Resumes: A Favorite Phishing Hole for Spammers

A data theft revealed over the weekend of some 1.6 million records from Monster.com does not raise issues of identity theft, the employment Web site asserted.

"[T]here have been reports of this as an issue of 'identify theft,'" Monster Vice President of Compliance and Fraud Prevention Patrick W. Manzo said. "We are not aware of any cases of identity theft. In fact, the information that is gathered from Monster is not different than that displayed in a phone book -- i.e. generic contact information."

The record theft, Manzo maintained, was not a breach of the company's security systems.

"To the best of our knowledge, this is not a 'hack' of Monster's security -- rather, legitimate customer credentials are being used to log into the database," Manzo said.

"We are investigating the reports related to this Trojan and will take all necessary steps to mitigate the issue, including terminating any account used for illegitimate purposes," he added.

Info Stealing Monsters

The data theft at Monster came to light last Friday in a blog entry at the Web site of security software maker Symantec (Nasdaq: SYMC), of Cupertino, Calif.

"Yesterday, we analyzed a sample of a new Trojan, called 'Infostealer.Monstres,' which was attempting to access the online recruitment Web site, Monster.com," Symantec researcher Amado Hidalgo wrote in the blog.

"It was also uploading data to a remote server," he continued. "When we accessed this remote server, we found over 1.6 million entries with personal information belonging to several hundred thousand people.

"Upon further investigation, the Trojan appears to be using the (probably stolen) credentials of a number of recruiters to log in to the Web site and perform searches for resumes of candidates located in certain countries or working in certain fields."

'Spammer's Fantasy Land'

"It's a spammer's fantasy land of information," Symantec product manager Mimi Hoang told the E-Commerce Times.

"By stealing the information from Monster and customizing it, they can target it and send out convincing phishing e-mails that will install other malicious malware to get more personal information," she added.

Resumes are highly prized in the identity theft community, according to Pam Dixon, executive director of the World Privacy Forum in San Diego, Calif.

"Resumes are gold in the hands of identity thieves, especially if it's a more organized kind of theft ring, because you can take the identities and match it up with geographical information and then just buy the SSNs [Social Security Numbers] and make a whole lot more cash," she told the E-Commerce Times.

Car Group

There is evidence that such an organized effort may be involved in the Monster data theft.

As Symantec was reporting on Infostealer.Monstres, SecureWorks, of Atlanta, reported in a blog at its Web site that it had discovered a cache of data stolen by a Trojan called "Prg."

"The data, which includes bank and credit card account information, SSNs, online payment account user names and passwords and other personal information, is from 46,000 victims who were all individually infected," wrote SecurityWorks researcher Don Jackson.

"The infection began in early May," he continued. "The victims are being infected and reinfected by ads on various online job sites. The hackers behind this scam are running ads on job sites and are injecting those ads with the Trojan."

Reportedly, the server caching the data stolen by the Trojan is one of 20 worldwide doing so. Twelve of those servers, including the one discovered by Jackson, are being operated by a single group of hackers known as the "Car Group," for their penchant for naming their malware after auto makers.

Familiar Modus Operandi

The attack on Monster is following an M.O. all too familiar to malware fighters.

"Monster has a high-profile name, but it's not unlike any other database that becomes compromised by someone with legitimate credentials who loses those credentials or makes them available to someone else," Ron O'Brien, a senior security analyst with security software maker Sophos, of Burlington, Mass., told the E-Commerce Times.

"What we're seeing today are very targeted attacks that use a combination of techniques," Symantec's Hoang added. "The end result is getting into people's personal and financial information for financial gain."