NOW READ THIS
("Security Advisory")
Go Back
Submitted by: Bill Hickey
NCVA List Master
NRT-0284 Operation Targets Hundreds of Thousands of 'Monster.com' Users:
A 19 August press report indicated that the 46,000 people specified in reporting as being infected by ads on job sites look to be only a fraction of the victims of an ambitious, multistage operation that has stolen data belonging to several hundred thousand people who posted resumes on Monster.com. According to Symantec security analyst Amado Hidalgo, a new Trojan horse program called Infostealer.Monstres by Symantec has stolen more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide Inc.'s job search service. That data has been used to target the Monster.com users with credible phishing mail that plants more malware on their machines. The personal information stolen from Monster.com includes names, email addresses, home address, phone numbers, and resume identification numbers, said Hidalgo, who traced the data to a remote server used by the attackers to store the stolen information.
"We are investigating the reports related to this Trojan and will take any necessary steps indicated by that investigation," Monster.com spokesman Steve Sylven said on 19AUG in an email cited in the press.
Infostealer.Monstres operated against Monster.com by using legitimate log-ins, likely stolen from recruiters and human resource personnel who have access to the "Monster for Employers" areas of the site. ONce inside, the Trojan horse ran automated searches for resumes of candidates located in certain countries or working in certain fields. The results were then uploaded to the attackers' remote server.
"Such a large database of highly personal information is a spammer's dream," said Hidalgo. "The attackers first gather email addresses and other personal information from resumes posted to Monster.com with Infostealer.Monstres," Hidalgo said. "Next, they will try to infect the computers of those candidates by sending targeted Monster.com phishing mails which install [Banker.c or Gpcoder.e]."
The first piece of malware, dubbed Banker.c by Symantec, is a run-of-the-mill information- stealing Trojan horse that monitors the infected PC for log-ons to online banking accounts. When it sniffs a log-on in process, Banker.c records the username and password, then transmits the data back to the operation's dead drops.
Gpcoder.e is "ransomware," the name given to Trojan horses that encrypt files on the hacked computer, then hold those files hostage until the user pays a fee to unlock the data.
Infostealer.Monstres' built-in mailing code and template lets it send messages posing as missives from Monster.com straight to the job-site users it finds in its automated searches. Infostealer.Monstres' second-stage attack, which uses Gpcoder, is especially insidious. Realistic-looking emails that contain convincing personal information - the very information stolen from Monster.com - instruct the recipient to download a program called "Monster Job Seeker Tool." There is no tool, of course; victims download the ransomware Gpcoder.e instead.
Monster.com's Sylven defended the service's automated searches and said that although the company monitors database activity, stolen credentials have been used in the past to access the system. Moreover, he said, it is difficult to tell a valid automated search generated by a real person from one generated by software. "Many of our larger customers rely heavily on our database, and their use may be similar to programmatic or scripted access," said Sylven.
(ComputerWorld, 19AUG07)
Last Modified: Saturday, 08-Sep-2007 07:28:41 EDT