“NATO vacancies” phishing email also leads to malware

An interesting and very comprehensive phishing and malware-delivery campaign has been spotted by Webroot researchers.

The attackers are posing as the chief of NATO’s Human Resources Division, sending out an email that tells about a number of supposed job openings (with huge salaries) at the international organization, and urges recipients to apply.

Unfortunately, in order to do so they are instructed to fill out a fake NATO Employment Application Form and a fake Interview Form, which asks them to share extremely personal and very sensitive information such as name, address, telephone and cell phone number, email address, marital status, date of birth, information on their children (if they have any), education, other skills, employment history, and much, much more.

In fact, the whole scheme looks like a very thorough intelligence gathering operation.

“The Employment Application Form requires details on the Security Clearance, Level and Expiration Date of the prospective employee, as well as details on whether or not an application has any civilian or military relatives, currently working for NATO. Furthermore, potential applicants would also need to provide detailed information on their whereabouts abroad, such as country, reason for visiting and the exact dates,” says Dancho Danchev. “Needless to say that someone’s looking for the very best in sensitive and personally identifiable information, from the socially engineered prospective employees.”

And then, for the finishing blow, the applicants receive a positive response from “NATO”, informing them that they are invited to “contact Director of training institute via email: (training@nspa-nato.int.tf or training@usnato-hr.org) For Registration and Training details.”

According to Danchev, the above-mentioned domains (usnato-hr.org and nspa-nato.int.tf) resolve to the same IPs as a number of fake domains (meant to impersonate PayPal, the FBI, eBay, and others), and all of them redirect to sites hosting the Blackhole exploit kit and other client-side exploits.
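The two observations above, brand-impersonating domains in the lure and shared hosting with other fake domains, are exactly what a defender can pivot on. The following Python script is an added example (not code from the article or from Webroot) that extracts the contact domains from the lure text, flags any that contain the NATO brand but do not belong to the legitimate nato.int domain, and then reports which other domains in a passive-DNS style table resolve to the same IP. The resolution table, the IP addresses (TEST-NET ranges) and the `.example` lookalike domains are constructed for the demonstration; only nspa-nato.int.tf and usnato-hr.org come from the article.

```python
import re

# Constructed sample: the invitation text quoted in the article, plus a
# legitimate-looking sender address added for contrast.
SAMPLE_EMAIL = """Congratulations. Please contact Director of training institute via email:
(training@nspa-nato.int.tf or training@usnato-hr.org) For Registration and Training details.
Regards, hr@hq.nato.int"""

# Constructed passive-DNS style records (domain -> IP). The IPs are from the
# reserved TEST-NET ranges and the *.example domains are hypothetical; in practice
# this table would come from a passive-DNS feed or your own resolver logs.
SAMPLE_RESOLUTIONS = {
    "nspa-nato.int.tf": "203.0.113.10",
    "usnato-hr.org": "203.0.113.10",
    "paypal-secure-login.example": "203.0.113.10",
    "fbi-notice.example": "203.0.113.10",
    "nato.int": "198.51.100.5",
}

# Assumption: nato.int is the organisation's real registrable domain.
LEGITIMATE_DOMAINS = {"nato.int"}
BRAND_KEYWORDS = ("nato",)

# Captures the domain part of any e-mail address in free text.
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def extract_domains(text):
    """Return the sorted, de-duplicated set of e-mail domains found in text."""
    return sorted({m.group(1).lower() for m in EMAIL_RE.finditer(text)})


def registrable_domain(domain):
    """Last two labels of a domain. Simplification: a production check should
    use the public suffix list so that e.g. co.uk is handled correctly."""
    labels = domain.split(".")
    return ".".join(labels[-2:])


def is_brand_lookalike(domain):
    """True if the domain mentions the brand but is not one of its real domains."""
    if registrable_domain(domain) in LEGITIMATE_DOMAINS:
        return False
    return any(keyword in domain for keyword in BRAND_KEYWORDS)


def cohosted_domains(resolutions, domain):
    """Other domains in the table that resolve to the same IP as `domain`."""
    ip = resolutions.get(domain)
    if ip is None:
        return []
    return sorted(d for d, i in resolutions.items() if i == ip and d != domain)


def analyse_email(text, resolutions):
    """Map each lookalike contact domain in the lure to its co-hosted neighbours.
    A lookalike sharing an IP with PayPal/FBI impersonation domains is a strong
    signal that the whole cluster belongs to one malicious operator."""
    findings = {}
    for domain in extract_domains(text):
        if is_brand_lookalike(domain):
            findings[domain] = cohosted_domains(resolutions, domain)
    return findings


if __name__ == "__main__":
    for domain, neighbours in analyse_email(SAMPLE_EMAIL, SAMPLE_RESOLUTIONS).items():
        print(f"{domain}: lookalike, co-hosted with {', '.join(neighbours) or 'nothing else'}")
```

Run stand-alone, the script reports both contact domains from the lure as lookalikes and lists the PayPal and FBI impersonation domains sitting on the same IP, while hq.nato.int passes because its registrable domain is the real one. The IP pivot is the reusable part: once one domain in a cluster is confirmed malicious, everything else on that IP becomes a candidate for blocking or closer review.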

The users who contact the aforementioned email addresses are more than likely sent to the booby-trapped fake domains and end up with malware on their computers.

Danchev doesn’t say whether the campaign is widespread or targeted, but I suppose that the fake job openings have a way of culling out unwanted applicants / targets, so you could say that it is targeted in a way, and this makes me very curious as to who’s behind it.
