BreachExchange mailing list archives

Hackers Are Targeting Employers Looking To Hire


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 11 May 2015 18:40:54 -0600

http://www.forbes.com/sites/josephsteinberg/2015/05/11/hackers-are-targeting-employers-looking-to-hire-here-is-what-you-need-to-know/

Businesses that are looking to hire employees make great targets for
hackers, so, whether you are an entrepreneur running a small business, the
HR director of a large multi-national firm, or someone looking for a job,
you should be aware of the following:

The hiring process is inherently risky. Businesses need to expend time and
money searching for appropriate, qualified candidates – sometimes under
pressure to fill a particular position or set of positions before some
deadline. In most cases, the process of recruiting also necessitates that a
business carry out electronic communications – often primarily by email –
with parties with which it has never corresponded before. Hiring managers
may be forced to open email attachments from untrusted parties sending in
resumes, or, if they refuse to take such risks, may end up overlooking
great applicants.

As one would expect, these factors combine to open the door for
cyberattacks. In the case of small businesses the problem is exacerbated by
the fact that organizational budgets often preclude having an
information-security team involved in the design of the recruiting process
and its associated technology. Hackers know about this weakness – and seek
to exploit it.

So, here are several pieces of advice to help keep you safe when you are
recruiting. If you are looking for a job, understanding these points may
also help you ensure that the firm to which you are applying actually
receives and reviews your CV:

1. Whenever possible avoid having resumes sent to you as Word documents.
There is a plethora of attacks that can be carried out via materials
embedded in Word documents, and, while regular patching, malware scanning,
and maintaining strict security settings can address the majority of them,
why take chances when you don’t have to? There are other formats that are
less risky: While text included in the body of an email message is ideal,
for various technical reasons, PDFs are also likely a better alternative
than Word documents. Depending on the nature of the open position that you
are seeking to fill, you may not even require that candidates submit
resumes: links to a LinkedIn profile or the like may suffice. On
that note, however:

2. Do not click links to social media profiles that candidates send you via
email or text; it is simple for a hacker to send you an email applying for
a job with a link that is mislabeled (e.g., it displays in the email as
“http://www.linkedin.com/in/SomeName” but really links to
http://www.RogueSite.com) or that varies slightly from the name of a real
social media site (e.g., something of the form of
http://www.linnkedin.com/in/JosephSteinberg or the like), and which points
to a rogue site that delivers malware to your system. If you want
candidates to be able to direct you to their social media profiles either:

- Have them spell out the full link and manually enter it into your browser.
In my case, you’d want me to write
https://www.linkedin.com/in/josephsteinberg not create a link that says
“Here is a link to my LinkedIn Profile.”
- Ask them for their handles, rather than links, when appropriate. For me
that would mean @JosephSteinberg for my Twitter account, rather than
https://www.twitter.com/josephsteinberg. Manually enter the handle in
the social media platform search bar. Do not click links.
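The two tricks described in point 2, a display text that does not match the real destination and a near-miss domain, can both be checked mechanically before anyone clicks. The following is an added example, not code from the article or from any recruiting product: it parses the anchors out of an HTML e-mail body, flags anchors whose visible text looks like a URL but points at a different host, and flags hosts within a small edit distance of a known social-media domain. The allow-list `KNOWN_HOSTS`, the distance threshold of 2 and the sample message are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Social-media hosts a recruiter expects to see in candidate links.
# Constructed allow-list for this example; adapt it to your own process.
KNOWN_HOSTS = {"linkedin.com", "twitter.com", "about.me"}


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url):
    """Lower-cased host with a leading 'www.' removed; '' if unparsable."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains (linnkedin vs linkedin)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, text):
    """Return the list of findings for one anchor (empty if nothing looks off)."""
    findings = []
    href_host = registrable_host(href)
    # Trick 1: the visible text is itself a URL, but for a different host.
    if re.match(r"^(https?://|www\.)", text, re.I):
        if registrable_host(text) != href_host:
            findings.append("display text and destination host differ")
    # Trick 2: the destination is a near-miss of a well-known site.
    if href_host not in KNOWN_HOSTS:
        for known in sorted(KNOWN_HOSTS):
            if 0 < edit_distance(href_host, known) <= 2:
                findings.append(f"host resembles {known}")
    return findings


def audit_email_html(html):
    """Map each suspicious href to its findings; clean anchors are omitted."""
    parser = _AnchorCollector()
    parser.feed(html)
    return {href: f for href, text in parser.anchors if (f := classify_link(href, text))}


# Constructed sample message modelled on the article's two examples.
SAMPLE = """<p>Please see my profiles:
<a href="http://www.RogueSite.com/in/SomeName">http://www.linkedin.com/in/SomeName</a>
<a href="http://www.linnkedin.com/in/JosephSteinberg">LinkedIn</a>
<a href="https://www.linkedin.com/in/josephsteinberg">LinkedIn</a></p>"""

if __name__ == "__main__":
    for href, findings in audit_email_html(SAMPLE).items():
        print(href, "->", "; ".join(findings))
```

Run against the constructed sample, the first two anchors are reported and the genuine LinkedIn link is not. A check like this belongs in the mail gateway or in a triage tool; it does not replace the article's advice to type links by hand, since an attacker can also register a domain that no distance metric flags.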

3. Some have suggested that people utilize social media profile link
consolidators (e.g., about.me, etc.) to provide potential employers with
complete lists to all of their social media profiles. While I do use such a
service, I’m not convinced that it is a good idea for organizations to rely
on the use of such sites on their own to address the security risks of
links to social media profiles, so, if you do receive such a link:

- Do not click the link – instead enter it manually.
- If the link is to some site that you don’t recognize as a social media
index site – maybe ask the sender to send you direct links and forgo the
consolidator site altogether.
- Beware the links on the site – you really should not click them; enter
them manually as well. On some sites it is possible for hackers to create a
profile containing links to rogue sites.

Because of this, I prefer to ask a job applicant previously unknown to me
to send, as text via email, the list of any social media profiles that he or
she wishes to share with me.

4. Do not treat communications from a job website as secure. As is the case
with most verticals, there have been multiple security problems found on
job hunting and placement sites; most recently the CareerBuilder.com
website was found to have been sending “resumes” containing sophisticated
malware to companies posting open jobs. The attack is believed to have been
carried out by hackers who literally “applied” for jobs posted on the
website and uploaded “poisoned” CVs to be sent by CareerBuilder to the
companies posting the positions. Other job recruiting websites have also
been found to be vulnerable to various attacks, so always proceed with
caution. If something seems off, it might be.

5. If you create some proprietary system that allows people to apply for
jobs via your website, and want them to submit resumes, consider having
them submit text in a text box, rather than attaching a file that may turn
out to be infected. Of course use good secure coding practices to ensure
that the site itself does not become a gateway for crooks into your
organization. It is true that text does not show a candidate’s style as
well as a formatted document – but, if the person does end up coming in for
an interview, or if you speak with him or her by phone, you can always ask
him or her to bring/send you a formatted version. By that point, you’ll
have a much better idea about the person’s identity and trust level.

6. While some have suggested that an ideal way to address these risks is by
asking candidates to fax or mail their resumes, rather than submit them via
email, from a practical standpoint such approaches are severely outdated,
and can both complicate the recruiting process and scare away excellent
candidates. It should be noted that asking candidates to fax their resumes
to a fax-to-email service does not eliminate the security risks either, as
there are plenty of criminals sending malware that impersonates fax-bearing
emails from such services.

Of course, risk levels may also be reduced by using a recruiting agency
(e.g., a headhunting firm) – many of which edit resumes before sending – or
if you are dealing strictly with candidates whom you know. But even in
these cases, of course, all emails should be subject to virus scans.
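Points 1 and 5 and the closing sentence all come back to the same control: an attachment that arrives as a Word file should be inspected before anyone opens it. The following is an added example, not code from the article: a triage function that treats a .docx as the zip container it is and reports the parts that mean the file carries more than text (a `word/vbaProject.bin` macro part, embedded or ActiveX objects, a macro-enabled content type, or a relationship whose target lies outside the package, such as a remotely attached template). The part names and relationship types are the standard OOXML ones; the `build_sample` helper, the `example.invalid` URL and the threshold of what counts as suspect are assumptions constructed for the example, and the sample files it builds are minimal zip layouts, not real Word output.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# OOXML package parts that mean a .docx carries executable or embedded content.
SUSPECT_PREFIXES = ("word/vbaProject", "word/embeddings/", "word/activeX/")
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
HYPERLINK_TYPE = OFFICE_REL + "hyperlink"
MAIN_TYPE_PLAIN = ("application/vnd.openxmlformats-officedocument."
                   "wordprocessingml.document.main+xml")
MAIN_TYPE_MACRO = "application/vnd.ms-word.document.macroEnabled.main+xml"


def docx_risk_findings(data):
    """Inspect a .docx given as bytes and list reasons not to open it as-is.

    Returns an empty list for a text-only document with no external targets.
    """
    findings = []
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return ["not a zip container (not a .docx, or a disguised file)"]
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        names = zf.namelist()
        if "word/document.xml" not in names:
            findings.append("missing word/document.xml")
        # Macro, embedded-object and ActiveX parts are named by convention.
        findings += [f"contains {n}" for n in names if n.startswith(SUSPECT_PREFIXES)]
        # The content-type registry declares macro-enabled documents explicitly.
        ctypes = ""
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if "macroEnabled" in ctypes or "vbaProject" in ctypes:
            findings.append("content types declare macro parts")
        # Relationships with TargetMode="External" reach outside the package.
        # Ordinary hyperlinks are external too, so only other types are reported.
        for name in (n for n in names if n.endswith(".rels")):
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append(f"{name}: malformed relationships XML")
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type") != HYPERLINK_TYPE:
                    findings.append(f"{name}: external target {rel.get('Target')}")
    return findings


def build_sample(macro=False, external_template=None):
    """Build a minimal .docx-shaped zip in memory (constructed sample, not real Word output)."""
    rels = [f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" '
            f'Target="https://www.linkedin.com/" TargetMode="External"/>']
    if external_template:
        rels.append(f'<Relationship Id="rId2" Type="{OFFICE_REL}attachedTemplate" '
                    f'Target="{external_template}" TargetMode="External"/>')
    main_type = MAIN_TYPE_MACRO if macro else MAIN_TYPE_PLAIN
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f'<Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels",
                    f'<Relationships xmlns="{REL_NS}">{"".join(rels)}</Relationships>')
        if macro:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder macro part
    return out.getvalue()


if __name__ == "__main__":
    print("plain:", docx_risk_findings(build_sample()))
    print("suspect:", docx_risk_findings(
        build_sample(macro=True, external_template="http://example.invalid/t.dotm")))
    print("pdf-like:", docx_risk_findings(b"%PDF-1.4 not a zip"))
```

The function is a structural check, not a malware scanner: it says whether a resume is the plain text-bearing document a recruiter expects, and anything that is not can be routed to the existing scanning or sandboxing step rather than straight to a hiring manager's desktop.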
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/