ScamFraudAlert  


#1  scamwatcher10 (Member), 08-21-07, 03:30 PM
Monster Trojan Monsters Job Seekers' Records

Monster Trojan monsters job seekers' records | The Register

Monster Trojan monsters job seekers' records
Mommy, there's a horse under my bed
By Austin Modine in Mountain View

Published Tuesday 21st August 2007 02:33 GMT



Monster.com suffered a major data breach at the weekend, with a Trojan horse stealing more than 1.6 million records from the job search site's database.

Symantec's Security Response blog reports the Trojan, called Infostealer.Monstres, can steal sensitive information from Monster.com by using employer accounts which have presumably been compromised by an attacker.

"Such a large database of highly personal information is a spammer's dream," Symantec security analyst Amado Hidalgo wrote in the blog.

Using the stolen account, the Trojan logs into Monster.com job recruiter website and searches for all available resumes, potentially lifting the name, email address, home address and phone numbers of its victims. The program then attempts to post the stolen information on a remote server controlled by the attacker.

From Symantec's blog:

The Trojan sends HTTP commands to the Monster.com Website to navigate to the Managed Folders section. It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter's saved searches.

The security firm reports the attackers have stolen over 1.6 million entries on the site, with personal information belonging to several hundred thousand individuals, mostly based in the US.

The main file used by the Trojan is ntos.exe, an executable also commonly used by Trojan.Gpcoder.E, a similar piece of malware. The Trojans share the Monster.com logo for the executable icon - leading Symantec to speculate the same group is behind both.

Adding to the mess, Trojan.Gpcoder.E has reportedly been sent in Monster.com phishing emails. The emails use the personal information to fool users into downloading a Monster Job Seeker Tool, which is, in reality, Trojan.Gpcoder.E.

This nasty executable encrypts files in the affected computer — and leaves a text file demanding the victim pay the attackers in order to recover the data.

Unfortunately, even a massive data security breach such as this one has become commonplace in recent years. Security watchgroup Privacy Rights Clearinghouse lists 18 data breaches in the US this month alone - not counting Monster.com. According to the organization, 159 million records containing sensitive personal information have been compromised in the US by security breaches since 2005.

Symantec has told Monster.com of the compromised recruiter accounts so they can be disabled. In the meantime, Symantec advises users not to publish personal information on the site - particularly Social Security numbers. Users should use a separate disposable email address and avoid giving sensitive details until the prospective employer has been established as legitimate.

The firm also recommends that users observe basic security practices, such as keeping their computers up to date; configuring their email to block attachments commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files; and, of course, never executing software that doesn't come at their request or hasn't been scanned for viruses first. ®
#2  Scrub (Administrator), 08-22-07, 09:35 PM
Re: Monster Trojan monsters job seekers' records

Damn... what a mess...
#3  Scrub (Administrator), 08-24-07, 10:41 AM
Monster.com Shuts Down Data Cache

Monster.com Trojan Recruits Money Launderers From Victim Pool
August 22, ComputerWorld

The Trojan responsible for stealing more than 1.6 million personal records from Monster.com uses that information to build targeted spam that offers recipients lucrative, but illegal, money laundering jobs, said Symantec Corp. Wednesday, August 22. Monster.com, meanwhile, said Wednesday it had shut down the server used to store the stolen resume information. Earlier this week, Symantec fingered Infostealer.Monstres for using stolen Monster.com log-ons to run automated searches. Criminals then used the stolen information to create convincing e-mail messages that contained malicious code. Some of those messages included Banker.c, a password-stealing Trojan horse that monitored the infected PC for log-ons to online banking accounts. But Monstres is also equipped to recruit criminal collaborators. "What we offer you is something more than just a job -- it's the opportunity to earn really big money without having to work much," read one of the messages. Among the job requirements, said the messages, was a new checking account with Bank of America. Although the job offer didn't spell it out in so many words, it's clear that the work involves cleaning out accounts of phishing victims, possibly the very ones hit by the Banker.c Trojan.

Source: Monster.com Trojan recruits 'money mules' from victim pool

Last edited by Scrub; 08-25-07 at 06:49 PM.
#4  ScamBuster (Admin Assistance), 08-24-07, 05:30 PM
Monster Trojan Monsters Job Seekers' Records


The Monster.com mess

By Gregg Keizer, Computerworld
August 24, 2007

Quote:
The last thing you need when you're unemployed is a bank account that's suddenly emptied. But that's exactly what some unwary users of employment search site Monster.com faced after identity thieves made off with the personal information of more than a million people looking for jobs.

How did so many job searchers fall victim to identity thieves? Here’s what happened and what it all means.



This still-developing story has enough nooks and crannies to confuse a gumshoe, but some facts are clear: Monster's resume database was looted, and the personal information taken was used to forge convincing messages that deposited password-stealing Trojans and ransomware on users' PCs.

Calculated and ambitious, the attack is striking for how it blended several elements -- stolen credentials of legitimate users, phishing e-mails, Trojan horses, money mules and more -- into a slick assault. Here's what we know so far.

Was Monster.com hacked? No, as Symantec said immediately. Instead, the attackers accessed the resume database with legitimate usernames and passwords, probably stolen from professional recruiters and human resource personnel who use the "Monster for employers" section of the site to look for job candidates. But it wasn't until Thursday that Monster.com admitted as much. "By gaining unauthorized access to employer accounts, the software was obtaining job seeker contact information," a new alert said.

What was snatched from the database? Names, e-mail addresses, mailing addresses, phone numbers and resume IDs, said Symantec. Yesterday, Monster.com added that only about 5,000 of the people whose data was filched live outside the U.S. That squares with what Symantec's Amado Hidalgo said in an e-mail: The information-stealing Trojan was hard-coded to dig through only the "hiring.monster.com" and "recruiter.monster.com" domains, limiting their theft to the Monster USA site's database. "They only targeted the U.S. Monster site and not any other international Monster [Worldwide] Inc. sites, such as those in the U.K., Spain, etc.," said Hidalgo.

How was the information stolen? The Infostealer.Monstres Trojan runs batch searches by sending HTTP commands to the Monster Web site to navigate through folders, said Hidalgo. The malware then parses the output that appears in a pop-up window that holds the job seeker profiles that match the search criteria. Essentially, the Trojan worked as an automated search bot that located candidates, captured their contact information and sent it to a remote server controlled by the criminals. Symantec said that the server, though located in Russia, was hosted by a company out of Ukraine.

By using Infostealer.Monstres to do their harvesting, the attackers also covered their tracks -- the Trojan could be planted on any computer previously compromised, with the search seemingly originating with that computer's owner -- and could easily spread the work out among a number of IP addresses, probably to slip under any Monster radar potentially watching for unusually large numbers of search requests coming from any one location. (There is no evidence at the moment that Monster deploys such radar.)
Computerworld is an InfoWorld affiliate.


Reply With Quote
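The point in the article above about spreading searches across many IP addresses, as an added detection sketch (not part of the quoted article, and not Monster's or Symantec's code): counting resume views per employer account instead of per source IP catches a harvest that stays under every per-IP limit. The log format, account names, addresses and thresholds are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed sliding window
PER_IP_LIMIT = 30                # assumed per-IP threshold
PER_ACCOUNT_LIMIT = 60           # assumed per-account threshold

def build_sample():
    """Constructed log lines: '<iso-time> <account> <source-ip> <action>'."""
    start = datetime(2007, 8, 20, 9, 0, 0)
    lines = []
    for i in range(120):  # one account, 120 views spread over 8 addresses
        ts = start + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} recruiter-A 198.51.100.{i % 8 + 1} resume_view")
    for i in range(12):   # ordinary recruiter working from one address
        ts = start + timedelta(seconds=45 * i)
        lines.append(f"{ts.isoformat()} recruiter-B 203.0.113.7 resume_view")
    return sorted(lines)  # ISO timestamps sort chronologically

def _flag(lines, key_of, limit):
    """Map key -> (peak views in WINDOW, distinct IPs at that peak) when over limit."""
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        ts_text, account, ip, action = line.split()
        if action != "resume_view":
            continue
        ts = datetime.fromisoformat(ts_text)
        q = windows[key_of(account, ip)]
        q.append((ts, ip))
        while ts - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        key = key_of(account, ip)
        if len(q) > limit and len(q) > flagged.get(key, (0, 0))[0]:
            flagged[key] = (len(q), len({addr for _, addr in q}))
    return flagged

def per_ip_alerts(lines):
    return _flag(lines, lambda account, ip: ip, PER_IP_LIMIT)

def per_account_alerts(lines):
    return _flag(lines, lambda account, ip: account, PER_ACCOUNT_LIMIT)

SAMPLE = build_sample()

if __name__ == "__main__":
    print("per-IP alerts:     ", per_ip_alerts(SAMPLE))
    print("per-account alerts:", per_account_alerts(SAMPLE))
```

The distinct-IP count in the alert is worth keeping: a single recruiter login seen from many addresses inside one window is itself a sign of shared or stolen credentials.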
#5  Scrub (Administrator), 08-25-07, 02:09 AM
Trojan Authors Recruit 'Money Mules' From List Of Stolen Identities

By Sharon Gaudin
InformationWeek

August 23, 2007 04:15 PM
Quote:
While the hackers solicit mules to move money from compromised bank accounts, Monster.com shuts down data cache.
The malware authors behind the Prg Trojan appear to be soliciting their identity theft victims to become 'money mules,' moving stolen money from bank accounts to the hackers' own coffers.

Vikram Thakur, a researcher with Symantec's Security Response team, reported in a blog post that they have discovered templates of e-mails that the Trojan authors are sending out, using their newly acquired collection of stolen identities to target their money mule scam at people looking for jobs.

"The templates all point to the same position," wrote Thakur. "The job is that of a 'Transfer Manager' at an investment company. The job description states that the position would entail facilitating financial transactions made by the clients of the investment company. The e-mail looks very realistic and may convince many that it has been sent from Monster.com or Careerbuilder.com."

While the e-mail says the job doesn't require any experience and offers a $500 sign-on bonus and the ability to work from home, it also notes that it does require people to have an account with Bank of America for wire transactions.

Gunter Ollmann, director of security strategy at IBM's Internet Security Systems, explained that cybercriminals, like hackers and phishers, have been using mules for several years, setting them up to move money out of a compromised bank account and then to transfer it -- possibly even wire it -- to the hacker's overseas account.

"The average life of a mule appears to be fairly short," added Gunter. "People have no idea what a mule actually is so they don't realize they're participating in a money laundering scam. They're being promised that they can work for an hour or two a day and earn thousands a month. They only have to live in the U.S., use this bank, and work from home a few hours a day."

In this particular case, the authors of the Prg Trojan are using the plethora of identities that they've stolen in the last several months to find potential mules.

In the last few weeks, researchers from SecureWorks found 12 caches with about 100,000 stolen identities -- all stolen via fraudulent ads on Monster.com. And researchers at Symantec found another massive cache -- this one contained about 1.6 million pieces of stolen data, such as names, addresses, mobile phone numbers, and name of employers. The number correlates to data pieces, not 1.6 million victims.

It's still unclear how many stolen identities -- how many victims of identity theft -- the information in that cache represents, according to Dave Cole, director of Symantec's Security Response team.

On Wednesday, Monster Worldwide, parent company of Monster.com, released an advisory saying that it is investigating the impact the Trojan has had on its database.

"Monster has identified and shut down a rogue server that was accessing seeker contact information through unauthorized use of compromised legitimate employer-client log-in credentials," said the advisory. "The information contained on this server was limited to names, addresses, phone numbers, and e-mail addresses. The company is currently analyzing the number of job seeker contacts impacted by this action and will be communicating with those affected as appropriate."