"NATO vacancies" phishing email also leads to malware
Posted on 21.05.2013
An interesting and very comprehensive phishing and malware-delivery campaign has been spotted by Webroot researchers.


The attackers are posing as the chief of NATO's Human Resources Division, sending out an email that describes a number of supposed job openings (with huge salaries) at the international organization and urges recipients to apply.

Unfortunately, in order to do so they are instructed to fill out a fake NATO Employment Application Form and a fake Interview Form, which ask them to share extremely personal and very sensitive information such as name, address, telephone and cell phone number, email address, marital status, date of birth, information on their children (if they have any), education, other skills, employment history, and much, much more.

In fact, the whole scheme looks like a very thorough intelligence gathering operation.

"The Employment Application Form requires details on the Security Clearance, Level and Expiration Date of the prospective employee, as well as details on whether or not an application has any civilian or military relatives, currently working for NATO. Furthermore, potential applicants would also need to provide detailed information on their whereabouts abroad, such as country, reason for visiting and the exact dates," says Dancho Danchev. "Needless to say that someone's looking for the very best in sensitive and personally identifiable information, from the socially engineered prospective employees."

And then, for the finishing blow, the applicants receive a positive response from "NATO", informing them that they are invited to "contact Director of training institute via email: (training@nspa-nato.int.tf or training@usnato-hr.org) For Registration and Training details."

According to Danchev, the above-mentioned domains (usnato-hr.org and spa-nato.int.tf) respond to the same IPs as a number of fake domains (meant to impersonate PayPal, the FBI, eBay, and others), and all of them redirect to sites hosting the Blackhole exploit kit and other client-side exploits.

The users who contact the aforementioned email addresses are more than likely sent to the booby-trapped fake domains and end up with malware on their computers.

Danchev doesn't say whether the campaign is widespread or targeted, but I suppose that the fake job openings have a way of culling out unwanted applicants / targets, so you could say that it is targeted in a way, and this makes me very curious as to who's behind it.









Copyright 1998-2014 by Help Net Security.