Phishing Attack Targets Job Seekers on CareerBuilder
Here’s how Proofpoint described the attack: When a job hunter submits a resume to a listed job opening, the CareerBuilder service automatically generates a notification e-mail to the job poster and attaches the document. The attacker uses a Microsoft Word document to deliver malware, the firm said.
While this approach is more manual and requires more time and effort on the part of the attacker, the firm said the probability of the e-mail being delivered and opened is higher. When the user opens the Word file, it downloads and unpacks malware onto the individual's computer. Since victims are expecting e-mails with attachments from CareerBuilder, the attackers have an easy way in. CareerBuilder could not immediately be reached for comment, but Proofpoint said the company is aware of the issue and is working to shut down the attack.
“This inventive combination of effective delivery with a very stealthy infection routine enables attackers to evade automated defenses and fool skeptical end-users,” Proofpoint said. “Instead of a new employee, the victim organizations welcome a dangerous piece of malware. . . . This clever attack demonstrated techniques similar to those now used for URL-based campaigns, but this time to deliver malicious attachments, and exemplifies the practice of piggybacking on legitimate e-mail services and sites in order to trick wary end-users and compromise targeted businesses.”
A Tried-and-True Approach
We caught up with TK Keanini, CTO of context-aware security analytics firm Lancope, to get his thoughts on the event. He told us the CareerBuilder breach shows how attacks are becoming less direct and more advanced.
“Attackers prey on the deterministic behaviors of systems where they can predict future action. Before clicking on any attachment, users everywhere need to understand to what degree it is authentic and how well they know the originating source,” Keanini said. “The default should be to not trust any attachment. While the Internet connects you to great resources, it also connects you to crime.”
Ken Westin, a senior security analyst at advanced threat protection firm Tripwire, pointed to the 2015 Verizon Data Breach Incident Report, which illustrated that phishing is still a top attack vector, primarily because it is still effective.
“Attackers find creative ways to exploit our trust in brands we are familiar with either through making e-mails or Web sites appear to be associated with the brand, or finding ways to leverage the brand’s own systems to deliver malware,” Westin told us. “This approach is tried and true as it provides attackers with a way into networks, even those that have strong perimeter defenses.”
Analyzing the Attack
Brett Fernicola, CISO of data security company STEALTHbits Technologies, told us the CareerBuilder phishing discovery demonstrates why definition-based security products are creatures of the past. You would think that a Word document designed to take advantage of a known exploit would trip some type of definition pattern, but in many cases it will not, he said.
So where do we go from here? How do consumers and enterprises protect themselves from the unknown? Fernicola argued the best one could hope for is quick discovery and containment.
“Humans are quickly becoming the weakest security link in today’s organizations; it’s only a matter of time until someone makes a mistake,” he said. “So if we assume the inevitable, how do we quickly discover and contain the threat? Well, in a large organization, gaining access to a single PC is just the starting point.”
If all the attacker did was mine data from that single PC, Fernicola said, they probably wouldn’t get much valuable information, unless the attack was an extremely successful and targeted spearphishing attack. That’s why the attacker’s next move is to slowly, and without detection, start branching out from the infected machine and probing the internal network for other resources they may have access to, he explained.
“This is hopefully where you catch the attacker; we already know antivirus is not getting it done, so we need to understand what is normal behavior for this user or PC,” Fernicola said. “By monitoring authentication traffic in Active Directory and applying the proper analysis, any hosts that have gone rogue should stand out like a sore thumb.”
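To make the detection idea in the last two sections concrete, here is an added example that is not from the article, Proofpoint, or STEALTHbits: a toy baseline-and-deviation check over constructed Windows logon records. It learns which hosts each user/workstation pair normally authenticates to, then flags a workstation that suddenly reaches several previously unseen hosts, or fans out to many hosts within a short window, the internal probing pattern Fernicola describes. The log format, field names, host names and thresholds are all assumptions made for this example; a real deployment would read event 4624 from the domain controllers' Security logs.

```python
"""
Added example (not the article's or any vendor's code): baseline normal
authentication behaviour per (user, source host) from Windows logon events,
then report hosts whose behaviour deviates from that baseline.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records shaped like Windows Security event 4624
# (successful logon). The field names and hosts are assumptions.
BASELINE_EVENTS = """\
2015-04-20T09:01:00 4624 user=alice src=WKS-ALICE target=FILESRV01 type=3
2015-04-20T09:05:00 4624 user=alice src=WKS-ALICE target=MAIL01 type=3
2015-04-20T09:07:00 4624 user=bob src=WKS-BOB target=FILESRV01 type=3
2015-04-21T09:02:00 4624 user=alice src=WKS-ALICE target=FILESRV01 type=3
2015-04-21T09:03:00 4624 user=bob src=WKS-BOB target=MAIL01 type=3
2015-04-21T09:10:00 4624 user=alice src=WKS-ALICE target=MAIL01 type=3
"""

# Evaluation window (constructed): WKS-BOB starts authenticating to hosts it
# has never touched, four of them within fifteen seconds.
OBSERVED_EVENTS = """\
2015-04-22T09:00:00 4624 user=alice src=WKS-ALICE target=FILESRV01 type=3
2015-04-22T09:04:00 4624 user=bob src=WKS-BOB target=FILESRV01 type=3
2015-04-22T13:12:00 4624 user=bob src=WKS-BOB target=HR-DB01 type=3
2015-04-22T13:12:05 4624 user=bob src=WKS-BOB target=FIN-APP02 type=3
2015-04-22T13:12:09 4624 user=bob src=WKS-BOB target=DC01 type=3
2015-04-22T13:12:14 4624 user=bob src=WKS-BOB target=BACKUP01 type=3
2015-04-22T14:00:00 4624 user=alice src=WKS-ALICE target=PRINT01 type=3
"""


def parse_events(text):
    """Parse the constructed 'timestamp event_id key=value ...' format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *kv = line.split()
        rec = {"time": datetime.fromisoformat(ts), "event_id": int(event_id)}
        for item in kv:
            key, value = item.split("=", 1)
            rec[key] = value
        events.append(rec)
    return events


def build_baseline(events):
    """Map each (user, source host) pair to the set of targets it normally reaches."""
    baseline = defaultdict(set)
    for e in events:
        if e["event_id"] == 4624:
            baseline[(e["user"], e["src"])].add(e["target"])
    return baseline


def find_rogue_hosts(baseline, events, max_new_targets=2):
    """Return {(user, src): sorted new targets} for pairs that reached more
    previously unseen targets than max_new_targets allows."""
    new_targets = defaultdict(set)
    for e in events:
        if e["event_id"] != 4624:
            continue
        key = (e["user"], e["src"])
        if e["target"] not in baseline.get(key, set()):
            new_targets[key].add(e["target"])
    return {k: sorted(v) for k, v in new_targets.items() if len(v) > max_new_targets}


def fast_fan_out(events, window_seconds=60, min_targets=3):
    """Return {(user, src): distinct targets} for pairs that authenticated to
    min_targets or more distinct hosts inside any window_seconds-long window,
    regardless of baseline (catches a brand-new host with no history)."""
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624:
            by_key[(e["user"], e["src"])].append((e["time"], e["target"]))
    flagged = {}
    for key, logons in by_key.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            window = {tgt for t, tgt in logons[i:]
                      if (t - t0).total_seconds() <= window_seconds}
            if len(window) >= min_targets:
                flagged[key] = len(window)
                break
    return flagged


if __name__ == "__main__":
    base = build_baseline(parse_events(BASELINE_EVENTS))
    observed = parse_events(OBSERVED_EVENTS)
    for (user, src), targets in find_rogue_hosts(base, observed).items():
        print(f"ALERT {src} ({user}) reached {len(targets)} new hosts: {', '.join(targets)}")
    for (user, src), count in fast_fan_out(observed).items():
        print(f"ALERT {src} ({user}) fanned out to {count} hosts within a minute")
```

The two detectors are deliberately independent: the baseline check needs history and will miss a machine that was only recently joined, while the fan-out check needs no history but will miss a patient attacker who probes one host per day. Running both over the same feed, and tuning the thresholds to the environment, is closer to the "proper analysis" the quote refers to than either alone.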