If you’re using Monster.com to search for a job, think twice before opening emails from the company. According to Symantec and SecureWorks, legitimate-looking Monster messages are infecting victims’ machines with a Trojan horse that steals bank account data. The Symantec Security Response blog notes that 1.6 million records have been stolen so far.
Here’s a snippet from that blog entry:
“Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres, which was attempting to access the online recruitment Web site, Monster.com. It was also uploading data to a remote server. When we accessed this remote server, we found over 1.6 million entries with personal information belonging to several hundred thousand people. We were very surprised that this low profile Trojan could have attacked so many people, so we decided to investigate how the data could have been obtained.
“Interestingly, only connections to the hiring.monster.com and recruiter.monster.com subdomains were being made. These subdomains belong to the “Monster for employers” only site, the section used by recruiters and human resources personnel to search for potential candidates, post jobs to Monster, et cetera. This site requires recruiters to log in to view information on candidates.
“Upon further investigation, the Trojan appears to be using the (probably stolen) credentials of a number of recruiters to log in to the Web site and perform searches for resumes of candidates located in certain countries or working in certain fields. The Trojan sends HTTP commands to the Monster.com Web site to navigate to the Managed Folders section. It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter’s saved searches.
“The personal details of those candidates, such as name, surname, email address, country, home address, work/mobile/home phone numbers and resume ID, are then uploaded to a remote server under the control of the attackers.”
Symantec says it has notified Monster.com of the phishing attack so that compromised recruiter accounts can be disabled. In the meantime, users can protect themselves by limiting the contact information they post on these sites, using a separate disposable email address, and never disclosing sensitive details such as Social Security numbers, passport or driver’s license numbers, and bank account information until messages from prospective employers have been confirmed as legitimate.
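The harvesting Symantec describes, a compromised recruiter account walking through saved searches and pulling candidate profiles one after another, looks nothing like a human recruiter in a site’s own access logs. As an added illustration (not code from Symantec or Monster.com), here is a small rate and IP-spread check a site operator could run over such logs; the log format, the `/candidate/profile` path and the sample lines are all assumed or constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (hypothetical, not Monster.com's real logs):
# "<ISO timestamp> <recruiter account> <client IP> <method> <path>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
PROFILE_PATH = "/candidate/profile"  # hypothetical profile-view endpoint

def build_sample_log():
    """Constructed sample: recruiter_a browses by hand, recruiter_b is scripted."""
    base = datetime(2007, 8, 17, 9, 0, 0)
    lines = []
    for i in range(5):  # one profile every two minutes, single IP
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} recruiter_a 203.0.113.5 GET {PROFILE_PATH}?id={1000 + i}")
    for i in range(30):  # one profile per second, alternating between two IPs
        t = base + timedelta(seconds=i)
        ip = "198.51.100.7" if i % 2 else "198.51.100.8"
        lines.append(f"{t.isoformat()} recruiter_b {ip} GET {PROFILE_PATH}?id={2000 + i}")
    return "\n".join(lines)

def parse_log(text):
    """Return (timestamp, account, ip, path) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, ip, _method, path = m.groups()
            events.append((datetime.fromisoformat(ts), user, ip, path))
    return events

def flag_harvesting(events, window_seconds=60, max_views=20, max_ips=1):
    """Map account -> reason for accounts whose profile views look scripted."""
    by_user = defaultdict(list)
    for ts, user, ip, path in events:
        if path.startswith(PROFILE_PATH):
            by_user[user].append((ts, ip))
    flagged = {}
    for user, views in by_user.items():
        views.sort()
        start = 0
        for end in range(len(views)):  # sliding window over sorted timestamps
            while (views[end][0] - views[start][0]).total_seconds() > window_seconds:
                start += 1
            window = views[start:end + 1]
            ips = {ip for _, ip in window}
            if len(window) > max_views or len(ips) > max_ips:
                flagged[user] = f"{len(window)} views from {len(ips)} IPs in {window_seconds}s"
                break
    return flagged
```

Thresholds are deliberately loose here; in practice they would be tuned per site against normal recruiter activity, and a hit would trigger a credential reset rather than an automatic block.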
Update, Aug. 23 at 7:53 a.m.:
The Symantec Security Response blog has an update on the Monster.com attacks. It appears that the Trojan at the heart of the attack is taking the data it collects and using it to create more personalized spam offering recipients well-paying but illegal money laundering jobs.
“We’ve been able to acquire some email templates that the Trojan may use to send targeted spam to individuals, using stolen personal information,” writes Symantec researcher Vikram Thakur. “The templates acquired all point to the same position. The job is that of a ‘Transfer Manager’ at an investment company. The job description states that the position would entail facilitating financial transactions made by the clients of the investment company. The email looks very realistic and may convince many that it has been sent from Monster.com or Careerbuilder.com.”
The advice remains the same here. Don’t offer up your most personal data to strangers.