By Dave Michmerhuizen, Security Researcher
Barracuda Labs spam monitoring systems have detected a targeted blended attack against human resources professionals. The attack is carried out via spam messages that are presented as a resume from a job applicant.
While we’ve written about resume spam before, these messages are particularly well written, and the attachments are very well engineered so that they do not appear suspicious. All of the samples received so far have been deliberately addressed only to personnel agencies and human resource departments.
Opening the ‘resume’ brings up a cunningly crafted Word document.
There is no text in this document at all. The only content is an embedded spyware executable with a caption. The caption tries to convince you that Microsoft Word has crashed. It explicitly instructs you to double-click on the icon to reload and restart msword.
If you do double-click anywhere on this icon or its caption, you are actually extracting the spyware from the document and running it. You do get a security warning, but since the “error message” warned you that you would be restarting Word, it might be easy to overlook that.
Click ‘Run’ and you’ve just installed Trojan.SpyEye on your computer. This nasty program hides in the background and monitors your Internet traffic looking for usernames and passwords. Every few minutes it sends what it has to a command and control server, in this case a computer hosted in Israel.
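The attachment described above is a document whose only content is an embedded executable, which a mail gateway or an analyst can check for before anyone opens the file. The Python below is an added example, not Barracuda's detection logic and not part of the original post; it goes beyond the text by covering three container types the post does not specify (legacy .doc, .docx and RTF), and the function names and sample bytes are hypothetical.

```python
import io
import re
import struct
import zipfile

MAX_PART = 32 * 1024 * 1024   # skip oversized zip members (decompression bombs)

def find_pe_headers(blob: bytes) -> list[int]:
    """Offsets where an MZ DOS header points at a valid PE signature."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            # e_lfanew, at 0x3C in the DOS header, locates the PE header.
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x10000 and blob[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def candidate_blobs(data: bytes) -> dict[str, bytes]:
    """Split an attachment into byte ranges that can hold an embedded object."""
    if data[:2] == b"PK":                       # OOXML (.docx): a zip of parts
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return {i.filename: z.read(i) for i in z.infolist()
                        if i.file_size <= MAX_PART}
        except zipfile.BadZipFile:
            pass                                # not a real zip: scan it raw
    if data[:5] == b"{\\rtf":                   # RTF: object data is hex text
        runs = re.findall(rb"(?<![0-9A-Za-z])(?:[0-9A-Fa-f]\s*){128,}", data)
        hexes = [re.sub(rb"\s+", b"", r) for r in runs]
        return {f"hex-run-{n}": bytes.fromhex(h[:len(h) & ~1].decode())
                for n, h in enumerate(hexes)}
    return {"raw": data}                        # legacy .doc or unknown type

def scan_attachment(data: bytes) -> list[tuple[str, int]]:
    """Return (part, offset) for every embedded executable header found."""
    return [(part, off)
            for part, blob in candidate_blobs(data).items()
            for off in find_pe_headers(blob)]

# Constructed sample: the smallest byte string the header check accepts.
PE_STUB = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"

if __name__ == "__main__":
    legacy = b"\xd0\xcf\x11\xe0" + b"\0" * 60 + PE_STUB   # constructed bytes
    print(scan_attachment(legacy))
    print(scan_attachment(b"{\\rtf1 MZ is not an executable}"))
```

In a legacy .doc the embedded stream can be split across non-contiguous sectors, so an empty result from the raw scan does not prove the file is clean.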
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these spam emails. The Barracuda Web Filter and/or the Barracuda Web Filtering Service block the traffic involved in this attack.