No one can say that hackers don’t have a sense of irony.

In search of money mules, attackers behind a variant of the Zeus Trojan have configured the malware to activate when users visit careerbuilder[.]com with code that redirects victims to an advertisement for a mule-recruitment website.

Researchers at Trusteer spotted the scheme in a recent Zeus configuration file and determined the man-in-the-browser attack was trying to redirect visitors to marketandtarget[.]com, which has since gone dark. The rogue site promised hot jobs and had a splashy layout that also included some spotty grammar and punctuation. It also referenced Premier Marketing & Targeting, another scam site, according to Trusteer fraud prevention solutions manager Etay Maor.

Maor said this is the first use of HTML injection he’s seen that adds a link to another part of the fraudulent process rather than attempting to steal data or credentials. Zeus is banking malware that uses HTML injection targeting a particular online banking application. When the user logs in to their account, the malware will hijack the session and steal credentials, payment card information or other sensitive personal data.

“In this case, we witnessed a rare usage that attempts to divert the victim to a fake job offering,” Maor said. “Because this redirection occurs when the victim is actively pursuing a job, the victim is more likely to believe the redirection is to a legitimate job opportunity.”

Career websites are popular targets for attackers, especially those recruiting money mules who are willing or unwitting participants in the scam and aid attackers in cashing out stolen money.

“I’ve seen career sites targeted for seven, eight years now and are usually targeted from within, meaning that I’ve seen attacks where people who are part of a financial scam will post jobs and recruit mules,” Maor said. “I’ve also seen criminals create resumes on websites and within site, and add a link to a drive-by infection page where the user is infected with malware that grabs credentials.”

The initial infection vector is unclear. Generally, Zeus is spread via drive-by downloads or via email attachments or links. Some Zeus variants as well as other financial malware have also made use of man in the browser attacks before.

Man-in-the-browser attacks are used in many financial fraud operations. Malware on the computer, in this case, tries to lure surfers to a malicious website. In other attacks, however, the attacker will spy on banking transactions and be sent data strings containing credentials or account information in order to wipe accounts clean unbeknownst to the user. Other attacks will use man-in-the-browser to pretend to be a security check from the bank, while in reality, the malware steals transaction authorization numbers sent to a mobile device, for example, via SMS as a second form of authentication. These are unlike man-in-the-middle attacks where an attacker will sniff traffic and steal credentials, encryption keys or other information in a network packet.

Categories: Web Security