September 19, 2008
• Work-at-home scams escalate
• Innocents seduced into money laundering
• Access to personal checking a red flag
• Link: http://garwarner.blogspot.com/2008/09/careerbuilder-latest-digital.html
BIRMINGHAM, Ala. - The UAB (University of Alabama at Birmingham) Spam Data Mine reports that CareerBuilder.com, a reputable job search and employment company, has joined the list of brands targeted by a criminal who is stealing login credentials to their site by claiming to have a new Digital Certificate said to protect customers. UAB's Spam Data Mine collects millions of e-mail messages used to provide investigators with spam intelligence and determine new attack methods.
Researchers at the UAB Spam Data Mine have received more than 400 copies of the spam in the past 24 hours. The CareerBuilder.com malware was especially interesting, said Gary Warner, Director of Research in Computer Forensics.
"We've seen a long list of banks abused by this malware promising better security with Digital Certificates, but this is the first employment company targeted for this criminal's scam," Warner said. "By stealing CareerBuilder credentials the criminals will be able to make more believable job offers, and will be able to know who is actively seeking a job. They already have login credentials for banking sites, but they need to recruit more ‘Money Mules,' which is what investigators call the victims who are tricked into sending the money out of the country.
Warner's investigations, which he describes in his blog, CyberCrime & Doing Time, http://garwarner.blogspot.com/, have revealed that the same criminals stealing these CareerBuilder accounts are attempting to convince desperate job seekers to work as financial assistants. In fact, these financial assistants receive a commission for receiving stolen funds into their personal bank accounts and then transferring the funds to the criminals via Western Union or Money Gram.
Warner calls that "a sign that money laundering may be part of their new job."
Warner and his team of researchers have been tracking this malware family since May. The current campaign also links to work-at-home scams being hosted on the same IP addresses as the CareerBuilder malware.