Cybercriminals use malware-laced CVs to steal banking credentials

(Image credit: Shutterstock)

Security researchers have discovered malicious files masquerading as CVs online that lure victims into giving up their banking passwords and other financial information.

According to Check Point, the malicious Microsoft Excel files were sent via email with subject lines such as “applying for a job” or “regarding job”. When victims open the attached files, they are asked to “enable content” and this allows for the ZLoader malware to be installed on their computers. This banking malware is designed to steal credentials and other private information from users of targeted financial institutions.

The malware also has the ability to steal any passwords and cookies stored in victim's web browsers. Using this stolen information, cybercriminals can then connect to the victim's system and make illicit financial transactions from the banking user's legitimate device.

Check Point researchers have recently seen an increase in CV-themed scams in the US. During the past two months, the number of malicious files in CVs doubled with 1 out of 450 malicious files identified related to a CV file as cybercriminals try to exploit layoffs and remuneration schemes during the pandemic.

Malicious medical leave forms

In addition to CVs containing malicious files, Check Point researchers also found an increase in malicious medical leave forms circulating online.

The documents, which use names such as “COVID -19 FLMA Center.doc”, infect victims with the IcedID banking malware that targets banks, payment card providers, mobile service providers and e-commerce sites.

The aim of this malware is to try and trick users into submitting their credentials on a fake page as well as their authorization details that can be used to compromise user accounts. These malicious files were sent via email with the subject line “The following is a new Employee Request Form for leave within the Family and Medical Leave Act (FMLA)”. To lure victims into opening these forms, cybercriminals sent them from different sender domains like “”.

Manager of data intelligence at Check Point, Omer Dembinsky provided further insight on the findings of the company's researchers, saying:

“As unemployment rises, cyber criminals are hard at work. They are using CVs to gain precious information, especially as it relates to money and banking. I strongly urge anyone opening an email with a CV attached to think twice. It very well could be something you regret.”

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.