Malware disguised as resumés, applicant pools filled with bots, fake job offers that serve malware, or steal personal information...

It's rough out there, for HR and job hunters alike.

I read this article from Hacker News today, about a phishing attack that was recently uncovered, although scams like it have been around for years.  In this scam, the threat actors apply for jobs and send a link to download a resumé, which will also download a bunch of malware.

This sort of scam has a flip side, too:  as I was writing this blog, a story broke about a new Windows malware named 'Warmcookie', which is distributed through personalized emails containing fake job offers. Clicking the email leads to a legitimate-looking landing page, where you are asked to download the job description. Unfortunately, clicking that will download Warmcookie insted.  Warmcookie installs a backdoor into infected machines, "capable of extensive machine fingerprinting, screenshot capturing, and the deployment of additional payloads."  intended to surveil and breach corporate networks. Unfortunately, this isn't an exactly new idea, either: in 2023, a long-running campaign by a North Korean threat group was discovered, called "Operation Dream Job" that targeted defense and nuclear engineers with fake job opportunities, but beginning the " job interview" would download a payload of malware instead. 

It got me thinking about all the other instances I've seen recently of job related scams - (there's so many variants, I might need to make this a whole series of blog posts!) and it almost makes you wonder how anyone is actually getting hired at all.

Thankfully, none of them are as terrifying as this report, of thousands of people being lured to Southeast Asia with the promise of jobs, only to be kidnapped, trafficked, tortured, and forced into running online scams in inhuman labor camps.

So what is the takeaway?  How do we protect ourselves and our companies?

• If a job offer comes seemingly out of the blue, or a new job posting seems too good to be true, it probably is.  If you think it is legitimate, do your due diligence and thoroughly investigate the company and the people hiring before replying to the offer or post.
• On the HR side, never go to someone's webpage to download their resumé. Ask applicants to submit a resumé to you, and be very careful about what file types you accept.  One way to filter it automatically would be to accept resumés through an online file uploader, set to only accept txt, docx, and pdf files.
• If you suspect you are the victim of a scam, report it! Report it to your local police, and the FBI's Internet Crime Complaint Center (IC3) at: https://www.ic3.gov/Home/ComplaintChoice
  



This post is 100% written by a real person, who has read all of the articles referenced within.