<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://www.maximumpc.com" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Maximum PC Extortionware RSS Feed</title>
 <link>http://www.maximumpc.com/tags/extortionware</link>
 <description>used for category lists, takes arguments</description>
 <language>en</language>
<item>
 <title>Think Before You Click on That Great &quot;Job Offer&quot;</title>
 <link>http://www.maximumpc.com/article/think_before_you_click_on_that_great_job_offer</link>
 <description>&lt;p&gt;If you receive a job offer purporting to come via Monster.com, think hard before you respond to it. Hackers using Ukraine-based servers and a Trojan Horse known as &lt;a href=&quot;http://www.symantec.com/security_response/writeup.jsp?docid=2007-081617-4608-99&quot;&gt;Infostealer.Monstres&lt;/a&gt; stole names, addresses, phone numbers, email addresses and resume ID numbers belonging to over 1.6 million users (almost all in the US) of the popular job-hunting site. The server&amp;#39;s &lt;a href=&quot;http://www.theregister.co.uk/2007/08/23/monster_torpedoes_rogue_server/&quot; title=&quot;The Register&#039;s follow-up story on Monster.com data theft&quot;&gt;been shut down&lt;/a&gt;, but as usual, the horse (in this case, a Trojan Horse) is already loose.&lt;/p&gt;
&lt;p&gt;[&lt;strong&gt;Correction on 08-27-07:&lt;/strong&gt; Because of duplications, the 1.6 million number referred to in the previous paragraph refers to records, not separate individuals (some of whom have more than one record at Monster.com). However, even when duplicates are considered, several hundred thousand job-seeking users have had their information compromised by this data theft. -MS]&lt;/p&gt;
&lt;h4&gt;How They Got the Inside Track&lt;/h4&gt;
&lt;p&gt;The Infostealer.Monstres malware program stole login information used by legitimate job recruiters. Once the hackers could access the job recruiter section of the Monster.com website, grabbing the information they wanted was easy.&lt;/p&gt;
&lt;h4&gt;The Real Goal: Your Wallet (and Identity!)&lt;/h4&gt;
&lt;p&gt;If that was all the hackers were after, it would be a lot of effort for a paltry return. However, Symantec, which tipped off Monster.com that it was under attack, also discovered the real objective of the data theft: a classic identity-theft scheme with a couple of twists.&lt;/p&gt;
&lt;p&gt;If you get an email purporting to be from a job recruiter via Monster.com, but asking for bank account information or similar financial data, don&amp;#39;t reply to it: it&amp;#39;s actually coming from the hackers who engineered the data theft. Give it up, and watch your money disappear.&lt;/p&gt;
&lt;h4&gt;But Wait! There&amp;#39;s More (Pain, That Is)&lt;/h4&gt;
&lt;p&gt;Even if all you do is click links in the email, your problems are just beginning. According to a report in &lt;a href=&quot;http://computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9031418&quot;&gt;Computerworld&lt;/a&gt;, the fake emails contain links to two pieces of malware:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;One steals bank account information (Symantec calls it &lt;a href=&quot;http://www.symantec.com/security_response/writeup.jsp?docid=2007-040208-5335-99&quot;&gt;Infostealer.Banker.C&lt;/a&gt;).&lt;/li&gt;
&lt;li&gt;The other (disguised as a program called &amp;#39;Monster Job Seeker Tool&amp;#39;) encrypts files until you pay a fee to unlock them. Symantec refers to this ransomware program as &lt;a href=&quot;http://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&quot;&gt;Trojan.Gpcoder.E&lt;/a&gt;, but other antivirus programs are also on its trail. See the &lt;a href=&quot;http://blogs.pandasoftware.com/blogs/pandalabs/archive/2007/07/17/A-new-case-of-RansomWare-_210021002100_.aspx&quot; title=&quot;Panda Software&#039;s blog entry on Ransomware&quot;&gt;Panda Software blog entry&lt;/a&gt; for a closer look at how it works.&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;The Easy to Trust Wrapper Makes Them Harder to Stop&lt;/h4&gt;
&lt;p&gt;According to Symantec&amp;#39;s writeups, these threats, by themselves, are not difficult to contain or remove. The problem is that they are concealed inside an official-looking email from a trusted source (in this case, Monster.com). If your system is not running up-to-date antivirus software and you click the link - you&amp;#39;re in trouble.&lt;/p&gt;
&lt;h4&gt;A Few Without Adequate Security Threaten Millions - Again&lt;/h4&gt;
&lt;p&gt;Sadly, this latest breach of computer security shows the dark side of the interconnected nature of today&amp;#39;s technology: a weak spot in some PC users&amp;#39; security (in this case, some recruiters using Monster.com) can be exploited to attack both those users and many, many others. As always, it pays to &lt;a href=&quot;/article/safer_browsing&quot; title=&quot;Will Smith on Safer Browsing&quot;&gt;think before you click&lt;/a&gt;.&lt;/p&gt;
&lt;h4&gt;Also Known As&lt;/h4&gt;
&lt;p&gt;Infostealer.Banker.C is also known as &lt;a href=&quot;http://www.sophos.com/security/analyses/trojbancosbbt.html&quot; title=&quot;Sophos&#039;s writeup of Troj/Bancos-BBT&quot;&gt;Troj/Bancos-BBT&lt;/a&gt; [Sophos], &lt;a href=&quot;http://www.sophos.com/security/analyses/trojbancosbcv.html&quot; title=&quot;Sophos writeup of Troj/Bancos-BCV&quot;&gt;Troj/Bancos-BCV&lt;/a&gt; [Sophos], &lt;a href=&quot;http://www.viruslist.com/en/viruses/encyclopedia?virusid=162985&quot; title=&quot;Kaspersky&#039;s Virus Encyclopedia&#039;s writeup of Trojan-Downloader.Win32.Agent.bvz&quot;&gt;Trojan-Downloader.Win32.Agent.bvz&lt;/a&gt; [Kaspersky]&lt;/p&gt;
&lt;p&gt;Trojan.Gpcoder.E is also known as &lt;a href=&quot;http://www.viruslist.com/en/viruses/encyclopedia?virusid=164339&quot; title=&quot;Kaspersky&#039;s Virus Encyclopedia writeup of Virus.Win32.Gpcode.ai and variants&quot;&gt;Virus.Win32.Gpcode.ai&lt;/a&gt; [Kaspersky], &lt;a href=&quot;http://ca.com/us/securityadvisor/pest/pest.aspx?id=453114206&quot; title=&quot;CA writeup of Win32/Kollah.AB threat&quot;&gt;Win32/Kollah.AB&lt;/a&gt; [Computer Associates], &lt;a href=&quot;http://www.sophos.com/security/analyses/trojgpcoderg.html&quot; title=&quot;Sophos writeup of Troj/GPCoder-G&quot;&gt;Troj/GPCoder-G&lt;/a&gt; [Sophos], &lt;a href=&quot;http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=168350&amp;amp;sind=0&quot; title=&quot;Panda Software writeup of Sinowal.FY&quot;&gt;Sinowal.FY&lt;/a&gt; [Panda Software], &lt;a href=&quot;http://us.mcafee.com/virusInfo/default.asp?id=description&amp;amp;virus_k=142936&quot; title=&quot;PWS-JT writeup at McAfee.com&quot;&gt;PWS-JT&lt;/a&gt; [McAfee]&lt;/p&gt;
</description>
 <comments>http://www.maximumpc.com/article/think_before_you_click_on_that_great_job_offer#comments</comments>
 <category domain="http://www.maximumpc.com/article_type/news_amp_views">News</category>
 <category domain="http://www.maximumpc.com/article_type/news/windows">Windows</category>
 <category domain="http://www.maximumpc.com/geek_tested/antivirus">antivirus</category>
 <category domain="http://www.maximumpc.com/geek_tested/extortionware">Extortionware</category>
 <category domain="http://www.maximumpc.com/geek_tested/malware">malware</category>
 <category domain="http://www.maximumpc.com/geek_tested/monstercom">Monster.com</category>
 <category domain="http://www.maximumpc.com/geek_tested/phishing">phishing</category>
 <category domain="http://www.maximumpc.com/geek_tested/virus">virus</category>
 <pubDate>Fri, 24 Aug 2007 21:21:27 -0500</pubDate>
 <dc:creator>By Mark Soper</dc:creator>
 <guid isPermaLink="false">1335 at http://www.maximumpc.com</guid>
</item>
<item>
 <title>Introducing Extortion-Ware</title>
 <link>http://www.maximumpc.com/article/Introducing-Extortion-Ware</link>
 <description>&lt;p&gt;&lt;img class=&quot;floatimgleft&quot; src=&quot;/sites/future.p2technology.com/files/thumbs/popcorn.jpg&quot; alt=&quot;popcorn.jpg&quot; /&gt;I’m not sure how many unsuspecting people have run into this “wonderful” software, but I did while trying to stop annoying adware problems on my friend’s PC. He would randomly get a pop-up stating: “Your free trial of Popcorn.net is over, click here to purchase.” So, in an attempt to help out, the first thing I did was go to Add/Remove Programs in the Control Panel, and lo and behold, I couldn’t remove the app.&lt;/p&gt;
&lt;p&gt;I did a little research on this program, which supposedly lets you watch movies online, and here’s where it gets interesting: I found that the EULA says you consent to the program updating itself automatically and that the company may demand money from you to remove the app because you consented to it being installed. Furthermore, the program says you pretty much have to pay the company if you don’t cancel the “trial subscription” within the time period it sets. You can find info about how to remove the program from this website: www.schrockinnovations.com/removepopcorn.php. Is this even legal?&lt;br /&gt; — Keith Gajeski &lt;/p&gt;
&lt;p&gt;You’ve run into a new flavor of malware that’s been labeled “extortionware,” or “strongarmware.” In the case of Popcorn.net, aka Movieland.com, the company claims that the app is installed only after you’ve read a long EULA and clicked OK to install it, but there are numerous allegations on the Internet that the app is installed via surreptitious drive-by web-browsing methods. Whichever way it gets installed, the outcome is the same when the trial period expires: pop-ups galore that demand you pay $29.95 to remove them. Illegal? No way, the company claims; you agreed to a contract when you installed the software. When consumers contacted Movieland.com to complain, they were told: “It is impossible for this software to exist on your system without a user actively following a four-step installation process.”&lt;/p&gt;
&lt;p&gt;But what if someone else installed it on your machine? The company says: “We understand that multiple users may access a single computer. However, the machine’s owner is solely responsible for regulating access to the computer. As such, it’s your responsibility to satisfy the contract entered into by way of your machine and your IP address. Failure to satisfy your payment obligation may result in an escalation of collection proceedings that could have an adverse effect on your credit status.”&lt;/p&gt;
&lt;p&gt;Employing methods akin to a Sony rootkit or malware, the application makes it nearly impossible for users to uninstall it, and most users were unable to prevent the app from generating full-screen pop-ups. “Customer support” refers consumers to a 900 number that charges $34.95 an hour. And even folks who fix the pop-up problem might still have the software resident on their machine. It all sounds pretty fishy to the Dog. And to the authorities too, apparently. The Federal Trade Commission and the Washington state Attorney General have sued Popcorn.net, Movieland.com, Digital Enterprises, and a dozen other names the company operates under for allegedly violating the FTC Act, which governs trade practices.&lt;/p&gt;
&lt;p&gt;The FTC’s suit says many consumers did not consent to having the pop-ups and that a PC’s owner is not obligated to pay any contracts that other people entered into while on the computer. The FTC suit also names Easton Herd and Andrew M. Garroni of Los Angeles. The Dog was unable to reach Herd, Garroni, or Popcorn.net for comments.&lt;/p&gt;
&lt;p&gt;The state of Washington is also taking action against Herd, Garroni, and Popcorn.net for allegedly violating the state’s Computer Spyware Act, which prohibits hijacking a person’s computer, changing security settings, and preventing users from removing spyware. The state said both Herd and Garroni could be fined $100,000 per violation of state law and $2,000 under the Consumer Protection Act.&lt;/p&gt;
&lt;p&gt;Movieland.com and Popcorn.net might also be the target of a class-action suit that alleges the company is violating California’s consumer protection laws. The firm of Manuel H. Miller said it plans to sue Popcorn.net to recoup consumers’ losses. “[The Popcorn.net software] is really one of the nastiest things I’ve ever seen,” said Jeff Schwartz, a spokesman for the firm, who said his own father was a victim. Schwartz said readers who want more information on the planned suit can visit www.manuelhmiller.com.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;From our Holiday 2006 Watchdog column&lt;/em&gt;&lt;/p&gt;
</description>
 <comments>http://www.maximumpc.com/article/Introducing-Extortion-Ware#comments</comments>
 <category domain="http://www.maximumpc.com/article_type/news_amp_views">News</category>
 <category domain="http://www.maximumpc.com/article_type/news/editor_blogs">Editor Blogs</category>
 <category domain="http://www.maximumpc.com/geek_tested/extortionware">Extortionware</category>
 <category domain="http://www.maximumpc.com/geek_tested/removal">Removal</category>
 <category domain="http://www.maximumpc.com/geek_tested/strongarmware">Strongarmware</category>
 <category domain="http://www.maximumpc.com/geek_tested/watchdog">Watchdog</category>
 <pubDate>Wed, 18 Oct 2006 18:28:36 -0500</pubDate>
 <dc:creator>Maximum PC</dc:creator>
 <guid isPermaLink="false">735 at http://www.maximumpc.com</guid>
</item>
</channel>
</rss>
