
Phishing attack targets users

If you’re using to search for a job, think twice before opening emails from the company. According to Symantec and SecureWorks, legitimate-looking Monster messages are infecting victims’ machines with a Trojan horse that steals bank account data. The Symantec Security Response blog notes that 1.6 million records have been stolen so far.

Here’s a snippet from that blog entry:

“Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres, which was attempting to access the online recruitment Web site, It was also uploading data to a remote server. When we accessed this remote server, we found over 1.6 million entries with personal information belonging to several hundred thousand people. We were very surprised that this low profile Trojan could have attacked so many people, so we decided to investigate how the data could have been obtained.

“Interestingly, only connections to the and subdomains were being made. These subdomains belong to the “Monster for employers” only site, the section used by recruiters and human resources personnel to search for potential candidates, post jobs to Monster, et cetera. This site requires recruiters to log in to view information on candidates.

“Upon further investigation, the Trojan appears to be using the (probably stolen) credentials of a number of recruiters to log in to the Web site and perform searches for resumes of candidates located in certain countries or working in certain fields. The Trojan sends HTTP commands to the Web site to navigate to the Managed Folders section. It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter’s saved searches.

“The personal details of those candidates, such as name, surname, email address, country, home address, work/mobile/home phone numbers and resume ID, are then uploaded to a remote server under the control of the attackers.”

Symantec says it has notified of the phishing attack so compromised recruiter accounts can be disabled. Meantime, users can protect themselves by limiting the contact information they post on these sites, using a separate disposable email address and never disclosing sensitive details like Social Security numbers, passport or driver’s license numbers, and bank account information, until the messages from prospective employers are found to be legitimate.

Update, Aug. 23 at 7:53 a.m.:

The Symantec Security Response blog has an update on the attacks. It appears that the Trojan at the heart of the attack is taking the data it collects and using it to create more personalized spam offering recipients well-paying but illegal money laundering jobs.

“We’ve been able to acquire some email templates that the Trojan may use to send targeted spam to individuals, using stolen personal information,” writes Symantec researcher Vikram Thakur. “The templates acquired all point to the same position. The job is that of a ‘Transfer Manager’ at an investment company. The job description states that the position would entail facilitating financial transactions made by the clients of the investment company. The email looks very realistic and may convince many that it has been sent from or”

The advice remains the same here. Don’t offer up your most personal data to strangers.


[...] Early last week I wrote about some aggressive phishing attacks against users in which 1.6 million bank account records had been stolen. In an interview with Reuters, Monster Worldwide Chief Executive Sal Iannuzzi suggested the damage may be far worse. [...]
I just wanted to thank you for this update. While the laws behind security are still required to be drawn the outcome is always too late. How many more times must this occur before we stop requiring this data to be populated in areas not required? If Wal-Mart requires my card number be stored in their database why can't I buy something without it? It is not required data for them nor should it be for so many who simply need to track previous purchases. After 60 days this data should have to be removed. What software bundle actually finds this trojan? I have Norton at home never got anything until it went down?