A Symantec Security Response posting suggests that Monster.com, the huge job hunting website, has been subject to an online attack resulting in the theft of personal data in the form of resumes of its users.
"We analyzed a sample of a new Trojan, called Infostealer.Monstres, which was attempting to access the online recruitment Web site, Monster.com" the posting reveals, continuing "It was also uploading data to a remote server. When we accessed this remote server, we found over 1.6 million entries with personal information belonging to several hundred thousand people."
Further investigation revealed that only connections to the subdomains of hiring.monster.com and recruiter.monster.com were being made by the Trojan, both subdomains used by employers searching for potential employees at the site. Importantly, this part of the site requires those recruitment personnel to log in if they want to view any information on candidates. No surprise then, to discover that the Infostealer.Monstres Trojan is using a number of recruiter logins to do just that.
Rather than being a security breach in the traditional sense, it would appear therefore that what we have here is actually a fairly sophisticated data harvesting bot in action. Once logged in it searches, using the available tools at Monster.com, for the resumes of candidates dependent upon location or business sector and parses the output from the matching profile pop-ups.
So why go to all this trouble to harvest information that is, pretty much, in the public domain? We are talking about names, addresses, telephone numbers and, oh yes, email contact details here. The latter gives the biggest clue, as the resulting database is something of a spam outfit treasure chest. Because of the demographically targeted nature of the harvesting, there is much value to be added to the basic spam address list in this case. Symantec reports that it discovered the Trojan can indeed be instructed to send spam using a mail template downloaded from the command and control server.
Infostealer.Monstres shares a main file, ntos.exe, with Trojan.Gpcoder.E which is believed to have been involved in the spamming of Monster.com related phishing scams. And here lies the real rub of the latest attack, those phishing scams rely upon being as realistic as possible in gaining the confidence of the recipient. Realistic as in containing the type of personal data found in the resumes of the people so targeted perhaps?
Trojan.Gpcoder.E is a nasty piece of work, once installed after the user will encrypt files on the host computer. A text message is then displayed requesting money in order for those files to be unencrypted. Although rare, this type of virtual blackmail is not unknown. The fact that the source code of both Gpcoder and Monstres is so similar would suggest the same criminal outfit is behind the schemes.
The issue that needs to be addressed by Monster.com, and indeed the people who freely submit so much valuable personal data to such sites, is one of a basic expectation to privacy. This was not a hack, as has been widely reported in the online media, this was just an inevitable exploitation of a business practise that has been begging to be exploited for years. Indeed, who is to say that people have not been harvesting this data for years without being noticed? Were it not for the use of the Trojan in this case, it is doubtful whether the scam would have come to the attention of Symantec or anyone else for that matter.
Of course, while it is perfectly acceptable and indeed ethical to use a disposable email address for your contact point within such an online resume, things start to get a little cloudy if you try and obscure to much other personal information. Employers are not going to continue using a service which only provides them with potential employees who have lied about their name, location, age and credentials after all. It's a tricky one for Monster.com, but a solution needs to be found if the data harvesting is not to continue.
One thing is for sure, protecting the privacy of your users is not an optional thing, it is essential if you want to continue in business as those users become ever more aware of the risks of allowing such data to be exposed to spammers and scammers as well as potential employers.