Malware distributors can be pretty heartless. They usually target people when they’re most vulnerable to ensure their payloads do the maximum damage. From laying digital siege to a hospital’s computer infrastructure to scamming people who have lost a pet, they know how to hit where it hurts.
Unfortunately, those desperate for a new job are not exempt, as malware developers have found a way to exploit this stressful time to spread their wares.

What Is the Warmcookie Malware?
Warmcookie finds its way onto PCs after a victim is infected with a malicious app. The app downloads a Warmcookie DLL that creates a process in Windows that triggers every 10 minutes. Once it’s on someone’s PC, it sends information back to its host.
Warmcookie, by itself, is pretty standard fare when it comes to spyware. What makes it particularly nefarious is how it gets on your computer in the first place.

When a malware developer wants to get its payload onto someone’s computer, it usually acts upon that person’s emotions. Even the most rational person will lose their inhibitions once they’re tied up with emotion, and there are personality traits that make certain people easier to scam. Once logic is out of the window, malware distributors can get people to do what they would otherwise never dream of doing.
In this case, the malware developer is acting upon the emotional rollercoaster of job hunting. They prey on people who are likely desperate to land a job by giving them a fake job offer. This rush of excitement and nerves hinders the target’s judgment and makes them click on whatever the malware distributor wants.

According to a report by security research firm Elastic, Warmcookie spreads via an email telling the victim they’ve just been offered a job. In some cases, the malware distributor can harvest the target’s name and job title to make their email look very authentic. The email states that all the victim has to do is fill in a CAPTCHA to prove they’re a human, and they can gain access to the job offer.
Once the job seeker enters the CAPTCHA, the client downloads a JavaScript file that contains Warmcookie. From there, the malware can get to work.
What Does Warmcookie Do After Infecting a Computer?
As spyware, Warmcookie can keep tabs on what’s on a victim’s computer and send it back to the malware distributor. Some of its scarier attacks involve taking screenshots of your desktop using Windows' built-in tools and sending the photos to the attacker. Elastic did some tests with a control machine and managed to catch it sending images to an external server; the image above is one of these screenshots.
It can also harvest information about the computer it’s on by running Windows commands in the background and sending the information back to the host server. If asked to, it can install apps and services on the target computer without the victim’s knowledge.
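For defenders, the DLL that relaunches every 10 minutes is a pattern that can be hunted for. The following is an added example, not code from the article or from Elastic: it assumes the recurrence is implemented as a Windows scheduled task and reviews task XML in the format exported by `schtasks /query /xml`. The sample tasks are constructed, and the function names and the user-writable-path heuristic are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Heuristic (assumption): a task loading a DLL from a user-writable directory is unusual.
USER_WRITABLE = re.compile(r"\\(appdata|programdata|temp|users\\public)\\", re.I)
DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")

def interval_minutes(iso):
    """Convert an ISO 8601 time-only duration such as PT10M to minutes, else None."""
    m = DURATION.match(iso or "")
    if not m or not any(m.groups()):
        return None
    h, mi, s = (int(g or 0) for g in m.groups())
    return h * 60 + mi + s / 60

def review_task(name, xml_text, max_minutes=10):
    """Return a finding if the task repeats at least every max_minutes and
    runs a DLL (via rundll32 or by path) from a user-writable directory."""
    root = ET.fromstring(xml_text)
    found = [interval_minutes(e.text) for e in root.findall(".//t:Repetition/t:Interval", NS)]
    hits = [i for i in found if i is not None and i <= max_minutes]
    if not hits:
        return None
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", "", NS)
        line = f"{cmd} {exe.findtext('t:Arguments', '', NS)}".strip()
        runs_dll = "rundll32" in cmd.lower() or ".dll" in line.lower()
        if runs_dll and USER_WRITABLE.search(line):
            return {"task": name, "every_min": min(hits), "command": line}
    return None

def _task(interval, command, arguments):
    """Build a minimal constructed task definition for the demo."""
    return (f'<Task xmlns="{NS["t"]}"><Triggers><TimeTrigger><Repetition>'
            f'<Interval>{interval}</Interval></Repetition></TimeTrigger></Triggers>'
            f'<Actions><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')

SAMPLES = {  # constructed data, not taken from any real infection
    "UpdaterTask (constructed)": _task("PT10M", r"C:\Windows\System32\rundll32.exe",
                                       r"C:\ProgramData\Example\example.dll,Start"),
    "BrowserUpdate (constructed)": _task("PT1H", r"C:\Program Files\Example\update.exe", "/silent"),
    "Telemetry (constructed)": _task("PT10M", r"C:\Windows\System32\rundll32.exe",
                                     r"C:\Windows\System32\example.dll,Run"),
}

def hunt(tasks):
    """Review every exported task and return only the findings."""
    return [f for name, xml_text in tasks.items() if (f := review_task(name, xml_text))]

if __name__ == "__main__":
    print(hunt(SAMPLES))
```

A hit is a lead for review rather than proof of infection, since legitimate software can also schedule frequent tasks.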
How to Spot a Potential Fake Job Advert
If you receive an unsolicited email claiming to be from your employer, treat it with a grain of salt. People don’t usually offer jobs out of the blue, but the email may try to make you panic and click on it, for example by showing a countdown. If in doubt, ask your manager or HR about the email to see if it’s legitimate. Who knows? You may bring to light a social engineering ploy targeting the company where you work.
If you’re applying for jobs, job boards are a good way to find work. However, you need to double-check the companies you’re applying to before you send off your resumé. Ensure they fit the bill, look professional, and have been around for a good while. It’s a good idea to do this anyway to ensure you’re a good fit for the job, so it’s a good way to test the legitimacy of the job poster at the same time. Check out how to identify and avoid job posting scams for more information.
Malicious job postings can be cruel, as they’re deliberately capitalizing on people who are in an emotionally vulnerable spot. As such, the next time you’re on a job hunt or get a job offer in your inbox, be sure to treat it with caution before jumping in; it could contain something unexpected.