By Richard Koman / Top Tech News. Updated August 22, 2007.
Hackers have stolen the personal information of several hundred thousand users of the Monster.com career Web site, a Symantec researcher has discovered. The thieves used a Trojan, called Infostealer.Monstres, to obtain information from approximately 1.6 million resumes uploaded to the site by jobseekers.
"The Trojan appears to be using the (probably stolen) credentials of a number of recruiters to log in to the Web site and perform searches for resumes of candidates located in certain countries or working in certain fields," Symantec security analyst Amado Hidalgo wrote in an alert. According to Hidalgo, the Trojan parses the information in the search results and uploads the personal details to a remote server. Compromised information includes name, surname, e-mail address, country, home address, phone numbers, and resume ID.
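The alert does not say how, or whether, the site could have noticed this, but the behaviour Hidalgo describes (a legitimate recruiter account, driven by a script, pulling resumes far faster than a person reads them) leaves a signature in ordinary web-server logs. The following is an added example, not Symantec's or Monster.com's code. It assumes an Apache-style access log with the authenticated account in the third field and a `/recruiter/resume/<id>` URL layout, both invented for the illustration, and runs two checks over constructed log lines: a sliding-window count of successful resume fetches per account, and source IPs that authenticate as more than one recruiter account (a generic credential-abuse signal, not something the article states happened here).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache-style access log with the authenticated account in the third field.
# Every line below is constructed for this example; none is a real Monster.com record.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
RESUME_RE = re.compile(r"^/recruiter/resume/\d+$")   # assumed URL layout, not Monster's


def _line(ip, user, clock, path, status=200):
    """Build one constructed log line for the sample data."""
    return f'{ip} - {user} [22/Aug/2007:{clock} +0000] "GET {path} HTTP/1.1" {status} 4410'


SAMPLE_LOG = [
    _line("203.0.113.7", "recruiter_a", "09:00:01", "/recruiter/search?country=US&field=finance"),
    # recruiter_a pulls 12 resumes in 12 seconds: machine speed, not a human
    *[_line("203.0.113.7", "recruiter_a", f"09:00:{s:02d}", f"/recruiter/resume/{1000 + s}")
      for s in range(2, 14)],
    _line("203.0.113.7", "recruiter_a", "09:00:20", "/recruiter/resume/9999", 404),  # not a hit, ignored
    # a second recruiter account driven from the same source IP
    _line("203.0.113.7", "recruiter_c", "09:01:10", "/recruiter/resume/2001"),
    _line("203.0.113.7", "recruiter_c", "09:01:15", "/recruiter/resume/2002"),
    # a normal-looking recruiter: a handful of views spread over half an hour
    _line("198.51.100.5", "recruiter_b", "09:05:00", "/recruiter/search?country=UK"),
    _line("198.51.100.5", "recruiter_b", "09:05:30", "/recruiter/resume/3001"),
    _line("198.51.100.5", "recruiter_b", "09:12:00", "/recruiter/resume/3002"),
    _line("198.51.100.5", "recruiter_b", "09:30:00", "/recruiter/resume/3003"),
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for junk (never raise on log noise)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def find_scrapers(lines, max_views=10, window_seconds=60):
    """Accounts whose successful resume fetches exceed max_views in any window_seconds span.

    Returns {account: peak_views_in_window}. Events are sorted by time first, so
    out-of-order log lines do not defeat the sliding window.
    """
    events = [e for e in map(parse_line, lines)
              if e and e["status"] == 200 and RESUME_RE.match(e["path"])]
    events.sort(key=lambda e: e["ts"])
    recent, peak = defaultdict(deque), defaultdict(int)
    for e in events:
        q = recent[e["user"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                      # drop views that fell out of the window
        peak[e["user"]] = max(peak[e["user"]], len(q))
    return {u: n for u, n in peak.items() if n > max_views}


def find_shared_ips(lines, min_accounts=2):
    """Source IPs that authenticated as min_accounts or more distinct recruiter accounts."""
    users_by_ip = defaultdict(set)
    for e in map(parse_line, lines):
        if e and e["user"] != "-":
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_accounts}


if __name__ == "__main__":
    print("bulk fetchers:", find_scrapers(SAMPLE_LOG))
    print("IPs shared across accounts:", find_shared_ips(SAMPLE_LOG))
```

The thresholds are deliberately loose; the point is that a scripted client working through search results fetches resumes in a tight burst, and that a per-account rate limit enforced at the application (rather than a per-IP one, which infected recruiter machines would each pass) is what caps how much one stolen credential can yield.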
Hidalgo said the data cache is a "spammer's dream" and that the Trojan can be used to send spam using a downloadable e-mail template. The new Trojan is very similar to an earlier one, Trojan.Gpcoder.E, "which may indicate the same hacker group is behind both Trojans," Hidalgo said. Both Trojans spread by sending phishing e-mail purporting to come from Monster.com. For instance, Gpcoder sent e-mail requesting that the recipient download a new job search tool, which was in fact a copy of the Trojan.
The Dark Side of Networking
The attack on Monster is just one of several incidents that show that networking sites are fertile ground for spammers, hackers, and other criminals. Last week, security firm Sophos reported that a large number of Facebook users were willing to expose their personal information to strangers. The firm created a Facebook profile for a small plastic frog and invited 200 people to be friends. Eighty-seven users took the frog up on the offer and most of those revealed date of birth, home address, e-mail addresses, and school and work information.
A user's Facebook profile "provides many of the essential elements needed to gain access to people's personal accounts," Sophos researcher Ron O'Brien said. It also provides plenty of information for hackers to design targeted malware and phishing e-mails, he said.
These developments are proof "you still need to be vigilant about how much data you put up there," said Andrew Storms, a security analyst at nCircle. "In the larger sense, this will be an ongoing problem until people realize the data you put in is not totally trusted to never leave that installation."
The Dangers of Spear Phishing
In the Monster.com attack, Storms said, the hackers appear to have used a phishing e-mail to obtain the logins of several employers. With those logins, the Trojan spidered Monster.com and sent the data off to a remote server. The stolen data was then used for "spear phishing" -- highly targeted phishing attacks that include the recipient's own personal information -- to get more people to run the Trojan and infect more users.
"We are investigating the reports related to this Trojan and will take any necessary steps indicated by that investigation," Monster.com spokesperson Steve Sylven said Sunday.
Storms speculated that, going forward, Monster.com would implement some scheme by which unique identifying information is included in outbound e-mails. Typically, users can click on a link that will positively verify that the e-mail is genuine, Storms said.
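One concrete form of the scheme Storms describes is a keyed message authentication code carried in the link: the site derives a tag from the recipient's ID, a per-message ID and an expiry time using a secret only the site holds, and the landing page recomputes the tag before declaring the mail genuine. This is an added example of that idea, not Monster.com's actual mechanism (the article does not describe one); the domain, query-parameter names and function names are invented for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side secret; in production this lives in a KMS/HSM, not in code.
SERVER_KEY = secrets.token_bytes(32)


def _tag(user_id, message_id, expires):
    """HMAC-SHA256 over the fields the link binds together (hypothetical layout)."""
    msg = f"{user_id}|{message_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_verify_link(user_id, message_id, ttl_seconds=7 * 86400, now=None):
    """Build the verification URL the site would embed in an outbound e-mail."""
    expires = int(now if now is not None else time.time()) + ttl_seconds
    params = {"u": user_id, "m": message_id, "e": expires,
              "t": _tag(user_id, message_id, expires)}
    return "https://example.invalid/verify?" + urlencode(params)   # example.invalid: assumed host


def verify_link(url, now=None):
    """True only if the tag matches and the link has not expired.

    Anything malformed (missing field, non-numeric expiry) is rejected rather than
    raising, and the comparison is constant-time so the tag cannot be guessed byte by byte.
    """
    q = parse_qs(urlparse(url).query)
    try:
        user_id, message_id = q["u"][0], q["m"][0]
        expires, tag = int(q["e"][0]), q["t"][0]
    except (KeyError, IndexError, ValueError):
        return False
    if (now if now is not None else time.time()) > expires:
        return False
    return hmac.compare_digest(tag, _tag(user_id, message_id, expires))


if __name__ == "__main__":
    genuine = make_verify_link("user123", "msg-42")
    forged = genuine.replace("msg-42", "msg-43")        # phisher edits a field, lacks the key
    print("genuine verifies:", verify_link(genuine))
    print("forged verifies:", verify_link(forged))
```

The tag proves only that whoever generated the mail held the server key; it does nothing for a user who follows a look-alike link to a phisher's copy of the page. The verification page must therefore never ask for a password, and the safer habit the mail should teach is to open the site by typing its address and check the message there, which the per-message ID makes possible without any link at all.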
Because resumes don't typically include Social Security or driver's license numbers, Monster.com users probably don't have to worry about their financial accounts, Storms said. They should be more worried about who has their e-mail address, phone number, and home address.
"If you have concerns, you should trust your concerns," he said. "Don't put all your personal information out there." Concerned users should contact Monster.com, he said, and ask whether their information was compromised and whether the company plans to provide help.