Criminals Closing in on the Perfect Fake Resume Scam

Resume/CV scams have been around for a long time. In their primitive form, they operated like any other scattergun email attachment scam. They were randomly sent out to as many email addresses as possible with a simple subject line, a short message, and an attachment generally called ‘CV’ or ‘resume’.

By sheer luck, these phishing emails may have gotten into the inboxes of people who were actually looking for job applicants. When they did, the infected attachment had a better chance of being opened. Doing so would install some sort of malware on the victim’s computer. The good thing about this scam, at least from the perpetrator’s viewpoint, is that those victims interested in resumes are usually connected to some sort of network. They may be HR people in a company or organization, so, when the malware is put in place, the criminals could move into the network and take whatever it was they were interested in.

However, this more complex, information-gathering attack was not really what the first resume-based hackers were interested in. These criminals just wanted to get some quick money. They really only wanted to install malware that would enable them to get the victim’s banking information and take some or all of the money they had. But, others saw the value in penetrating corporate networks. They knew how valuable such information could be, and they understood the many ways it could be exploited.

Before discussing how this means of attack could be further weaponized, take a look at one of the current attacks that is making the rounds. It works like this.

xl attack

The accompanying spam email message is lacking in form and content, but here it is.


Yeah, the first indication that this is a bogus email is the blank space after “wonderful”. You may also wonder why a person in Canada would have a German-based email… but it could happen. However, there is a TA Appliance store in Kitchener and it does advertise job openings online.

Keep in mind that we are living in unusual times. Many people will be losing their jobs and, therefore, applying for new jobs. Recruiters will likely receive hundreds of applications for any advertised position and may just download the attached resumes to look at later. They may not even notice that the attachment is in the form of an .xls file. After all, it does have an appropriate name. Also notice that it is password protected, which, at least superficially, may give it an aura of authenticity. When they attempt to open the attachment, the victim will get this.


Entering the password brings up information on enabling macros.


If the victim follows the directions, the attack is launched. In the case of this attack, a banking Trojan (ZLoader) is put in place. In other, similar attacks, ransomware is deployed. The attackers may choose their type of attack depending on the size of the network they have infiltrated. They may make more money encrypting the files on a large network.

The weak point in these attacks is the enabling of macros. Most people realize they should not do this, but some may believe that the original file was simply protected in some way. The use of the .xls file and the addition of a password allowed the attachment to bypass some antivirus detection. Most malicious attachments deploy through .doc, .pdf, or .exe files. Antivirus programs are designed to check such attachment but not other file extensions.

Some fake resume attachments have been found posing as ISO files. These can be especially devious as an ISO file can contain .exe files that will install malware once the attempt is made to open the ISO attachment.

Recent fake resume scams have learned how to be persistent after being installed by writing entries to the registry. This will make the malware appear after every reboot. So it seems like most of the technical attributes of the resume scam seem to be in place. Only the social engineering component needs work.

If these attackers really want to penetrate a particular corporate or institutional network, they will need to find a job opening being advertised by the targeted enterprise. They will then need to write a relevant cover letter for the position. The attachment icon needs an appropriate name. The cover letter could explain why the resume was password protected and even give a rationale for enabling macros. My guess is that a hacker using such a strategy would have a better than average chance of having this resume opened.

In fact, a legitimate resume could be used to hide malware. LinkedIn has numerous resumes to choose from. They could also use the site to find job announcements, but a targeted company may already have job openings listed on their company site. It is rather common for attackers to target HR departments with fake resumes, but not so common for specific jobs to be targeted. That would be the real key to a successful attack.

In short, hackers are on the verge of developing the near perfect fake resume scam. HR departments need to be more vigilant than ever as these scams can only be stopped by mistrusting the attachments, and these attachments are getting better and better at hiding the malware that may be associated with them. In other words, the future does not look good for HR departments and organizations in general. I expect to see a significant increase in ransomware attacks as criminals begin to realize that this is where the real money is and their techniques improve. And don’t forget. In the time of COVID-19, a lot of people will be looking for work. Resumes will be everywhere.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s