Think Before You Click on That Great "Job Offer"

Think Before You Click on That Great "Job Offer"

If you receive a job offer purporting to come via Monster.com, think hard before you respond to it. Hackers using Ukraine-based servers and a Trojan Horse known as Infostealer.Monstres, stole names, addresses, phone numbers, email addresses and resume ID numbers belonging to over 1.6 million users (almost all in the US) of the popular job-hunting site. The server's been shut down, but as usual, the horse (in this case, a Trojan Horse), is already loose.

[Correction on 08-27-07: Because of duplications, the 1.6 million number referred to in the previous paragraph refers to records, not separate individuals (some of whom have more than one record at Monster.com). However, even when duplicates are considered, several hundred thousand job-seeking users have had their information compromised by this data theft- MS]

How They Got the Inside Track

The Infostealer.Monstres malware program stole login information used by legitimate job recruiters. Once the hackers could access the job recruiter section of the Monster.com website, grabbing the information they wanted was easy.

The Real Goal: Your Wallet (and Identity!)

If that was all the hackers were after, it would be a lot of effort for a paltry return. However, Symantec, which tipped off Monster.com that it was under attack, also discovered the real objective of the data theft: a classic identity-theft scheme with a couple of twists.

If you get an email purporting to be from a job recruiter via Monster.com, but asking for bank account information or similar financial data, don't reply to it: it's actually coming from the hackers who engineered the data theft. Give it up, and watch your money disappear.

But Wait! There's More (Pain, That Is)

Even if all you do is click links in the email, your problems are just beginning. According to a report in Computerworld, the fake emails contain links to two pieces of malware:

  • One steals bank account information (Symantec calls it Infostealer.banker.c).
  • The other (disguised as a program called 'Monster Job Seeker Tool') encrypts files until you pay a fee to unlock the files. Symantec refers to this ransomware program as TrojanGpcoder.e, but other antivirus programs are also on its trail. See the Panda Software blog entry for a closer look at how it works.

The Easy to Trust Wrapper Makes Them Harder to Stop

According to Symantec's writeups, these threats, by themselves, are not difficult to contain or remove. The problem is that they are concealed inside an official-looking email from a trusted source (in this case, Monster.com). If your system is not running up-to-date antivirus software and you click the link - you're in trouble.

A Few Without Adequate Security Threaten Millions - Again

Sadly, this latest breach of computer security shows the dark side of the interconnected nature of today's technology: a weak spot in some PC users' security (in this case, some recruiters using Monster.com) can be exploited to attack both those users and many, many others. As always, it pays to think before you click.

Also Known As

Infostealer.Banker.C is also known as Troj/Bancos-BBT [Sophos], Troj/Bancos-BCV [Sophos], Trojan-Downloader.Win32.Agent.bvz [Kaspersky]

Trojan.Gpcoder.E is also known as Virus.Win32.Gpcode.ai [Kaspersky], Win32/Kollah.AB [Computer Associates], Troj/GPCoder-G [Sophos], Sinowal.FY [Panda Software], PWS-JT [McAfee]

2

Comments

+ Add a Comment
avatar

blackzarg

Sounds silly to ask...but does this affect Mac users?

avatar

Marcus_Soperus

Mac users running MacOS are safe from the malware contained in the fake message, but a Mac user running Windows could be infected.

However, any computer user running any operating system should be concerned about the underlying message of this latest scam: now, it's personal. Because the hackers acquired the resume numbers of Monster.com users as well as names and email addresses, they can send out personalized fake messages, instead of the usual "Dear client" or "Dear Valued User" messages that are easily identified as fraudulent. A personalized message is a lot harder to tag as fraudulent.

In this example, the hackers targeted Windows and depended upon malware in the message to steal financial information. More often, though, fake websites are used to capture financial or ID information. Hackers who can acquire information similar to what was taken from Monster.com will have no problems crafting a personalized email invitation to 'update your records' - and some users, at least, are likely to fall for it.

Symantec Security Response has some examples of the email templates developed by the hackers who targeted Monster.com. See them at http://www.symantec.com/enterprise/security_response/weblog/2007/08/post_3.html

----------------------------------
It's amazing how illogical a business built on binary logic can be.

Log in to MaximumPC directly or log in using Facebook

Forgot your username or password?
Click here for help.

Login with Facebook
Log in using Facebook to share comments and articles easily with your Facebook feed.