Recruitment Site Monstered by Trojan

By Greg McNevin

August 23, 2007: Security researchers have discovered what is possibly the largest repository of stolen personal information to date, with 1.6 million entries on over 100,000 Monster.com users found on a server being used by a new Trojan.

According to Symantec security analyst Amado Hidalgo, the Trojan, dubbed Infostealer.Monstres, was detected accessing the Monster.com recruitment site and simultaneously uploading pilfered data to a remote server.

Hidalgo claims that the malware uses the hiring.monster.com and recruiter.monster.com subdomains to connect to the restricted “Monster for Employers” section of the website. Once there, it uses stolen recruiter credentials and “sends HTTP commands to the Monster.com Web site to navigate to the Managed Folders section,” according to a post made by Hidalgo on Symantec’s security blog. “It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter’s saved searches.”

Job candidate details such as full names, email addresses, country, home address, work/mobile/home phone numbers and resume ID were lifted from the site, a valuable score for the cyber criminals behind the breach.

“Such a large database of highly personal information is a spammer's dream,” writes Hidalgo on the Symantec blog. “In fact, we found the Trojan can be instructed to send spam email using a mail template downloadable from the command & control server.”

And if the latest wave of job-related spam over the last few days is anything to go by, the breach has proved to be quite a coup for the spammers behind the scam.

Unfortunately, the problems do not stop there as the breach goes beyond just data theft.

“Adding to the mess, Trojan.Gpcoder.E has reportedly been sent in Monster.com phishing emails. The emails use the personal information to fool users into downloading a Monster Job Seeker Tool, which is, in reality, Trojan.Gpcoder.E,” adds Hidalgo.

“These emails were very realistic, containing personal information of the victims. They requested that the recipient download a Monster Job Seeker Tool, which in fact was a copy of Trojan.Gpcoder.E. This Trojan will encrypt files in the affected computer and leaves a text file requesting money to be paid to the attackers in order to decrypt the files.”

Symantec has already informed Monster.com of the compromised accounts; however, it advises that users protect their identities by limiting the contact information posted on recruitment sites, using a separate, disposable email address, and never disclosing sensitive details such as Social Security numbers, passport or driver’s license numbers, or bank account information until employers are confirmed to be legitimate.
