Websense Security Labs reports that the attached ZIP is an executable malware file directing to the Oficla bot. “This connects to a URL in the davidopolko.ru domain for its [command-and-control] functions”, the firm noted in a security blog posting. Once downloaded, the malware brings up a warning box telling users their machine has been infected by a trojan, followed by the download and installation of a rouge anti-virus called ‘Security essentials 2010’.
Websense said the spam is quickly proliferating, as its security lab saw more than 230 000 samples in just four hours this morning.
Graham Cluley, Sophos senior technology consultant , warns staff to be cautious if receiving an unexpected email with what appears to be a resume/CV attached.
Cluley says the emails, which are short and to the point, have the following characteristics:
Subject: New resume
Attached file: Resume_document_459.zip
Message body: Please review my CV, Thank you!
"Hmm.. hardly the most convincing job application I've ever seen – they haven't even given any clues as to which role they might be applying for", said Cluley in his security blog posting last night. "However, you or some of your users might still be tempted to open the attached CV to see if it sheds any more clues as the point of the communication", he added.
Sophos' Cluey went on to say that, if you do make the mistake of opening the attached Resume_document_459.zip file, you run the risk of infecting your Windows computer with malware.
Sophos' research teams, he says, are intercepting the threat proactively as Troj/Invo-Zip and Mal/EncPk-NS.
“HR departments are used to receiving CVs over email and this kind of malicious activity is indicative of the modern-day hacker”, added Carl Leonard, EMEA security research manager for Websense. “The broad-brush approach to seeding malware is now out of favor; fraudsters know they can infect more computers, and steal more data, if they use techniques that fit the target.”