Personal data stolen from hundreds of 1000s
Presuming this hasn't been posted already...
|US job website Monster.com has suffered an online attack with the personal data of hundreds of thousands of users stolen, says a security firm. |
A computer program was used to access the employers' section of the website using stolen log-in credentials.
Symantec said the log-ins were used to harvest user names, e-mail addresses, home addresses and phone numbers, which were uploaded to a remote web server.
Symantec said it had seen reports of phishing e-mails sent out to Monster.com users which were "very realistic, containing personal information of the victims".
The e-mail encouraged users to download a Monster Job Seeker Tool, which was in fact a program that encrypted files in their computer and left a ransom note demanding money for their decryption.
"To the best of our knowledge, this is not a hack of Monster's security, rather, legitimate customer credentials are being used to log in to the database," said Patrick W. Manzo, vice president of compliance and fraud prevention at Monster.
I read the news article and I think 'breached' or 'hacked' are probably a bit too aggressive as terms for what seems to have happened. (Even though the general media will probably call it that on TV or online.) I think 'harvested' is a better term for describing the situation. It sounds like a computer program logged into Monster.com as an employer using valid credentials and then harvested names, addresses, etc. from potential job seekers. Then they used this information to spam the users and try to trick them into downloading a fake toolbar app.
It appears that a trojan was used to obtain Monster.com login credentials, but that is more of an issue with the personal computers of the employers who have a Monster.com account. Unfortunately, Monster.com is going to get the bad PR, but it already sounds like they are trying to educate people that the same type of info was harvested that you can get from other public sources like a phonebook. (Except of course email addresses, which in this case are the method used to illegally solicit the userbase and obviously the bigger issue.)
Unless there is more to the story, I would have to think this type of problem could occur for any number of websites that offer opportunities for one user to view the profiles of other users. Oh wait... there are HUNDREDS of these types of sites.
I haven't sussed it out... Is this case separate from the trojan job ads on Monster (and others)? It sounds like it.
InformationWeek: Phony Ad On Job Sites Leads To 100,000 Stolen Identities [informationweek.com]
|Security researchers have unearthed the single largest cache of stolen identities, thanks in part to a Trojan stealing the data that has been hidden in a fraudulent advertisement on online job sites like Monster.com. |
The data, which includes bank and credit card account information, Social Security numbers, online payment account usernames and passwords, comes from victims who were all individually infected with the Trojan beginning in early May.
The willingness of people to enter whatever a form asks them for will never cease to amaze me...!
Yes, I had a client that had a similar problem - they eventually had to limit access to US-only visitors. There are still some issues with US visitors, but it decreased the fraud by 95%. Obviously Monster couldn't do this, but I feel their pain.
ouch, that bites on both of these accounts.
|I haven't sussed it out... Is this case separate from the trojan job ads on Monster (and others)? It sounds like it. |
InformationWeek: Phony Ad On Job Sites Leads To 100,000 Stolen Identities
I just did fport on my machines and thankfully there isn't anything listening on port 6081 :) (or anything unusual on other ports)
--Unfortunately Monster.com is going to get the bad PR but it already sounds like they are trying to educate people that the same type of info was harvested that you can get from other public sources like a phonebook.--
You might well be correct, but for the general public it's going to be a little hard to believe that though. Why did this person go to all the trouble of harvesting info from Monster.com if they could have gotten it all perfectly legally from public sources?
In a related story... thousands of spams are burying the "firstname.lastname@example.org" account and paper mail is piling up for "nobody, 13 nowhere place, noneya city, Fla".
We recently posted an ad for a job opening on Craigslist and got email bombed when I responded to one telling them they need to fax in their information. Argh. I've now had to set up a temp email account for those types of responses. Hate that.
As if the job boards don't spam me enough already, now their list gets stolen so I'll get even more fake job spams than before.
I posted a resume 4 or 5 years ago on monster.com and others, and I can't stop them from sending email. I still get jobs available listings in my local area. On top of that, I get quite a few spams from recruiting agencies.
And every once in awhile there is a barrage of spams related to positions available at Google.
So I suppose a few more jobs available spams won't make much difference.
I hope this will finally make job sites like this work a little harder to protect the privacy of both parties. This would have been very easy to stop by:
Email contact only via web-based form
No names of applicants - this only leads to prejudice anyway
Phone-numbers handled by calling a single number which forwards the call based on an entered ID number
Had those simple steps been taken then there would have been nothing worth harvesting.
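The harvesting described in the article (one valid employer login pulling profiles by script at machine speed) leaves a rate signature that a job board can detect server-side, independent of whether the credentials were stolen. As an added example, not code from the thread or from Monster, here is a sliding-window check over a constructed access log; the log format, the 10-minute window and the 20-profile threshold are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed sliding-window length
MAX_PROFILES = 20               # assumed: distinct profiles a recruiter plausibly opens per window


def build_sample_log():
    """Constructed sample log (not real data): "timestamp account candidate_id".
    One account browses at human pace, one scripts through profiles."""
    base = datetime(2007, 8, 17, 9, 0, 0)
    lines = []
    for i in range(5):  # human pace: a profile every four minutes
        ts = base + timedelta(minutes=4 * i)
        lines.append(f"{ts.isoformat()} acme_hr c{1000 + i}")
    for i in range(120):  # scripted pace: a profile every two seconds
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} globex_recruit c{2000 + i}")
    return "\n".join(lines)


def parse_log(text):
    """Parse the assumed log format into (timestamp, account, candidate_id)."""
    events = []
    for line in text.splitlines():
        ts, account, cid = line.split()
        events.append((datetime.fromisoformat(ts), account, cid))
    return events


def detect_harvesting(events, window=WINDOW, max_profiles=MAX_PROFILES):
    """Return {account: peak distinct profiles viewed within any window}
    for accounts whose peak exceeds max_profiles."""
    per_account = defaultdict(list)
    for ts, account, cid in events:
        per_account[account].append((ts, cid))
    flagged = {}
    for account, views in per_account.items():
        views.sort()
        seen = Counter()   # candidate_id -> views inside the current window
        start = peak = 0
        for ts, cid in views:
            seen[cid] += 1
            while views[start][0] < ts - window:  # drop views older than the window
                old = views[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            peak = max(peak, len(seen))
        if peak > max_profiles:
            flagged[account] = peak
    return flagged
```

A flagged account would be throttled and reviewed rather than blocked outright, since a legitimate recruiter with a large requisition can also burst; the threshold is a starting point to tune against real traffic.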
A: Jul 2007: Monster decrease in mid-term profits lays off 15% of workforce
B: August 2007: Monster hacked, data stolen.
A + B = inside job?
lexipixel, I was thinking the same thing! It will be interesting if they find out who did it and if they were a former employee.
|It will be interesting if they find out who did it and if they were a former employee. |
It could also be a current employee, or even the owners, selling the list to make some extra cash.
"...recently posted a job opening on Craigslist and got email bombed..."
Whenever I post on CL, I write "Please respond with your name and phone number and I'll call you ASAP". I use CL quite a bit and find 50% of the email I reply to generates a week of spam.
If I'm selling a car or renting out a room I sometimes put my phone number in the ad and no email (not even the anonymous CL address).
I think CL is a major cause of the drop in profits for Monster. I'm in the Boston, MA area and CL did free posts for everything for a couple years, a few months ago they started charging for JOBS listings --- which had a positive effect and got rid of all the scammers posting "Work From Home" and "Model Wanted" ads, no drop in overall real job listings.
CL definitely hurt the local newspaper "Help Wanted" section and it has to be hurting Monster.
CL is fast, easy to search, no hoops to jump through, and people can still post under Gigs and Services (and other areas of CL) as "Work Wanted" or "Services Offered" for free -- I haven't been on Monster in a few years (and used to browse all the time looking for short term contract work), now I check CL and pick up work there often.