August 23rd, 2007

Monster.com shuts down rogue server linked to data theft

Posted by Ryan Naraine @ 1:50 pm

Categories: Botnets, Browsers, Data theft, Exploit code, Firefox, Hackers, Metasploit, Open source, Oracle, Passwords, Patch Watch, Pen testing, Privacy, Responsible disclosure, Spam and Phishing, Spyware and Adware, Viruses and Worms, Vulnerability research

Tags: Monster, Server, Ryan Naraine

Monster.com has shut down a rogue server that was accessing its database to hijack personal information from about 1.3 million job seekers.

In a statement issued today, the company said most of the affected job hunters were based in the U.S.

As previously reported, the information contained on this server was limited to names, addresses, phone numbers and email addresses. Based on Monster’s thorough review, no other details, including bank account numbers, were uploaded.

Monster is working closely with the appropriate regulatory agencies and law enforcement authorities on this issue. Currently, the Company is reaching out to impacted individuals to alert them. As part of its communications, Monster is in the process of informing these individuals on the appropriate precautionary steps to protect themselves from any fraudulent emails claiming to be from Monster and asking for personal details.

The Monster.com statement comes on the heels of Symantec’s discovery of Infostealer.Monstres, a Trojan horse that is rigged to steal sensitive information from the compromised computer and targets Monster.com users when they post data online.

According to Symantec’s Amado Hidalgo, the rogue server was making connections to hiring.monster.com and recruiter.monster.com, two sub-domains used by recruiters and human resources personnel to search for potential candidates and post jobs to Monster.

[The] Trojan appears to be using the (probably stolen) credentials of a number of recruiters to login to the Web site and perform searches for resumes of candidates located in certain countries or working in certain fields. The Trojan sends HTTP commands to the Monster.com Web site to navigate to the Managed Folders section. It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter’s saved searches. The personal details of those candidates, such as name, surname, email address, country, home address, work/mobile/home phone numbers and resume ID, are then uploaded to a remote server under the control of the attackers.
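A defender's view of the behaviour described above, as an added example that is not part of the original post or of Symantec's analysis: it flags any source address that signs in as several recruiter accounts on the two recruiter sub-domains and pulls a large number of candidate profiles. The log layout, the profile URL, the thresholds and all sample records are constructed assumptions.

```python
from collections import defaultdict

# Hosts named in the article. Log layout and URL path are assumptions.
RECRUITER_HOSTS = {"hiring.monster.com", "recruiter.monster.com"}
PROFILE_PREFIX = "/folders/profile?id="  # hypothetical candidate-profile URL

def build_sample():
    """Constructed log: '<time> <source IP> <account> <host> <path>'."""
    rows = []
    # One source cycling through three recruiter logins, six profiles each.
    for n, acct in enumerate(["rec_a", "rec_b", "rec_c"]):
        for i in range(6):
            rows.append(f"02:0{n}:{i:02d} 203.0.113.50 {acct} "
                        f"recruiter.monster.com {PROFILE_PREFIX}{n * 6 + i}")
    # Office NAT: two real recruiters, a handful of profile views.
    for i, acct in enumerate(["rec_d", "rec_e", "rec_d"]):
        rows.append(f"09:15:{i:02d} 198.51.100.7 {acct} "
                    f"hiring.monster.com {PROFILE_PREFIX}{900 + i}")
    # Job-seeker traffic on another host is out of scope for this check.
    rows.append("09:20:00 192.0.2.9 seeker_1 www.monster.com /jobs")
    rows.append("malformed line")
    return "\n".join(rows)

def suspicious_sources(log_text, min_accounts=3, min_profiles=10):
    """Return sources that used many recruiter accounts AND pulled many profiles."""
    accounts = defaultdict(set)   # source IP -> recruiter accounts seen
    profiles = defaultdict(set)   # source IP -> distinct profile ids viewed
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue              # skip lines that do not match the layout
        _, ip, account, host, path = parts
        if host not in RECRUITER_HOSTS:
            continue
        accounts[ip].add(account)
        if path.startswith(PROFILE_PREFIX):
            profiles[ip].add(path[len(PROFILE_PREFIX):])
    return {
        ip: {"accounts": sorted(accounts[ip]), "profiles": len(profiles[ip])}
        for ip in accounts
        if len(accounts[ip]) >= min_accounts and len(profiles[ip]) >= min_profiles
    }

if __name__ == "__main__":
    for ip, hit in suspicious_sources(build_sample()).items():
        print(ip, hit)
```

Requiring both conditions keeps a shared office address with a couple of active recruiters from being flagged on account count alone.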

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.


