Monster.com Trojan recruits 'money mules' from victim pool

Computerworld - The Trojan responsible for stealing more than 1.6 million personal records from Monster.com uses that information to build targeted spam that offers recipients lucrative, but illegal, money laundering jobs, effectively turning some victims into criminal accomplices, said Symantec Corp. today.

Monster.com, meanwhile, said today it had shut down the server used to store the stolen resume information.

Earlier this week, Symantec fingered Infostealer.Monstres for using stolen Monster.com log-ons to run automated searches that have collected information on hundreds of thousands who have posted their resumes on the job search site.

Criminals then used the stolen names, e-mail addresses, home address, phone numbers and resume identification numbers to create convincing e-mail messages that contained malicious code. Some of those messages included Banker.c, a password-stealing Trojan horse that monitored the infected PC for log-ons to online banking accounts. When it sniffed a log-on in process, Banker.c recorded the username and password, then transmitted the data back to the hacker server that Monster.com shuttered today.

But Monstres is also equipped to recruit criminal collaborators, said Vikram Thakur, another Symantec researcher, in a post to the company's blog. By pinging the now-offline server, the Trojan could download several e-mail templates used to churn out a variety of messages touting a get-rich-quick scheme.

"The templates [we] acquired all point to the same position," said Thakur. "The job is that of a 'Transfer Manager' at an investment company. The job description states that the position would entail facilitating financial transactions made by the clients of the investment company."

"What we offer you is something more than just a job -- it's the opportunity to earn really big money without having to work much," read one of the templates, which plugged in the stolen Monster.com information to personalize the e-mail, and legitimize the message. "This job is not a full-time one -- you can work from 9 to 5 at some other place and use our service as a source of extra cash -- a lot of extra cash we should say," the same e-mail continued.

Among the job requirements, said the messages, were a new checking account with Bank of America. "We will require your bank account information from the newly opened account, needed only to forward wire transfers from your account."

Although the job offer didn't spell it out in so many words, it's clear that the work involves cleaning out accounts of phishing victims, possibly the very ones hit by the Banker.c Trojan. "Your task will be to process payments between our company and our clients with the bank checks using remote Internet operations," read one of the e-mailed job offers. "In each payment order there will be detailed instructions for you. It is a commission based position. We guarantee you will get about 10% from each processed payment."