Even If You Expect An Email Attachment, It’s Not Always Safe

The FBI recently issued a warning about malware in email attachments sent in response to online job postings. It cites the case of a US business that lost more than $150,000 after an employee opened an attachment that had been sent in response to a job posting. Malware embedded in the attachment, a variant of the ZeuS/Zbot Trojan, then allowed the attacker to obtain the credentials of the person who was authorized to conduct online banking transactions within the company.

Simon Herring of Ubersecure writes:

The targets of these attacks are companies that have recently posted on job search sites. So what’s the connection? If you’ve posted a job opening, then it’s only logical that someone at the targeted business is expecting a resume or curriculum vitae (CV). They are, after all, trying to fill a vacant position. This means an email with an attached resume isn’t really “unsolicited email”, making it more likely to be opened by the recipient.

Over the past year or so, more and more attention has been placed on malware installation through social networks, shortened URLs, and other vectors. But email attachments continue to be a threat. So, it’s probably time to remind your staff that

  1. malware is still being passed around in email attachments;
  2. email scanners don’t always detect malware; and
  3. email attachments you might not consider to be ‘unsolicited’ might still be infected.


Jessica Holland
