Update: Hackers jack Monster.com, infect job hunters

Computerworld - Monster.com confirmed Tuesday that it took down a portion of its online job search service after attackers hacked the site and used it to feed exploits to visitors.

The Maynard, Mass.-based company did not, however, explain how the hackers were able to hijack the site.

Researchers began reporting the attacks Monday after detecting IFrame exploits on several Monster.com pages as well as attacks by a multi-exploit hacker tool kit originating from those pages. By Monday evening, the Monster Company Boulevard, a section of the site that lets job hunters research firms and search for positions by company, was dark. Among the major American companies represented on the Boulevard are Boeing, Dow, Microsoft, Starbucks and Wal-Mart.

Job seekers who used that portion of Monster.com before the site was yanked were attacked by Neosploit, an exploit tool kit similar to the better-known Mpack, said Roger Thompson, chief technology officer at Exploit Prevention Labs Inc. "A typical infective URL was http://company.monster.com/toyfs/, which is Toyota [Financial's section]," said Thompson in an instant message exchange Monday night. "Or http://company.monster.com/bestbuy, which is Best Buy's."

The injection of the malicious IFrame code into the Monster.com site probably happened Monday, he added. "It was interesting that we got five or so hits in the space of a few hours today, but none before that. I think it happened [Monday]," he said.

Like many other IFrame exploits, this one silently redirected users' browsers to another site hosting Neosploit. At least one of the exploit sites Thompson identified has a connection to the notorious Russian Business Network (RBN), the hacker and malware hosting network that recently shifted operations to China, then mysteriously abandoned the IP blocks it had acquired there.

The IP address of the exploit site is assigned to a server in Australia that is part of the "myrdns.com" domain, which, in turn, is registered to a Hong Kong Internet service provider called HostFresh Internet. Both HostFresh and myrdns.com have been linked to RBN activities, including the long-running IFrame Cash scheme, in which RBN pays Web site owners a commission for injecting IFrame exploits on other sites.

According to an anonymous blogger who tracks the RBN, other myrdsn.com/HostFresh IP addresses were involved in the Bank of India hack in August.

Monday afternoon, Thompson said he had just started digging into the Monster.com hack. "It is not clear how many pages were affected, but it is likely that the attack was the same for all companies on the site, which might turn out to be a pretty good set of the Fortune 500," he said on his blog.

On Tuesday, Monster.com acknowledged the attacks but downplayed their extent. "A malicious attack inserted code into [some] pages, which could cause certain unprotected computer systems to download a virus," said Steve Sylven, Monster's public relations manager, in an e-mail Tuesday afternoon. "The virus is detectable by most major antivirus software, and this issue should not affect users running Windows with the most recent security updates from Microsoft. In addition, we believe only an extremely small percentage of those using the site this week were potentially exposed prior to those pages being cleaned."