Update: Hackers jack Monster.com, infect job hunters
Monster confirms attack, hints Russian Business Network at fault; questions remain
Computerworld - Monster.com confirmed Tuesday that it took down a portion of its online job search service after attackers hacked the site and used it to feed exploits to visitors.
The Maynard, Mass.-based company did not, however, explain how the hackers were able to hijack the site.
Researchers began reporting the attacks Monday after detecting IFrame exploits on several Monster.com pages as well as attacks by a multi-exploit hacker tool kit originating from those pages. By Monday evening, the Monster Company Boulevard, a section of the site that lets job hunters research firms and search for positions by company, was dark. Among the major American companies represented on the Boulevard are Boeing, Dow, Microsoft, Starbucks and Wal-Mart.
Job seekers who used that portion of Monster.com before the site was yanked were attacked by Neosploit, an exploit tool kit similar to the better-known Mpack, said Roger Thompson, chief technology officer at Exploit Prevention Labs Inc. "A typical infective URL was http://company.monster.com/toyfs/, which is Toyota [Financial's section]," said Thompson in an instant message exchange Monday night. "Or http://company.monster.com/bestbuy, which is Best Buy's."
The injection of the malicious IFrame code into the Monster.com site probably happened Monday, he added. "It was interesting that we got five or so hits in the space of a few hours today, but none before that. I think it happened [Monday]," he said.
Like many other IFrame exploits, this one silently redirected users' browsers to another site hosting Neosploit. At least one of the exploit sites Thompson identified has a connection to the notorious Russian Business Network (RBN), the hacker and malware hosting network that recently shifted operations to China, then mysteriously abandoned the IP blocks it had acquired there.
The IP address of the exploit site is assigned to a server in Australia that is part of the "myrdns.com" domain, which, in turn, is registered to a Hong Kong Internet service provider called HostFresh Internet. Both HostFresh and myrdns.com have been linked to RBN activities, including the long-running IFrame Cash scheme, in which RBN pays Web site owners a commission for injecting IFrame exploits on other sites.
Monday afternoon, Thompson said he had just started digging into the Monster.com hack. "It is not clear how many pages were affected, but it is likely that the attack was the same for all companies on the site, which might turn out to be a pretty good set of the Fortune 500," he said on his blog.
On Tuesday, Monster.com acknowledged the attacks but downplayed their extent. "A malicious attack inserted code into [some] pages, which could cause certain unprotected computer systems to download a virus," said Steve Sylven, Monster's public relations manager, in an e-mail Tuesday afternoon. "The virus is detectable by most major antivirus software, and this issue should not affect users running Windows with the most recent security updates from Microsoft. In addition, we believe only an extremely small percentage of those using the site this week were potentially exposed prior to those pages being cleaned."
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!