The last thing you need when you're unemployed is a bank account that's suddenly emptied. But that's exactly what some unwary users of US employment search site Monster.com faced after identity thieves made off with the personal information of more than a million people looking for jobs.
This still-developing story has enough nooks and crannies to confuse a gumshoe, but some facts are clear: Monster's resume database was looted, and the personal information taken was used to forge convincing messages that deposited password-stealing Trojans and ransomware on users' PCs.
Calculated and ambitious, the attack is striking for how it blended several elements -- stolen credentials of legitimate users, phishing e-mails, Trojan horses, money mules and more -- into a slick assault. Here's what we know so far.
Was Monster.com hacked? No, as Symantec said immediately. Instead, the attackers accessed the resume database with legitimate usernames and passwords, probably stolen from professional recruiters and human resource personnel who use the "Monster for employers" section of the site to look for job candidates. But it wasn't until Thursday that Monster.com admitted as much. "By gaining unauthorized access to employer accounts, the software was obtaining job seeker contact information," a new alert said.
What was snatched from the database? Names, e-mail addresses, mailing addresses, phone numbers and resume IDs, said Symantec. Yesterday, Monster.com added that only about 5,000 of the people whose data was filched live outside the U.S. That squares with what Symantec's Amado Hidalgo said in an e-mail: The information-stealing Trojan was hard-coded to dig through only the "hiring.monster.com" and "recruiter.monster.com" domains, limiting their theft to the Monster USA site's database. "They only targeted the U.S. Monster site and not any other international Monster sites," said Hidalgo.
How was the information stolen? The Infostealer.Monstres Trojan runs batch searches by sending HTTP commands to the Monster Web site to navigate through folders, said Hidalgo. The malware then parses the output that appears in a pop-up window that holds the job seeker profiles that match the search criteria. Essentially, the Trojan worked as an automated search bot that located candidates, captured their contact information and sent it to a remote server controlled by the criminals. Symantec said that the server, though located in Russia, was hosted by a company out of Ukraine.
By using Infostealer.Monstres to do their harvesting, the attackers also covered their tracks -- the Trojan could be planted on any computer previously compromised, with the search seemingly originating with that computer's owner -- and could easily spread the work out among a number of IP addresses, probably to slip under any Monster radar potentially watching for unusually large numbers of search requests coming from any one location. (There is no evidence at the moment that Monster deploys such radar.)
How many people are affected? Initially, Symantec's researchers played it vague, saying only that "several hundred thousand" were at risk. Thursday, though, Monster said that it had found contact information on the hackers' server for about 1.3 million people who had posted resumes. The other number that's been bandied about -- 1.6 million -- represents the tally of contact entries Symantec counted on the server last week; a significant number of Monster users apparently post more than one resume.
How did the hackers manage to grab so many contract records without Monster.com noticing? That's a good question. Monster itself hinted at one explanation: automated searches like the ones Infostealer.Monstres ran aren't unusual. "Many of our customers use automatic or semiautomatic means to search our database," said Monster spokesman Steve Sylven last Sunday. "Moreover, many of our larger customers rely heavily on our database, and their use may be similar to programmatic or scripted access." Translation: The searches conducted by the bigger Monster customers are as bot-like as those run by the Trojan.
The thieves also probably relied on some standard tactics to avoid detection, including running the searches from innocent PCs and spreading out the work (see "How was the information stolen?" above). Spammers and malware spreaders use zombies to send junk mail and malware for the same reasons.
What did the criminals do with the Monster data once they had it? No one's arguing the facts: personal information purloined from the Monster resume database was used to create, then send, targeted phishing e-mails -- the term is "spear phishing" -- that spread other malicious software or recruited "money mules," the middlemen who transfer money from a phished bank account to a foreign bank account. It's the emphasis where Monster and Symantec part.
Monster has focused on the mule-recruiting angle or even depicted those e-mails as run-of-the-mill phishing. "The purpose of gathering this information appears to be sending email disguised as Monster in order to gain recipients' trust, and then attempting to convince users to engage in financial transactions," the company now says on its revised security alert. Only in passing does it also call out "or lure them into downloading malicious software."
That, however, is the prime use of the stolen information, said Symantec's Hidalgo, who traced connections between Infostealer.Monstres and at least two other Trojans. The first, Banker.c, watches for, steals, then transmits back to hacker HQ online banking log-in information for accounts at Bank of America and the German arm of Citibank. The second, Gpcoder.e, is "ransomware," a Trojan that encrypts files on the infected PC's hard drive, then informs its owner that the files will be unusable until a fee is paid. In Gpcoder.e's case, the ransom was US$300.