Update: Hackers jack Monster.com, infect job hunters
Monster confirms attack, hints Russian Business Network at fault; questions remain
Computerworld - Monster.com confirmed Tuesday that it took down a portion of its online job search service after attackers hacked the site and used it to feed exploits to visitors.
The Maynard, Mass.-based company did not, however, explain how the hackers were able to hijack the site.
Researchers began reporting the attacks Monday after detecting IFrame exploits on several Monster.com pages as well as attacks by a multi-exploit hacker tool kit originating from those pages. By Monday evening, the Monster Company Boulevard, a section of the site that lets job hunters research firms and search for positions by company, was dark. Among the major American companies represented on the Boulevard are Boeing, Dow, Microsoft, Starbucks and Wal-Mart.
Job seekers who used that portion of Monster.com before the site was yanked were attacked by Neosploit, an exploit tool kit similar to the better-known Mpack, said Roger Thompson, chief technology officer at Exploit Prevention Labs Inc. "A typical infective URL was http://company.monster.com/toyfs/, which is Toyota [Financial's section]," said Thompson in an instant message exchange Monday night. "Or http://company.monster.com/bestbuy, which is Best Buy's."
The injection of the malicious IFrame code into the Monster.com site probably happened Monday, he added. "It was interesting that we got five or so hits in the space of a few hours today, but none before that. I think it happened [Monday]," he said.
Like many other IFrame exploits, this one silently redirected users' browsers to another site hosting Neosploit. At least one of the exploit sites Thompson identified has a connection to the notorious Russian Business Network (RBN), the hacker and malware hosting network that recently shifted operations to China, then mysteriously abandoned the IP blocks it had acquired there.
The IP address of the exploit site is assigned to a server in Australia that is part of the "myrdns.com" domain, which, in turn, is registered to a Hong Kong Internet service provider called HostFresh Internet. Both HostFresh and myrdns.com have been linked to RBN activities, including the long-running IFrame Cash scheme, in which RBN pays Web site owners a commission for injecting IFrame exploits on other sites.
Monday afternoon, Thompson said he had just started digging into the Monster.com hack. "It is not clear how many pages were affected, but it is likely that the attack was the same for all companies on the site, which might turn out to be a pretty good set of the Fortune 500," he said on his blog.
On Tuesday, Monster.com acknowledged the attacks but downplayed their extent. "A malicious attack inserted code into [some] pages, which could cause certain unprotected computer systems to download a virus," said Steve Sylven, Monster's public relations manager, in an e-mail Tuesday afternoon. "The virus is detectable by most major antivirus software, and this issue should not affect users running Windows with the most recent security updates from Microsoft. In addition, we believe only an extremely small percentage of those using the site this week were potentially exposed prior to those pages being cleaned."
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts