A Closer Look at HR Scams: Does Niceness Have a Downside?



Threat actors are targeting HR employees who are looking to hire new people, according to Lisa Vaas at Contrast Security. As part of their job, HR employees frequently interact with people outside of the organization and are more likely to open external files. Attackers frequently take advantage of this by hiding malware within phony resumé files.

Vaas cites Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, as saying in a talk at RSAC that North Korean threat actors are particularly fond of this technique.

“[One thing] that's been really interesting to watch is their attempts to infiltrate organizations remotely by trying to actually get hired inside of these companies, particularly in the web3 crypto space, where they're responding to advertisements,” Alperovitch said. “They're saying they're willing to do remote development work. They're saying they're from ‘a’ Bay Area, although in many of the interviews they failed to identify even the most common locations in ‘the’ [San Francisco] Bay Area.”

Attackers use job-listing and networking sites such as LinkedIn to identify potential targets.

“They’re still having a tough time actually passing these interviews, but they don’t have to pose as Bay Area natives when it comes to packing resumés with malware,” Vaas writes. “One example: In April, eSentire research showed that new phishing attacks, targeting corporate hiring managers, were delivering the more_eggs malware, tucked into bogus CVs. These campaigns sprang up a year after potential candidates looking for work on LinkedIn were lured with weaponized job offers: The offers dangled malicious ZIP archive files with the same name as that of the victims' job titles, as lifted from their LinkedIn profiles.”

Niceness, to be sure, is a good thing, everything else being equal. But it can also render you vulnerable to scams and cons. Every employee needs to know that they should never click the “Enable content” button in a Microsoft Office document. New-school security awareness training can teach your employees how to avoid falling for phishing attacks.
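The "Enable content" button only appears when an Office document carries a VBA project, so a mail gateway or triage script can flag resumé attachments that would show it before they reach an HR inbox. The example below is added here and is not code from the original post, Contrast Security or KnowBe4; the OOXML container it inspects is constructed inline, and the part names and content type are the standard OOXML locations for a VBA project.

```python
import io
import zipfile

# Standard OOXML locations of an embedded VBA project (Word, Excel, PowerPoint).
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def ooxml_macro_indicators(data: bytes) -> list[str]:
    """Return reasons an OOXML attachment would prompt 'Enable content'.

    An empty list means no VBA project was found. That is not a clean bill of
    health: legacy binary .doc/.xls files and remote-template tricks are
    outside what this check looks at.
    """
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            for part in sorted(MACRO_PARTS & names):
                reasons.append(f"contains VBA project part {part}")
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE in ctypes:
                    reasons.append("content types declare a VBA project")
    except zipfile.BadZipFile:
        reasons.append("not a valid OOXML zip container")
    return reasons


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like 'resume.docm' for demonstration only."""
    override = (
        '<Override PartName="/word/vbaProject.bin" '
        f'ContentType="{MACRO_CONTENT_TYPE}"/>' if with_macro else ""
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", f"<Types>{override}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("macro", build_sample(True))):
        print(label, ooxml_macro_indicators(sample) or ["no VBA project found"])
```

A gateway would typically quarantine or strip anything that returns a non-empty list, regardless of how plausible the sender's cover story is.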

Contrast Security has the story.
