutions.
The malware can also steal passwords and cookies stored in victims’ web browsers. With the stolen information in hand, the malware allows threat actors to connect to the victim’s system and make illicit financial transactions from the banking user’s legitimate device.
Overall, Check Point researchers have seen an increase in CV-themed scams in the United States. In the past two months, the number of malicious files in CV form doubled, so that 1 out of every 450 malicious files identified is now related to a CV file, exploiting the Covid-19 layoffs and remuneration schemes.
Malicious medical leave forms
In addition, Check Point researchers spotted malicious medical leave forms. The documents, using names such as “COVID -19 FLMA CENTER.doc”, infected victims with what researchers call IcedID malware, a banking malware that targets banks, payment card providers, mobile service providers, as well as e-commerce sites. The malware aims to trick users into submitting their credentials on a fake page, which are sent to an attacker’s server, in addition to authorization details that can be used to compromise user accounts. The documents were sent via email with subject lines such as “The following is a new Employee Request Form for leave within the Family and Medical Leave Act (FMLA)”. The emails were sent from different sender domains like “medical-center.space”, in order to lure victims into opening the malicious attachments.
Omer Dembinsky, Manager of Data Intelligence at Check Point said: “As unemployment rises, cyber criminals are hard at work. They are using CVs to gain precious information, especially as it relates to money and banking. I strongly urge anyone opening an email with a CV attached to think twice. It very well could be something you regret.”
Coronavirus-related cyber-attack statistics
• In May 2020, 250 new domains containing the word “employment” were registered. 7% of these domains were malicious and another 9% suspicious.
• 1 out of every 450 malicious files identified is a CV scam, which is double the amount of CV scams seen in the past two months.
• 16% increase in malware attacks when compared to the period between March and April, when coronavirus was at its peak.
• In May 2020, Check Point witnessed an average of more than 158,000 coronavirus-related attacks each week. When compared to April, this is a 7% decrease.
• In the past 4 weeks, 10,704 new coronavirus-related domains were registered. 2.5% of them were malicious (256) and another 16% (1,744) suspicious.
How to Stay Protected
To stay safe, remember these golden rules:
1. Beware of lookalike domains. Watch for spelling errors in emails or websites, and unfamiliar email senders.
2. Beware of unknown senders. Be cautious with files received via email from unknown senders, especially if they prompt for a certain action you would not usually do.
3. Use authentic sources. Ensure you are ordering goods from an authentic source. One way to do this is NOT to click on promotional links in emails, and instead, Google your desired retailer and click the link from the Google results page.
4. Beware of “special” offers. “An exclusive cure for coronavirus for $150” is usually not a reliable or trustworthy purchase opportunity. At this point in time there is no cure for the coronavirus and even if there were, it definitely would not be offered to you via an email.
5. Don’t use the same password. Make sure you do not reuse passwords between different applications and accounts.
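The lure mechanics described in this article (a job- or leave-themed subject line, a sender domain that imitates a legitimate one, and an Office attachment that asks the recipient to “enable content”) map directly onto rules 1 and 2 above and can be turned into a mail-gateway triage check. The following Python is an added example, not Check Point’s code: the trusted-domain list, the subject keywords and the in-memory sample attachments are constructed for illustration, and a macro is detected only by the presence of a vbaProject.bin part inside an Office Open XML (zip) container, which is how .xlsm and .docm files carry VBA.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Subject-line themes taken from the article (CV lures and the FMLA leave-form lure).
LURE_SUBJECT_KEYWORDS = ("applying for a job", "regarding job",
                         "family and medical leave act", "fmla")

# Domains this organisation trusts (assumed list for the example, not from the article).
TRUSTED_DOMAINS = ("example.com", "hr-portal.example.com")

# Name of the VBA project part inside an OOXML package that contains macros.
VBA_PART = "vbaProject.bin"


@dataclass
class EmailRecord:
    sender_domain: str
    subject: str
    attachment_name: str
    attachment_bytes: bytes
    findings: list = field(default_factory=list)


def edit_distance(a, b):
    """Levenshtein distance; small values flag typosquats of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain this one most closely imitates, or None."""
    domain = domain.lower()
    if domain in trusted:
        return None
    best = min(trusted, key=lambda t: edit_distance(domain, t))
    return best if edit_distance(domain, best) <= max_distance else None


def ooxml_has_macro(data):
    """True if the bytes are an OOXML zip that contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith(VBA_PART) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip at all (e.g. legacy OLE .doc/.xls or plain text)


def triage(rec):
    """Append human-readable findings to the record and return them."""
    subject = rec.subject.lower()
    if any(k in subject for k in LURE_SUBJECT_KEYWORDS):
        rec.findings.append("lure-themed subject")
    target = lookalike_of(rec.sender_domain)
    if target:
        rec.findings.append(f"sender domain resembles trusted {target}")
    elif rec.sender_domain.lower() not in TRUSTED_DOMAINS:
        rec.findings.append("unknown sender domain")
    # Inspect the bytes, not the extension: the filename is attacker-controlled.
    if ooxml_has_macro(rec.attachment_bytes):
        rec.findings.append("Office attachment contains VBA macros (enable-content prompt)")
    return rec.findings


def build_ooxml(with_macro):
    """Constructed minimal OOXML-like package for testing; not a real workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed-vba-blob")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample messages modelled on the lures in the article.
    samples = [
        EmailRecord("exarnple.com", "applying for a job", "cv.xlsm", build_ooxml(True)),
        EmailRecord("medical-centre.test", "Employee Request Form (FMLA)", "form.docm",
                    build_ooxml(True)),
        EmailRecord("example.com", "Q3 budget", "budget.xlsx", build_ooxml(False)),
    ]
    for s in samples:
        print(f"{s.sender_domain:22} {s.attachment_name:12} -> {triage(s) or ['clean']}")
```

In a real gateway the trusted-domain list would come from the mail system’s own configuration, and a message with two or more findings would typically be quarantined rather than merely logged; the edit-distance threshold of 2 is a starting point that should be tuned against the organisation’s own domain lengths to avoid false positives on short names.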