back to article Ransomware scum: 'I believe I'm a good fit. See attachments'

Criminals are posing as job applicants to drop ransomware into human resources departments. The ransomware vector contains two attachments. One is a harmless PDF cover letter designed to convince the human resources operative that the criminal's email exchange is legitimate. A second Excel spreadsheet attachment contains the …

  1. Anonymous Coward
    Anonymous Coward

    I don't have the 1.3 bitcoins

    Will you take 1.3 bits instead?

    Thanks!

    1. Anonymous Coward
      Anonymous Coward

      Re: I don't have the 1.3 bitcoins

      It took me some time with a Dremel but now I have 1.3 Coin bits, where do I mail them?

      1. Anonymous Coward
        Anonymous Coward

        Re: I don't have the 1.3 bitcoins

        In many companies HR people are the most technically illiterate people in any organization. Not only are they a perfect target for ransomware, they also won't know what a bitcoin is.

  2. a_yank_lurker

    Macros

    Macros have been a security problem since the start of the web. That is a bit of functionality that needs to be replaced for those situations where they might actually be useful. I can not see why any HR department needs to enable macros for any documents. In fact, outside some bean counters I seriously doubt that macros are necessary. Even for the bean counters I would recommend learning how to avoid using macros.

    1. Anonymous Coward
      Anonymous Coward

      Re: Macros

      Excel macros can be kept in their own workbook - independent of any data. The data to be processed by the macros is then loaded as separate workbooks.

      Therefore you only enable macros for the loading of that trusted macro workbook***. Any data file that wants macros enabling is thus still flagged as a risk.

      ***It is assumed that MS Office still allows selective enabling of specific workbooks. Which is remembered to avoid users getting "click happy" on enable prompts.

    2. Anonymous Coward
      Anonymous Coward

      Re: Macros

      Any executable code has been a security problem since well before the internet, and it isn't just HR and bean counters that uses Excel.

      I write macros because the things I need to calculate are either difficult, cumbersome or impossible to express in terms of the built in functions of Excel, but translate rather elegantly into VBA.

      1. BongoJoe

        Re: Macros

        I write macros because the things I need to calculate are either difficult, cumbersome or impossible to express in terms of the built in functions of Excel, but translate rather elegantly into VBA.

        That's me too. In some of my spreadsheets it's more than just mere 'macros' but properly constructed code and I would say that 99% of the stuff I write code for just isn't practical or possible with the front end of Excel.

        Sometimes I use the COM interface to get the data out but quite often it's better to have the code within Excel and run it there. It also has the advantage that I can give the sheet to someone else and ask them if they can see the Date/Time in a certain cell. If they can then I know that it's "installed correctly" and it will run without having to go through endless installation routines and the like.

        Anyway, as far as I am concerned macros isn't the same as VBA: it's not even in the same league and this morning I was working on a circular linked list with three sets of pointers and try doing that and what it's used for by anything via the Ribbon.

    3. Mark Simon

      Re: Macros

      The real problem with Microsoft Security is that it’s just shifting the blame. If you disable macros, it won’t work. If you enable them, it’s your fault when things fall apart.

      I haven’t worked with Microsoft products for some years now, which is why my sanity is slowly returning to me.

      When Microsoft first released VBA for their applications, they enabled the first cross-platform viruses (Mac & Windows running the same evil code). Their solution was not to fix the problem, but simply to ask your permission to run the code.

      One thing Microsoft has never understood is the concept of sandboxing macros. The majority of VBA I have developed is solely to enhance functionality within the document, and has no need to gain access outside of it. With Microsoft security, if you write a macro to automate adding a new worksheet, you need to grant permissions to interact with the whole operating system.

      I mean, what were these guys snorting when they implemented this and called it Security? The correct solution is to enable two levels of enabling macros: sandboxed and superuser.

      1. Anonymous Coward
        Anonymous Coward

        Re: Macros

        "The majority of VBA I have developed is solely to enhance functionality within the document, [...]"

        My Excel VBA macros live in their own workbook. They operate on data in a separate set of master workbooks to control the extensive processing and creation of hundreds of workbooks and Word documents. The current main run also uses Selenium/Chrome to enable the Excel macros to browse hundreds of web pages to extract raw data from them.

        That latter step is the one that could introduce malware into the PC - but that is the weakness of the browser not the Excel macro system.

        1. Hans 1
          Boffin

          Re: Macros

          There is no excuse for macros. Re-write them as PowerShell of VisualBasic scripts ... data files are designed to host DATA, NOT PROGRAMS, keep data and program logic apart and you will never have a problem.

    4. Anonymous Coward
      Anonymous Coward

      Re: Macros

      Can't macro security options be locked down through GPOs? If a company needs to deploy its own macro, can't it sign them?

      Also, if those big mail providers are so good at identifying ransomware (probably just after it hit enough users), why don't they publish hashes or the like in a public backlist? Or are they just trying to use it to lure more customers into their cloud services?

      1. veti Silver badge

        Re: Macros

        Word macros can be really useful. I used to use them to format documents for publication, they saved countless hours of gruntwork there.

        But on the other hand, any applicant who wants me to enable macros in a document they sent to me - well, let's just say they're not likely to be a good fit, on the grounds that they're an idiot. Anyone who's sophisticated enough to use macros has no excuse for not knowing why that's a dumb idea.

  3. Oengus

    Experience with HR

    This would fail miserably with our HR as they couldn't follow the instructions to enable Macros.

    Also from my experiences 90% of our HR wouldn't notice that their files were encrypted.

    1. Dr Scrum Master

      Re: Experience with HR

      You never know, HR with encrypted local drives might end up improving the effectiveness of the organisation.

      (But with all of these things it's like assassinating Hitler - you don't know if someone worse or more effective would take his place.)

      1. Anonymous Coward
        Anonymous Coward

        Re: Experience with HR

        > you don't know if someone worse or more effective would take his place

        You just need someone who realizes that a landwar in Asia is not a good idea.

        1. Anonymous Coward
          Anonymous Coward

          Re: Experience with HR

          > You just need someone who realizes that a landwar in Asia is not a good idea.

          Inconceivable!

    2. Anonymous Coward
      Anonymous Coward

      Re: Experience with HR

      The main challenge I have is a lack of sympathy for HR, but I'm not a fan of criminals either.

      Difficult choice :)

  4. Anonymous Coward
    Anonymous Coward

    Gotta love these guys: Scammers / Hackers / Cyber-Crims

    ~ Talk about relentless and creative. They're the ones winning the data wars...

    ~ Politicians don't get it. Too old / Don't own necessary tech to see the problems.

    ~ Corporations sleep walk us to the Power of Nightmares (IoT Edition). ...

    ~ Regulators lack enforcement powers and when they do they don't know what to do.

    ~ Mass media remains blissfully ignorant in a US style election coma.

    ~ At this rate, scammers will soon run the entire net, forget ICANN...

    1. Anonymous Coward
      Anonymous Coward

      Re: Gotta love these guys: Scammers / Hackers / Cyber-Crims

      .. which is why you should always assume you're on your own, assume law enforcement is just as bad and protect accordingly.

      No excuses.

  5. kain preacher

    I shed not a tear. Now can we get this to the PHB?

  6. whoseyourdaddy
    Facepalm

    Again? sh?t...

    So this is why the only applicants we find are those who can survive two hours bending to the will of the Applicant Tracking System, Taleo, without blowing their brains out in frustration.

    "What was your favorite color in high-school?"

    All that time spent pimping the formatting on our MSWord resumes is waaasted. Waaaysted, I tell you.

  7. Magani
    FAIL

    Why Excel?

    What sentient human could possibly think that any CV or job application would need a spreadsheet to get their message across?

    Oh, we're talking HR here, aren't we?

    1. Dave 126 Silver badge

      Re: Why Excel?

      Indeed. When I applied for a job at Dyson, they wanted my CV to be in plain text, pasted into a web form. Seemed sensible enough. Also, it meant no applicant required a Word licence, or would have to cross their fingers that Libre Office formatting would be rendered correctly at the recipient's end.

      If I had needed to send them photographs of my work, I could have just included a link to a reputable designer's portfolio hosting site.

    2. BongoJoe

      Re: Why Excel?

      I believe that HR may think that an Excel attachment will contain pictures of designer shoes or similar.

      .

      1. Loud Speaker

        Re: Why Excel?

        Designer cat videos WITH PONIES!

  8. Stuart Elliott
    Facepalm

    Enquiring minds want to know...

    Did they get the job though?

  9. Inventor of the Marmite Laser Silver badge

    "one threat actor leveraging the German CV campaign"

    WTF is wrong with "one threat actor using the German CV campaign"

    1. Dan 55 Silver badge
      Coat

      Re: "one threat actor leveraging the German CV campaign"

      He's synergising a known pro-active solution that has been proven in the field to gain result-driven wins.

      1. Vic

        Re: "one threat actor leveraging the German CV campaign"

        He's synergising a known pro-active solution that has been proven in the field to gain result-driven wins.

        I'll upvote, but I really hate you now...

        Vic.

    2. Anonymous Coward
      Anonymous Coward

      Re: "one threat actor leveraging the German CV campaign"

      So, out of work actors are becoming hackers rather than baristas?

  10. Doctor Syntax Silver badge

    "These services have gotten very good at quickly identifying new ransomware campaigns and sending the offending emails to the junk folder."

    From experience I'd say there's a very effective way of getting spam through Microsoft's filters: pretend it came from them.

    Identifying stuff quickly still leaves an interval during which a good number will get through.

  11. Anonymous Coward
    Anonymous Coward

    A little bit torn with my opinion...

    Of course I don't condone this and those asshats should be taken care off by law enforcement.

    But on the other hand I also couldn't help grin a little bit: "Here's hoping those Enterprise bosses didn't outsource their IT departments". Because that is in my opinion the other side of the medal.

    It is definitely no excuse, but yeah...

  12. Zippy's Sausage Factory

    People still accept MS formats in attachments?

    I think I just spotted the problem there...

    1. Doctor Syntax Silver badge

      Re: People still accept MS formats in attachments?

      "I think I just spotted the problem there..."

      You were being distracted. The problem was HR.

  13. Stevie

    Bah!

    Dear sir, please find attached a link to my CV.

    Yours,

    Britney Spears-Naked (Ms)

  14. TeeCee Gold badge
    Meh

    Well whoop-de-do

    .....consumer webmail providers like Google and Microsoft tweaked spam filters to filter out much of the inbound menace.

    I can't help thinking that if they did that outbound as well, it would do rather more good.

    A quick change in the law to make the bastards jointly liable with the sender for any damage caused by shit disseminated via their services ought to do the trick.

  15. Hans 1
    Boffin

    CV in an Office Document

    I keep my CV in OpenOffice and send PDF's, no need to send office documents, if they require Word documents, no need to apply, I don't want to work for idiots.

    The good thing about PDF is that is as vulnerable as Office with Macros ... how many PDF 0-days in 2016 ? Precisely. Most HR systems have not been patched for those discovered in 2012, let alone 2013 ...

  16. Anonymous Coward
    Anonymous Coward

    Personally I'm hoping this tactic jumps the gap to recruitment agencies

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like