FAQ: The Monster.com mess

Job search site looting goes back weeks, maybe months

The last thing you need when you're unemployed is a bank account that's suddenly emptied. But that's exactly what some unwary users of employment search site Monster.com faced after identity thieves made off with the personal information of more than a million people looking for jobs.

This still-developing story has enough nooks and crannies to confuse a gumshoe, but some facts are clear: Monster's resume database was looted, and the personal information taken was used to forge convincing messages that deposited password-stealing Trojans and ransomware on users' PCs.

Calculated and ambitious, the attack is striking for how it blended several elements -- stolen credentials of legitimate users, phishing e-mails, Trojan horses, money mules and more -- into a slick assault. Here's what we know so far.

Was Monster.com hacked? No, as Symantec said immediately. Instead, the attackers accessed the resume database with legitimate usernames and passwords, probably stolen from professional recruiters and human resource personnel who use the "Monster for employers" section of the site to look for job candidates. But it wasn't until Thursday that Monster.com admitted as much. "By gaining unauthorized access to employer accounts, the software was obtaining job seeker contact information," a new alert said.

What was snatched from the database? Names, e-mail addresses, mailing addresses, phone numbers and resume IDs, said Symantec. Yesterday, Monster.com added that only about 5,000 of the people whose data was filched live outside the U.S. That squares with what Symantec's Amado Hidalgo said in an e-mail: The information-stealing Trojan was hard-coded to dig through only the "hiring.monster.com" and "recruiter.monster.com" domains, limiting the theft to the Monster USA site's database. "They only targeted the U.S. Monster site and not any other international Monster [Worldwide] Inc. sites, such as those in the U.K., Spain, etc.," said Hidalgo.

How was the information stolen? The Infostealer.Monstres Trojan runs batch searches by sending HTTP commands to the Monster Web site to navigate through folders, said Hidalgo. The malware then parses the output that appears in a pop-up window that holds the job seeker profiles that match the search criteria. Essentially, the Trojan worked as an automated search bot that located candidates, captured their contact information and sent it to a remote server controlled by the criminals. Symantec said that the server, though located in Russia, was hosted by a company out of Ukraine.

By using Infostealer.Monstres to do their harvesting, the attackers also covered their tracks -- the Trojan could be planted on any computer previously compromised, with the search seemingly originating with that computer's owner -- and could easily spread the work out among a number of IP addresses, probably to slip under any Monster radar potentially watching for unusually large numbers of search requests coming from any one location. (There is no evidence at the moment that Monster deploys such radar.)

How many people are affected? Initially, Symantec's researchers played it vague, saying only that "several hundred thousand" were at risk. Thursday, though, Monster said that it had found contact information on the hackers' server for about 1.3 million people who had posted resumes. The other number that's been bandied about -- 1.6 million -- represents the tally of contact entries Symantec counted on the server last week; a significant number of Monster users apparently post more than one resume.

How did the hackers manage to grab so many contact records without Monster.com noticing? That's a good question. Monster itself hinted at one explanation: automated searches like the ones Infostealer.Monstres ran aren't unusual. "Many of our customers use automatic or semiautomatic means to search our database," said Monster spokesman Steve Sylven last Sunday. "Moreover, many of our larger customers rely heavily on our database, and their use may be similar to programmatic or scripted access." Translation: The searches conducted by the bigger Monster customers are as bot-like as those run by the Trojan.

The thieves also probably relied on some standard tactics to avoid detection, including running the searches from innocent PCs and spreading out the work (see "How was the information stolen?" above). Spammers and malware spreaders use zombies to send junk mail and malware for the same reasons.
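The two passages above describe the detection gap from the defender's side: a per-IP rate limit sees nothing unusual when the harvesting is spread across many compromised PCs, while a legitimate corporate customer's scripted access can look more suspicious than the Trojan does. The script below is an added illustration of that point, not code from Monster, Symantec or the original article. It runs a per-source-IP rule and a per-account rule over a constructed log sample; the log format, account names, addresses and thresholds are all hypothetical.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of employer-side resume-search requests, one per line:
# "<timestamp> <account> <source-ip> <request-path>". The format, the
# account names and the addresses are hypothetical; this is not Monster
# log data. agency_c is a legitimate heavy user working from one address;
# recruiter_b is an account whose credentials are being used from three
# different machines, each staying under a per-address rate limit.
SAMPLE_LOG = """\
2007-08-10T09:00:01 recruiter_a 198.51.100.10 /search?q=java&page=1
2007-08-10T09:02:14 recruiter_a 198.51.100.10 /search?q=java&page=2
2007-08-10T09:05:40 recruiter_a 198.51.100.10 /resume/view?id=R0001
2007-08-10T09:10:00 agency_c 203.0.113.5 /search?q=nurse&page=1
2007-08-10T09:10:02 agency_c 203.0.113.5 /search?q=nurse&page=2
2007-08-10T09:10:04 agency_c 203.0.113.5 /search?q=nurse&page=3
2007-08-10T09:10:06 agency_c 203.0.113.5 /search?q=nurse&page=4
2007-08-10T09:10:08 agency_c 203.0.113.5 /search?q=nurse&page=5
2007-08-10T09:10:10 agency_c 203.0.113.5 /search?q=nurse&page=6
2007-08-10T09:10:12 agency_c 203.0.113.5 /search?q=nurse&page=7
2007-08-10T09:10:14 agency_c 203.0.113.5 /search?q=nurse&page=8
2007-08-10T09:20:00 recruiter_b 192.0.2.21 /search?q=accountant&page=1
2007-08-10T09:20:03 recruiter_b 192.0.2.21 /search?q=accountant&page=2
2007-08-10T09:20:06 recruiter_b 192.0.2.21 /search?q=accountant&page=3
2007-08-10T09:21:00 recruiter_b 192.0.2.77 /search?q=accountant&page=4
2007-08-10T09:21:03 recruiter_b 192.0.2.77 /search?q=accountant&page=5
2007-08-10T09:21:06 recruiter_b 192.0.2.77 /search?q=accountant&page=6
2007-08-10T09:22:00 recruiter_b 192.0.2.130 /search?q=accountant&page=7
2007-08-10T09:22:03 recruiter_b 192.0.2.130 /search?q=accountant&page=8
2007-08-10T09:22:06 recruiter_b 192.0.2.130 /search?q=accountant&page=9
"""


@dataclass(frozen=True)
class Request:
    timestamp: str
    account: str
    src_ip: str
    path: str


def parse_log(text: str) -> list[Request]:
    """Parse the hypothetical four-field log format, skipping blank lines."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, path = line.split(maxsplit=3)
        requests.append(Request(ts, account, ip, path))
    return requests


def flag_by_source_ip(requests: list[Request], max_per_ip: int) -> set[str]:
    """Per-address rule: flag any source IP that issued more than max_per_ip requests."""
    counts: dict[str, int] = defaultdict(int)
    for r in requests:
        counts[r.src_ip] += 1
    return {ip for ip, n in counts.items() if n > max_per_ip}


def account_profile(requests: list[Request]) -> dict[str, tuple[int, set[str]]]:
    """Aggregate per account: total requests and the set of distinct source addresses."""
    totals: dict[str, int] = defaultdict(int)
    ips: dict[str, set[str]] = defaultdict(set)
    for r in requests:
        totals[r.account] += 1
        ips[r.account].add(r.src_ip)
    return {a: (totals[a], ips[a]) for a in totals}


def flag_by_account(requests: list[Request], max_requests: int, max_ips: int) -> set[str]:
    """Per-account rule: flag accounts that are both high-volume and seen from more
    distinct source addresses than one recruiter's workstation plausibly would be."""
    return {a for a, (n, ips) in account_profile(requests).items()
            if n > max_requests and len(ips) > max_ips}


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    print("per-IP rule flags:", flag_by_source_ip(reqs, max_per_ip=6))
    print("per-account rule flags:", flag_by_account(reqs, max_requests=8, max_ips=2))
```

With these thresholds the per-IP rule flags only the legitimate heavy user's address and misses the distributed account entirely; the per-account rule flags the account being driven from three machines and leaves the single-address customer alone. The design point is that the credential, not the network address, is the stable identity in this kind of harvesting, so volume and address-spread should be aggregated per account.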

What did the criminals do with the Monster data once they had it? No one's arguing the facts: personal information purloined from the Monster resume database was used to create, then send, targeted phishing e-mails -- the term is "spear phishing" -- that spread other malicious software or recruited "money mules," the middlemen who transfer money from a phished bank account to a foreign bank account. It's the emphasis where Monster and Symantec part.

Monster has focused on the mule-recruiting angle or even depicted those e-mails as run-of-the-mill phishing. "The purpose of gathering this information appears to be sending email disguised as Monster in order to gain recipients' trust, and then attempting to convince users to engage in financial transactions," the company now says on its revised security alert. Only in passing does it also call out "or lure them into downloading malicious software."

That, however, is the prime use of the stolen information, said Symantec's Hidalgo, who traced connections between Infostealer.Monstres and at least two other Trojans. The first, Banker.c, watches for, steals, then transmits back to hacker HQ online banking log-in information for accounts at Bank of America and the German arm of Citibank. The second, Gpcoder.e, is "ransomware," a Trojan that encrypts files on the infected PC's hard drive, then informs its owner that the files will be unusable until a fee is paid. In Gpcoder.e's case, the ransom was $300.

What good does the other stolen information do the thieves? Two words: response rate. According to research (PDF format) conducted by an Indiana University team in 2005, people are much more likely to click or give up information if the message contains clues of legitimacy, as when the message appears to come from a close friend. In fact, 72% of the people in the study who received phishing mail from someone in their social network took the bait and divulged their log-on information, four and a half times the number in the control group.

Spear phishing, then, can be incredibly effective, at least from the criminals' point of view. By using the Monster resume data to target the recipient and flesh out the e-mail with the recipient's real name -- often difficult or impossible to guess from the e-mail address itself -- the crooks can expect more people to let down their guard and actually launch the attached file. (In the case of Gpcoder.e, the file posed as a Monster Job Seeker Tool, fictitious software of course, but likely enough to get people to click; when they did, they installed the Trojan, not a job search assistant.)

So the goal of the attackers is...what? Bank account log-ons, clearly. Ransomware, though not uncommon, usually flops because someone -- often one or more security vendors -- cracks the encryption used to lock up the files and makes that public, eliminating the need to pay up.

Another clue that bank accounts are the endgame is the effort spent on recruiting money mules. The group wouldn't need mules unless it had, or anticipated having, access to bank accounts.

When did this start? We don't know, and so far, Monster has not talked about this. But one self-described Monster user claimed here to have received money-mule messages between June 3 and June 13, and had reported them to Monster. "Monster only said it was not from them and did not admit that they had let my information get away from them," said "Anonymous." Symantec first alerted Monster of its findings last Friday, Aug. 17, both the security company and Monster have said.

Evidence of the Gpcoder.e seeding -- using phony Monster messages touting a nonexistent tool -- goes back at least as far as early July, according to analysis by U.K.-based security company Prevx Ltd. It may have started days or even weeks before that.

Some reports, in fact, have claimed users started seeing phishing mail built atop the stolen personal information as early as February of this year.

What can Monster users do to protect themselves? For the 1.3 million whose resumes have been pillaged, it's too late; the horse has left the barn. Even so, some users decided to cancel their accounts as a way to block any future malware-based searches. "I can still search for jobs and submit my resume to postings, but employers/recruiters cannot find me in their searches," said a Chicago user identified as "Greg" in a comment on a Computerworld story that ran Thursday. "I certainly would encourage others to protect themselves and delete their Monster accounts as well."

Monster hasn't disabled batch or automated searches, or if it has, it's not said as much. (On Sunday, company spokesman Steve Sylven seemed to say that because large corporate customers of the service used automated searches, banning them would be out of the question.) It has, however, shut down the server that the gang was using to store its stolen data and presumably disabled the legitimate accounts used to access the database. (Symantec's Hidalgo said last week that his team had forwarded those accounts to Monster.) We say "presumably" because while we have asked Monster if those accounts have been closed, the company has not explicitly acknowledged doing so.

Other than that, the only advice being given by Monster or Symantec is the usual: Be suspicious of all unsolicited, unanticipated e-mail, run up-to-date antivirus software -- to stop Trojans such as Banker.c or Gpcoder.e at the door -- and refuse to give out personal information.

Copyright © 2007 IDG Communications, Inc.