If you’re using Monster.com to search for a job, think twice before opening emails from the company. According to Symantec and SecureWorks, legitimate-looking Monster messages are infecting victims’ machines with a Trojan horse that steals bank account data. The Symantec Security Response blog notes that 1.6 million records have been stolen so far.
Here’s a snippet from that blog entry:
“Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres, which was attempting to access the online recruitment Web site, Monster.com. It was also uploading data to a remote server. When we accessed this remote server, we found over 1.6 million entries with personal information belonging to several hundred thousand people. We were very surprised that this low profile Trojan could have attacked so many people, so we decided to investigate how the data could have been obtained.
“Interestingly, only connections to the hiring.monster.com and recruiter.monster.com subdomains were being made. These subdomains belong to the “Monster for employers” only site, the section used by recruiters and human resources personnel to search for potential candidates, post jobs to Monster, et cetera. This site requires recruiters to log in to view information on candidates.
“Upon further investigation, the Trojan appears to be using the (probably stolen) credentials of a number of recruiters to login to the Web site and perform searches for resumes of candidates located in certain countries or working in certain fields. The Trojan sends HTTP commands to the Monster.com Web site to navigate to the Managed Folders section. It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter’s saved searches.
“The personal details of those candidates, such as name, surname, email address, country, home address, work/mobile/home phone numbers and resume ID, are then uploaded to a remote server under the control of the attackers.”
Symantec says it has notified Monster.com of the phishing attack so that the compromised recruiter accounts can be disabled. Meanwhile, users can protect themselves by limiting the contact information they post on these sites, using a separate, disposable email address, and never disclosing sensitive details such as Social Security numbers, passport or driver’s license numbers, and bank account information until messages from prospective employers have been confirmed to be legitimate.
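The pattern Symantec describes, a recruiter account driven by a Trojan to walk through saved searches and pull candidate profiles in bulk, is something a recruiter portal's operators can spot in their own access logs. The following is an added example (not code from Symantec, SecureWorks or Monster.com) that runs two simple checks over constructed, hypothetical log lines: a burst of candidate-profile views inside a short window, and one account logging in from more than one source IP.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines for a hypothetical recruiter portal
# (not real Monster.com logs). Format: <ISO timestamp> <account> <source IP> <path>
SAMPLE_LOG = """\
2007-08-20T09:00:05 rec_alice 203.0.113.10 /managed-folders
2007-08-20T09:00:06 rec_alice 203.0.113.10 /candidate/1001
2007-08-20T09:00:07 rec_alice 203.0.113.10 /candidate/1002
2007-08-20T09:00:07 rec_alice 203.0.113.10 /candidate/1003
2007-08-20T09:00:08 rec_alice 203.0.113.10 /candidate/1004
2007-08-20T09:00:08 rec_alice 203.0.113.10 /candidate/1005
2007-08-20T09:00:09 rec_alice 203.0.113.10 /candidate/1006
2007-08-20T09:02:01 rec_alice 198.51.100.7 /candidate/1007
2007-08-20T09:06:30 rec_bob 192.0.2.44 /managed-folders
2007-08-20T09:07:10 rec_bob 192.0.2.44 /candidate/2001
"""

def parse_log(text):
    """Parse the constructed lines into (timestamp, account, ip, path) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, ip, path = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, path))
    return events

def flag_scraping_accounts(text, window_seconds=60, max_views=5, max_ips=1):
    """Return {account: [reasons]} for accounts whose candidate-profile views
    in any sliding window, or whose distinct source IPs, exceed the thresholds."""
    events = sorted(parse_log(text))
    views = defaultdict(list)   # account -> timestamps of profile fetches
    ips = defaultdict(set)      # account -> distinct source addresses
    for ts, account, ip, path in events:
        ips[account].add(ip)
        if path.startswith("/candidate/"):
            views[account].append(ts)
    flagged = defaultdict(list)
    for account, times in views.items():
        start = 0  # left edge of the sliding window over sorted timestamps
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_views:
                flagged[account].append(f"{end - start + 1} profile views within {window_seconds}s")
                break
    for account, addrs in ips.items():
        if len(addrs) > max_ips:
            flagged[account].append(f"seen from {len(addrs)} source IPs")
    return dict(flagged)
```

Thresholds here are illustrative; a real deployment would tune them against a baseline of normal recruiter activity and feed hits into account lockout or step-up authentication.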