How Hackers Infect Resumes to Target HR Data

By Aliah D. Wright May 8, 2015

Hackers are uploading resumes infected with malware to job boards in an attempt to gain access to valuable HR data, according to researchers at the security company Proofpoint.

“Proofpoint threat researchers recently detected a clever e-mail-based attack that combines phishing and social engineering techniques in order to trick users into opening a malicious document,” the company states on its website. “In this attack, [a hacker] browses open positions listed on, a popular online job search and recruiting service, and attaches resumes to job postings as malicious documents in Microsoft Word format.”

The hacker typically attaches infected Word document resumes to IT job positions in finance and engineering with titles such as “middleware developer,” “business analyst” or “web developer.”

The problem arises, KnowBe4 security software CEO Stu Sjouwerman writes on his blog, when “CareerBuilder automatically sends a notification e-mail to the company that posted the ad, along with the resume attached to it. CareerBuilder helps deliver the malicious payload, which is likely to slip past defenses, because it is concealed inside an image.”

“When HR [or a recruiter] opens the e-mail and next the attachment, the document tries to exploit a known vulnerability in Word to place a malicious binary on the user’s system. The binary then contacts a command and control server, which downloads and unzips an image file, which in turn drops a backdoor dubbed Sheldor on the victim’s computer,” Proofpoint said in a blog post describing the attack.

Jennifer Sullivan Grasz, vice president of corporate communications for CareerBuilder, told SHRM Online in an e-mail response: “CareerBuilder has been investigating the situation,” and that the site “follows incident response protocols, investigating the scope and type of attack with the help of third-party experts kept under contract, and sharing information with affected customers.”

Grasz said, “Providing a secure experience for our clients is very important to us. CareerBuilder has controls in place to stop mass distribution of applications to job postings and takes a variety of preventative measures.” For security reasons, she declined to go into specifics about those measures.

What’s HR to Do?

“HR professionals should participate more in security discussion organization-wide to ensure everyone remembers the most vulnerable and valuable part of security: people,” said Margaret Walker, senior marketing specialist and a member of the HR committee for Cohesive Networks, an IT security company.

“HR should review its external candidate communications channels, to reinforce awareness of the role that career websites and resume services play in the enterprise’s candidate identification processes,” added Brian Huntley, information security officer at IDT911, an identity protection solutions company. He told SHRM Online that “once empowered by this knowledge, HR should ensure that employees who handle these electronic documents are maximally aware of this new threat, and keenly sensitive to their central role in adapting their document handling practices and risk detection skills to respond to its emergence.” He noted that all employees should be made aware of the threat as well.

More specific preventative steps include the following:

“What we recommend is putting in a few technical controls to mitigate concern of downloading a malicious resume,” said Max Aulakh, chief security architect at Ignyte Assurance Platform, a security services firm.

“First and foremost, the HR professional should speak to his or her IT security person to ensure all attachments have been scanned by a virus scanner prior to downloading. This technical control can be automated and it will only catch known attacks, given that virus definitions have been kept up-to-date.”

Aulakh also recommends that companies carry out security update procedures for the Windows operating system and regularly update the security of the Microsoft Office suite. “Specifically, the IT security administrator should disallow execution of any VBScript code or macros by default that might be potentially embedded or hidden inside of the MS Word documents. The ‘hardening of the environment’ will protect the user from the attacker taking advantage of known vulnerabilities inside of the operating system,” he said. “Resumes can also come in PDF format—it is very important to keep Adobe or any third-party application up-to-date. The hardening process completed by the IT security professional should include configuring minimal privileges necessary for the HR user so if someone does download a malicious file, it executes with the lowest level privileges [rather] than administrative privileges. These are some of the best defenses out there and also cost-effective.”
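As an added illustration (not code from the article or from any vendor quoted in it), the sketch below shows a pre-delivery triage step that could sit beside the virus scan described above: it identifies a resume attachment by its content rather than its extension and holds files that carry a VBA macro project or whose type does not match their name. The function names, the accepted-extension policy and the decision to hold every legacy binary .doc are assumptions made for the example; the check does not detect exploit code aimed at Word vulnerabilities, so it complements scanning and patching rather than replacing them.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container
# Content kinds each resume extension is allowed to carry (assumed policy).
EXPECTED = {"doc": {"ole2"}, "docx": {"ooxml"}, "rtf": {"rtf"}, "pdf": {"pdf"}}

def triage_resume(filename, data):
    """Classify an attachment by content, not extension, and flag macro carriers."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind, findings = "unknown", []
    if data.startswith(OLE2_MAGIC):
        kind = "ole2"
        findings.append("legacy binary Office format: macros cannot be ruled out here")
    elif data.lstrip()[:5] == b"{\\rtf":
        kind = "rtf"
    elif data.startswith(b"%PDF-"):
        kind = "pdf"
    elif data.startswith(b"PK\x03\x04"):
        kind = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
            findings.append("corrupt ZIP container")
        if "[Content_Types].xml" in names:
            kind = "ooxml"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("contains a VBA macro project")
    else:
        findings.append("unrecognised content type")
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        findings.append(f"extension .{ext} does not match content ({kind})")
    return {"file": filename, "kind": kind, "findings": findings, "hold": bool(findings)}

def make_ooxml(with_macro):
    """Build a constructed, minimal OOXML-shaped ZIP in memory (not a real resume)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, blob in [("cv.docx", make_ooxml(True)), ("cv.doc", b"{\\rtf1 constructed")]:
        print(triage_resume(name, blob))
```

Files returned with `hold` set would be quarantined for the IT security team instead of being forwarded to the recruiter's inbox.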

In his blog, Sjouwerman also recommends “that anyone who opens resumes from job boards only uses the Google Chrome browser view option and does not download any actual documents.”

He writes that companies should also deploy “an automated resume parsing solution (there are a few) which will take the brunt of the malware threat as part of their service.”

Aliah D. Wright is an online editor/manager for SHRM.
