back to article Recruiters considered really harmful: Devs on GitHub hit with booby-trapped fake job emails

Recruiters are known to be a bit of a pain in the ASCII in the tech world – but how about these ones: bogus headhunters attempting to infect GitHub-using software developers. The miscreants have harvested email addresses for active GitHub accounts, and spammed the inboxes with booby-trapped job offers. These malicious messages …

  1. a_yank_lurker Silver badge


    I believe the default setting for MS Office is for macro execution to require permission/credentials to run since 2007. So either someone has changed the defaults to allow macros to run or have carelessly approved it to run.

    1. Anonymous Coward
      Anonymous Coward

      Re: Macros

      Never attribute to stupidity what can be properly attributed to Microsoft.

    2. phuzz Silver badge

      Re: Macros

      Viruses that rely on macros often have helpful instructions on how to turn macro execution back on (for example).

      I'm not sure how well that would work on the developers that this malware seems to be going after though.

  2. Neil Barnes Silver badge

    Not so much 'why's it still possible' as 'why was it ever...'

    I must be some sort of Luddite.

    After playing with computers for, what, forty years now, I *still* am unable to fathom why anyone, ever, thought it was a good idea to build software that allows this kind of thing. A word processor is for tangling/mangling words, not for downloading random software.

    Since Joe Public (and probably most Reg readers) lack the time, inclination, or ability to see what a macro is going to do once it's opened, they're going to click 'allow' anyway. It's not that Joe is stupid, it's that he doesn't expect what he gets: in his eyes, getting something like this from opening a document is on the same order of things as sticking bread in the toaster and getting a fried egg back. It's not something that should even be able to happen.

    1. VanguardG

      Re: Not so much 'why's it still possible' as 'why was it ever...'

      "Fortunately"...the surge in ransomware attacks has given many people a sharp poke to be wary of Word files, particularly, and Excel files to a lesser extent.

      Most developers (not *all*) are more savvy than your typical paper-shuffler, and will recognize legit offers will *not* come in an easily-edited form like a Word will come as a read-only PDF, so you can't bump the offered rate up a few points and then accept the more-agreeable offer.

      Macros just seem to me to be a bad idea from the outset...probably looked good on paper ("Your document can go out to the servers, or the Internet, and update the data in various cells so the results displayed are real time, not moment-in-time!"). And when it was dreamed up, the Internet wasn't really the omnipresent thing it is now. Credit to Microsoft for having the sense to disable it by default...but enabling it should be WAY harder than it is...or Microsoft should remove it entirely and make macro support an add-on.

    2. Shadow Systems Silver badge

      "Re: Not so much 'why's it still possible' as 'why was it ever...'

      "...sticking bread in the toaster and getting a fried egg back."

      Butbutbut! I've always cracked eggs into the toaster & gotten the magic smoke to escape, so why shouldn't I get eggs from my toast?

      *Crossed arms & comical hurrumph*

      Next you'll be telling me I'm not supposed to put puffer fish into the microwave so I get a nifty toy surprise in return!


      *Shakes a palsied fist*

      Let me keep those macros so I can eat my eggs!


      I'll get my coat, it's the one with the frog pills in the pockets...

  3. Anonymous Coward
    Anonymous Coward

    If you disconnect from the internet...

    * Before opening the doc, does the Macro / PowerShell payload run covertly in the background til reconnect, or does it fall over and fail?

    * Do PowerShell scripts run silently & invisibly?

    * Is it all done inproc in Word, if not what's the process name?

    1. diodesign (Written by Reg staff) Silver badge

      Re: If you disconnect from the internet...

      Your Qs can be answered by reading the linked-to blog post.

      1. You have to enable macros or run the macro. If you think this is a major hurdle, you haven't worked with people. The payload runs covertly out of sight. It waits (blocks) until the download is complete - google WebClient.DownloadFile().

      2. Yes.

      3. margin2601_onechat_word.exe


      1. Anonymous Coward
        Anonymous Coward

        'Your Qs can be answered by reading the linked-to blog post.'

        Cheers for the answers...

        1. Robert Carnegie Silver badge

          Re: 'Your Qs can be answered by reading the linked-to blog post.'

          I speculate you can expect at least the version number of the virus program to vary...

  4. spacecadet66

    Why are they pretending to be emails from recruiters?

    I mean, I would have thought they'd want people to actually open them.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022