The mess

Job search site looting goes back weeks, maybe months

The last thing you need when you're unemployed is a bank account that's suddenly emptied. But that's exactly what some unwary users of US employment search site faced after identity thieves made off with the personal information of more than a million people looking for jobs.

This still-developing story has enough nooks and crannies to confuse a gumshoe, but some facts are clear: Monster's resume database was looted, and the personal information taken was used to forge convincing messages that deposited password-stealing Trojans and ransomware on users' PCs.

Calculated and ambitious, the attack is striking for how it blended several elements -- stolen credentials of legitimate users, phishing e-mails, Trojan horses, money mules and more -- into a slick assault. Here's what we know so far.

Was hacked? No, as Symantec said immediately. Instead, the attackers accessed the resume database with legitimate usernames and passwords, probably stolen from professional recruiters and human resource personnel who use the "Monster for employers" section of the site to look for job candidates. But it wasn't until Thursday that admitted as much. "By gaining unauthorized access to employer accounts, the software was obtaining job seeker contact information," a new alert said.

What was snatched from the database? Names, e-mail addresses, mailing addresses, phone numbers and resume IDs, said Symantec. Yesterday, added that only about 5,000 of the people whose data was filched live outside the U.S. That squares with what Symantec's Amado Hidalgo said in an e-mail: The information-stealing Trojan was hard-coded to dig through only the "" and "" domains, limiting their theft to the Monster USA site's database. "They only targeted the U.S. Monster site and not any other international Monster sites," said Hidalgo.

How was the information stolen? The Infostealer.Monstres Trojan runs batch searches by sending HTTP commands to the Monster Web site to navigate through folders, said Hidalgo. The malware then parses the output that appears in a pop-up window that holds the job seeker profiles that match the search criteria. Essentially, the Trojan worked as an automated search bot that located candidates, captured their contact information and sent it to a remote server controlled by the criminals. Symantec said that the server, though located in Russia, was hosted by a company out of Ukraine.

By using Infostealer.Monstres to do their harvesting, the attackers also covered their tracks -- the Trojan could be planted on any computer previously compromised, with the search seemingly originating with that computer's owner -- and could easily spread the work out among a number of IP addresses, probably to slip under any Monster radar potentially watching for unusually large numbers of search requests coming from any one location. (There is no evidence at the moment that Monster deploys such radar.)

How many people are affected? Initially, Symantec's researchers played it vague, saying only that "several hundred thousand" were at risk. Thursday, though, Monster said that it had found contact information on the hackers' server for about 1.3 million people who had posted resumes. The other number that's been bandied about -- 1.6 million -- represents the tally of contact entries Symantec counted on the server last week; a significant number of Monster users apparently post more than one resume.

How did the hackers manage to grab so many contract records without noticing? That's a good question. Monster itself hinted at one explanation: automated searches like the ones Infostealer.Monstres ran aren't unusual. "Many of our customers use automatic or semiautomatic means to search our database," said Monster spokesman Steve Sylven last Sunday. "Moreover, many of our larger customers rely heavily on our database, and their use may be similar to programmatic or scripted access." Translation: The searches conducted by the bigger Monster customers are as bot-like as those run by the Trojan.

The thieves also probably relied on some standard tactics to avoid detection, including running the searches from innocent PCs and spreading out the work (see "How was the information stolen?" above). Spammers and malware spreaders use zombies to send junk mail and malware for the same reasons.

What did the criminals do with the Monster data once they had it? No one's arguing the facts: personal information purloined from the Monster resume database was used to create, then send, targeted phishing e-mails -- the term is "spear phishing" -- that spread other malicious software or recruited "money mules," the middlemen who transfer money from a phished bank account to a foreign bank account. It's the emphasis where Monster and Symantec part.

Monster has focused on the mule-recruiting angle or even depicted those e-mails as run-of-the-mill phishing. "The purpose of gathering this information appears to be sending email disguised as Monster in order to gain recipients' trust, and then attempting to convince users to engage in financial transactions," the company now says on its revised security alert. Only in passing does it also call out "or lure them into downloading malicious software."

That, however, is the prime use of the stolen information, said Symantec's Hidalgo, who traced connections between Infostealer.Monstres and at least two other Trojans. The first, Banker.c, watches for, steals, then transmits back to hacker HQ online banking log-in information for accounts at Bank of America and the German arm of Citibank. The second, Gpcoder.e, is "ransomware," a Trojan that encrypts files on the infected PC's hard drive, then informs its owner that the files will be unusable until a fee is paid. In Gpcoder.e's case, the ransom was US$300.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?