Many organizations use their website, third-party job boards or e-mail to screen prospective employees. Microsoft Word documents and Adobe PDFs, the very formats those channels accept, can carry malware or be weaponized to attack your endpoints. It is worth investigating how candidate submissions are stored and presented to your HR team, and what gets opened before anything has inspected it.
Creating a fake name and a resume that matches the requirements of your posting is not difficult. Many job boards rank candidates by keywords that match your listing, so the attacker already knows which words will put a submission in front of a human. With that in mind, it takes trivial effort to target your organization with spyware such as keyloggers, remote access tools, or even ransomware, disguised as resumes and cover letters.
Information stealers such as Agent Tesla and Remote Access Trojans (RATs) can be installed covertly on the victim's computer from Word documents and PDF files that open and read as ordinary documents, for example through a macro or an embedded object. Keylogging (keyboard capturing) is a technique that records the keys struck on the victim's keyboard without their awareness. The captured data is then retrieved by the attacker and used to compromise the victim's accounts and systems.
Let's run the same scenario as a thought experiment with ransomware instead, to show the magnitude of what is at stake.
An unassuming human resources employee, we'll call her Carol, works for a large corporation. Carol reviews resumes and cover letters from potential candidates every day. Suppose an attacker, posing as a job candidate, attaches a ransomware executable disguised as a resume. Microsoft Windows by default hides the extension of known file types (the Explorer option "Hide extensions for known file types"), so a file named resume.doc.exe is displayed to the unsuspecting reader as resume.doc. Out of habit, Carol is none the wiser and opens it. Once it runs, there is a strong possibility that every file Carol's account can write to is encrypted and she no longer has access to it. Her data is then held until a ransom is paid, with no guarantee it comes back.
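An added example (not code from the original post) of how a mail gateway or resume-intake script could catch the trick described above. It reconstructs the name Explorer would display with extension hiding on, inspects the full extension chain rather than the last component, and sniffs the leading bytes of the file, so a renamed executable is quarantined even when it carries a single .doc extension. The extension sets, the magic-byte table and the sample attachments are constructed for this example.

```python
"""Screen inbound resume attachments for disguised executables.

Two independent checks (constructed example, not a product feature):
  1. the filename's full extension chain (part of which Explorer may hide),
  2. the file's leading bytes (what the file really is).
Either check disagreeing with "this is a document" is enough to quarantine.
"""
import os

# Extensions Windows will execute or script-run when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "ps1", "hta", "msi", "lnk"}
# Extensions a resume or cover letter is expected to carry.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "rtf", "odt", "txt"}
# Office formats that can carry VBA macros; not malicious by themselves.
MACRO_EXTS = {"docm", "dotm", "xlsm", "pptm"}

# Leading bytes of the container formats we care about.
MAGIC = [
    (b"MZ", "pe"),                                # Windows executable (PE)
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls (OLE2)
    (b"PK\x03\x04", "zip"),                       # .docx/.xlsx (OOXML is a zip)
    (b"{\\rtf", "rtf"),
]
# Which sniffed container is consistent with which claimed extension.
EXT_TO_CONTAINER = {"doc": "ole", "docx": "zip", "docm": "zip", "dotm": "zip",
                    "pdf": "pdf", "rtf": "rtf"}


def extension_chain(name):
    """Every dotted suffix, lowercased: 'resume.doc.exe' -> ['doc', 'exe']."""
    parts = os.path.basename(name).lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def explorer_display_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the last extension disappears if Windows knows it, so the reader sees
    everything before it ('resume.doc.exe' -> 'resume.doc')."""
    base = os.path.basename(name)
    chain = extension_chain(name)
    if chain and chain[-1] in EXECUTABLE_EXTS | DOCUMENT_EXTS | MACRO_EXTS:
        return base.rsplit(".", 1)[0]
    return base


def sniff_container(data):
    """Classify a file by its leading bytes, independent of its name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def screen_attachment(name, data):
    """Return (verdict, reasons); verdict is 'allow', 'review' or 'quarantine'."""
    chain = extension_chain(name)
    final = chain[-1] if chain else ""
    container = sniff_container(data)
    reasons = []

    if final in EXECUTABLE_EXTS:
        reasons.append(f"final extension .{final} is executable")
        if any(e in DOCUMENT_EXTS for e in chain[:-1]):
            reasons.append("double extension; Explorer shows it as "
                           f"'{explorer_display_name(name)}'")
    if container == "pe":
        reasons.append("content starts with an MZ header (Windows executable)")
    expected = EXT_TO_CONTAINER.get(final)
    if expected and container != "unknown" and container != expected:
        reasons.append(f".{final} claimed but content is {container}")

    if reasons:
        return "quarantine", reasons
    if final in MACRO_EXTS:
        return "review", [f".{final} is macro-enabled; open in Protected View only"]
    if final not in DOCUMENT_EXTS:
        return "review", [f"unexpected extension .{final or '(none)'}"]
    return "allow", []


if __name__ == "__main__":
    # Constructed sample attachments: a few header bytes stand in for real files.
    samples = {
        "resume.doc.exe": b"MZ\x90\x00" + b"\x00" * 60,   # the Carol scenario
        "resume.doc": b"MZ\x90\x00" + b"\x00" * 60,       # renamed PE, one extension
        "cover_letter.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
        "cv.docx": b"PK\x03\x04\x14\x00\x06\x00",
        "cv.docm": b"PK\x03\x04\x14\x00\x06\x00",
    }
    for fname, blob in samples.items():
        verdict, why = screen_attachment(fname, blob)
        print(f"{fname:18} shown as {explorer_display_name(fname):14} -> {verdict}  {'; '.join(why)}")
```

The two checks are deliberately independent: the extension check catches the double-extension trick the user cannot see, and the content check catches the plain rename (resume.doc that is really a PE), which no extension rule would flag. Turning off "Hide extensions for known file types" on HR workstations removes the visual deception but does nothing about the second case, which is why intake should sniff content rather than trust names.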
Given what the HR team is responsible for, that data undoubtedly includes a great deal of personally identifiable information (PII) for every employee, company-wide: resumes, driver's licences, social insurance numbers (SINs), health data, case files, resignation letters, termination letters, and so on.
To add insult to injury, most large organizations have a shared or common network drive. Because it is writable from Carol's account, it is encrypted right along with her local files. One can only imagine the havoc this inflicts on client data and workplace productivity.
As of November 1, the Digital Privacy Act changes make disclosure of breaches mandatory and allow fines of up to $100,000. To find out more about how you can protect yourself from such threats, please contact us for more information.