Trojan Steals over 1 Million Records from Monster

A massive multistage attack has reportedly stolen data relating to over a million people who put up their resumes on the job site Monster.com, a researcher said. PCWorld.com published this in news on August 20, 2007.

According to Amado Hidalgo, security analyst at Symantec Corp., a new Trojan program that Symantec has named as Infostealer.Monstres has captured about 1.6 Million records from millions of people who have registered on the job-hunting service of Monster Worldwide Inc. The data was subsequently used to send phishing e-mails to users of Monster.com that would install malware on their computer systems.

The scam triggered off with the use of an earlier Trojan dubbed as 'Prg Trojan', which SecureWorks researcher, Don Jackson, had discovered. He said the scam fraudsters were posting ads on major job sites while injecting the Trojan into the ads. SC Magazine published this on August 17, 2007.

Monster.com spokesman Steve Sylven said that after three days of the scam, the company was investigating complaints about the Trojan's activities and is preparing to implement the necessary steps that the investigation indicates. PCWorld.com published this on August 17, 2007.

The personal information that was seized from Monster.com consisted of names, home address, e-mail address, phone number and resume Id number. Infostealer.Monstres snatched information from Monster.com by employing authentic log-ins that were possibly captured from human resource officials and recruiters who regularly access the "monster for employers" portion of the Website. Once the Trojan managed the entry into the site, it automatically searched resumes of applicants working in specific fields or based in specific countries. The Trojan then uploaded the results on the remote server of the attackers.

The attackers began their operations by collecting personal information and e-mail addresses from resumes available on Monster.com by using Infostealer.Monstres. Next, they infected those candidates' computers by sending phishing e-mails purporting to be from Monster.com that helped to install Gpcoder.e and Banker.c.

According to SecureWorks, although the two malware seemed to spread from infected ads on the job sites, the Infostealer.Monstres allows to send fake messages directly to the user Ids of Monster.com that it obtains by automated searches.

Related article: Trojans to Target VoIP in 2006

» SPAMfighter News - 9/6/2007