Friday, September 19, 2008

CareerBuilder Latest Digital Certificate Malware Target

CareerBuilder.com has joined the list of brands targeted by a criminal who spams the news of a new "Digital Certificate" said to protect customers. The spam emails claim that by running a Setup Wizard for the "Microsoft Windows Live ID Certification service", customers will protect themselves better. In reality, it's a piece of malware called a "keylogger" that will infect customer machines and share what they type with criminals seeking login credentials for this online job-hunters' site.

The UAB Spam Data Mine received more than 400 copies of the spam yesterday, which used twenty different subject lines to advertise eleven webservers which would carry out the compromise when visited.

The dangerous websites look like this:



These are the subjects used in the nefarious emails:

CareerBuilder Commercial Customer Service
CareerBuilder Employer Security PlusSM
CareerBuilder Employer Services
CareerBuilder Employer Services Contacts
CareerBuilder is dedicated to protecting your privacy
CareerBuilder Job posting Services
CareerBuilder offers a full array of job posting
CareerBuilder Security and Identity Protection
CareerBuilder Security PlusSM Guards and Protects Your Information
CareerBuilder Security PlusSM uses a wide variety of fraud
CareerBuilder's pad lock and encryption features help to ensure you
Employer- CareerBuilder
Employer Services (CareerBuilder at Work)
Employer: With CareerBuilder Security Plus keeping your financial information
Employer: With CareerBuilder Security Plus we regularly monitor accounts through
How does CareerBuilder protect your information
How does CareerBuilderm protect your privacy and personal information
Visit a CareerBuilder Employer Center
What is CareerBuilder Employer Security PlusSM

The websites which are being used by this campaign are currently these:


Update!


We reported the bad guys' domains, and they were all shut down. Did that stop our bad guys? No. They went and made another batch! We've received 444 more copies of this campaign, now using THESE domain names, created today...





UAB Computer Forensics personnel shared information about the new attack with CareerBuilder's fraud prevention staff last night, and are working to terminate these domains immediately.

This is the latest in a family of "Digital Certificate" malware which we've been following since at least May. Some of the other columns we've done on this topic are listed here for your convenience:

Digital Certificate Alert! - May 6th article about the Colonial Bank, Comerica, and Merrill Lynch Digital Certificate Malware

Anti-Virus Products Still Fail on Fresh Viruses - August 12th article using the largely undetectable "Colonial Bank" Digital Certificate Malware as an example

Banking Digital Certificate Malware in Spam - August 30th article about the Bank of America and SunTrust Digital Certificate Malware

The domains above are hosted using "Fast Flux" technology, where the nameservers for the domains are constantly updated so that at any given moment there are at least ten "bot" computers (home users who are already compromised) who act as "Proxy web servers" to complicate the task of finding the actual server. We've already identified more than 200 IP addresses which will resolve these domains.
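For defenders, the hosting pattern described above is visible in DNS data. The following is an added example, not code from this post or from UAB: it profiles repeated DNS answers per domain and flags the ones that look fast-fluxed. The observations, the `.test` domain names, the 10.x addresses and all thresholds except the ten-proxy figure are constructed assumptions, including the short-TTL check, which the post does not mention.

```python
from collections import defaultdict
from ipaddress import ip_network


def constructed_observations():
    """Constructed sample data: (minute, domain, TTL seconds, A records)."""
    obs = []
    for poll in range(6):  # six polls, five minutes apart
        # Fluxing domain: ten addresses per answer, all new on every poll.
        flux = [f"10.{poll * 10 + i}.{poll}.{i + 1}" for i in range(10)]
        obs.append((poll * 5, "flux-example.test", 180, flux))
        # Conventionally hosted domain: the same two addresses every time.
        obs.append((poll * 5, "stable-example.test", 3600,
                    ["10.250.0.10", "10.250.0.11"]))
    return obs


def profile(observations):
    """Aggregate the per-domain features fast flux hosting leaves in DNS."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(),
                                 "max_ttl": 0, "min_answer": None})
    for _minute, domain, ttl, ips in observations:
        s = stats[domain]
        s["ips"].update(ips)
        s["nets"].update(ip_network(f"{ip}/16", strict=False) for ip in ips)
        s["max_ttl"] = max(s["max_ttl"], ttl)
        size = len(set(ips))
        s["min_answer"] = size if s["min_answer"] is None else min(s["min_answer"], size)
    return dict(stats)


def is_fast_flux(s, min_answer=10, min_turnover=3.0, min_nets=5, max_ttl=300):
    """Thresholds are assumptions; only the ten-proxy figure is from the post."""
    turnover = len(s["ips"]) / max(s["min_answer"], 1)
    return (s["min_answer"] >= min_answer      # many proxies in every answer
            and turnover >= min_turnover       # the proxy set keeps changing
            and len(s["nets"]) >= min_nets     # scattered over unrelated networks
            and s["max_ttl"] <= max_ttl)       # short TTLs force re-resolution


def flag_domains(observations):
    return sorted(d for d, s in profile(observations).items() if is_fast_flux(s))


if __name__ == "__main__":
    for name, s in profile(constructed_observations()).items():
        print(name, len(s["ips"]), "IPs in", len(s["nets"]), "/16 networks,",
              "fast flux" if is_fast_flux(s) else "stable")
```

In practice the observations would come from passive DNS or resolver logs collected over hours, and the thresholds would be tuned against legitimate CDN traffic, which also rotates addresses but usually within a few networks.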

The same Fast Flux network is also hosting the "Walker & Sons" work-at-home scam to recruit "Money Mules". We warned about this type of scam last week in our column, "Work at Home . . . for a Criminal?". In the current Walker & Sons scam, which has used more than a dozen domain names all registered at "123-reg.co.uk", the Money Mule position is described like this:


Financial Coordinator

Job summary :

As a regional Financial Coordinator for our company you will be responsible to administer customer payments. You will help to fasten customer settlements and payments delivery. You will participate in internal and external company funds flow to speed up maturity of bills and other transactions. We need you to support our international team to be able to raise capital, attract more and more customers and expand into new economical markets and assist in the development of the company in general.

Responsibilities:

Deal with order and bill payment projects
* Receive and manage customer payments and any other business payments ( your existing accounts is to be used for the trial period of first three customer payments and a business account to be opened especially for the company needs in the future)
* Implement calculations regarding each new coming payment project to be dealt with
* Ensure the high-speed delivery of the funds to the final destination through Western Union or Money Gram quick collect services
* Be in a tight collaboration with the Head Office and report directly to the Finance Manager

Required skills and experience:
* Excellent project management skills
* Written and verbal communication skills
* High School diploma or equivalent preferred
* Excellent time management skills
* Excellent organizational and communication skills
* Capable of managing multiple projects and prioritizing deadlines

This position offers part employment (1-2 hours a day) and net 10% commission
If you are interested in this opportunity, click the Apply Now! button.


See the key phrases I've highlighted? You'll be receiving stolen funds into your personal checking account, and then using Western Union and Money Gram to withdraw these funds and ship them overseas. The proper title for this job is "Money Launderer", and holding this job is a crime. If you've been duped into this job, you need to contact law enforcement and explain your situation.

Some of the many domain names being used for this scam include:


CareerBuilder.com is a fine, safe place to find a job. But LOGIN TO THEIR WEBSITE by typing its URL in the browser. Don't follow links in email messages that take you there.
