Think Before You Click on That Great "Job Offer"

By Mark Soper — Fri, 24 Aug 2007 21:21:27 -0500

If you receive a job offer purporting to come via Monster.com, think hard before you respond to it. Hackers using Ukraine-based servers and a Trojan Horse known as Infostealer.Monstres, stole names, addresses, phone numbers, email addresses and resume ID numbers belonging to over 1.6 million users (almost all in the US) of the popular job-hunting site. The server's been shut down, but as usual, the horse (in this case, a Trojan Horse), is already loose.

[Correction on 08-27-07: Because of duplications, the 1.6 million number referred to in the previous paragraph refers to records, not separate individuals (some of whom have more than one record at Monster.com). However, even when duplicates are considered, several hundred thousand job-seeking users have had their information compromised by this data theft- MS]

How They Got the Inside Track

The Infostealer.Monstres malware program stole login information used by legitimate job recruiters. Once the hackers could access the job recruiter section of the Monster.com website, grabbing the information they wanted was easy.

The Real Goal: Your Wallet (and Identity!)

If that was all the hackers were after, it would be a lot of effort for a paltry return. However, Symantec, which tipped off Monster.com that it was under attack, also discovered the real objective of the data theft: a classic identity-theft scheme with a couple of twists.

If you get an email purporting to be from a job recruiter via Monster.com, but asking for bank account information or similar financial data, don't reply to it: it's actually coming from the hackers who engineered the data theft. Give it up, and watch your money disappear.

But Wait! There's More (Pain, That Is)

Even if all you do is click links in the email, your problems are just beginning. According to a report in Computerworld, the fake emails contain links to two pieces of malware:

One steals bank account information (Symantec calls it Infostealer.banker.c).
The other (disguised as a program called 'Monster Job Seeker Tool') encrypts files until you pay a fee to unlock the files. Symantec refers to this ransomware program as TrojanGpcoder.e, but other antivirus programs are also on its trail. See the Panda Software blog entry for a closer look at how it works.

The Easy to Trust Wrapper Makes Them Harder to Stop

According to Symantec's writeups, these threats, by themselves, are not difficult to contain or remove. The problem is that they are concealed inside an official-looking email from a trusted source (in this case, Monster.com). If your system is not running up-to-date antivirus software and you click the link - you're in trouble.

A Few Without Adequate Security Threaten Millions - Again

Sadly, this latest breach of computer security shows the dark side of the interconnected nature of today's technology: a weak spot in some PC users' security (in this case, some recruiters using Monster.com) can be exploited to attack both those users and many, many others. As always, it pays to think before you click.

Also Known As

Infostealer.Banker.C is also known as Troj/Bancos-BBT [Sophos], Troj/Bancos-BCV [Sophos], Trojan-Downloader.Win32.Agent.bvz [Kaspersky]

Trojan.Gpcoder.E is also known as Virus.Win32.Gpcode.ai [Kaspersky], Win32/Kollah.AB [Computer Associates], Troj/GPCoder-G [Sophos], Sinowal.FY [Panda Software], PWS-JT [McAfee]