September 22, 2008
People with an account on CareerBuilder.com who receive an email offering an improved "security certificate" should immediately delete it, say researchers at the University of Alabama Birmingham. They say it's an effort to steal the user's login credentials.
The researchers at UAB's Spam Data Mine say they received more than 400 copies of the spam email in a 24-hour period last week. The CareerBuilder.com malware was especially interesting, said Gary Warner, Director of Research in Computer Forensics.
"We've seen a long list of banks abused by this malware promising better security with Digital Certificates, but this is the first employment company targeted for this criminal's scam," Warner said.
"By stealing CareerBuilder credentials the criminals will be able to make more believable job offers, and will be able to know who is actively seeking a job. They already have login credentials for banking sites, but they need to recruit more 'Money Mules,' which is what investigators call the victims who are tricked into sending the money out of the country."
Warner's investigations, which he describes in his blog, CyberCrime & Doing Time, have revealed that the same criminals stealing these CareerBuilder accounts are attempting to convince desperate job seekers to work as financial assistants.
In fact, these financial assistants receive a commission for receiving stolen funds into their personal bank accounts and then transferring the funds to the criminals via Western Union or MoneyGram.
Warner calls that "a sign that money laundering may be part of their new job." Warner and his team of researchers have been tracking this malware family since May. The current campaign also links to work-at-home scams being hosted on the same IP addresses as the CareerBuilder malware.
UAB's Spam Data Mine collects millions of e-mail messages used to provide investigators with spam intelligence and determine new attack methods.