By Gregg Keizer
August 19, 2007
The 46,000 people reportedly infected by ads on job sites may be only a
fraction of the victims of an ambitious, multi-stage attack that's
stolen data belonging to several hundred thousand people who posted
resumes on Monster.com, a researcher said this weekend.
According to Symantec Corp. security analyst Amado Hidalgo, a new Trojan
horse called Infostealer.Monstres by Symantec (and Prg by SecureWorks)
has stolen more than 1.6 million records belonging to several hundred
thousand people from the job search service Monster.com. That data is
then used to target the Monster.com users with credible phishing mail
that plants more malware on their machines.
"We are investigating the reports related to this Trojan and will take
any necessary steps indicated by that investigation," Monster.com
spokesman Steve Sylven said Sunday in an e-mail.
The personal information filched from Monster.com includes names, e-mail
addresses, home address, phone numbers, and resume ID number, said
Hidalgo, who traced the data to a remote server used by the attackers to
store the stolen information. Infostealer.Monstres ripped off
Monster.com by using legitimate log-ons, likely stolen from recruiters
and human resource personnel who have access to the "Monster for
employers" areas of the site. Once inside, the Trojan ran automated
searches for resumes of candidates located in certain countries or
working in certain fields. The results were then uploaded to the
attackers' remote server.
"Such a large database of highly personal information is a spammer's
dream," said Hidalgo. In fact, that's exactly what the attackers are
using their newly-acquired data for.
"The attackers first gather e-mail address and other personal
information from resumes posted to Monster.com with
Infostealer.Monstres," Hidalgo said. "Next, they will try to infect the
computers of those candidates by sending targeted Monster.com phishing
mails which install [Banker.c or Gpcoder.e]."
The first piece of malware, dubbed Banker.c by Symantec, is a
run-of-the-mill information-stealing Trojan that monitors the infected
PC for log-ons to online banking accounts; when it sniffs a log-on in
process, Banker.c records the username and password, then transmits the
data back to hacker HQ.
Gpcoder.e, on the other hand, is "ransomware," the name given to Trojans
which encrypt files on the hacked computer, then hold those files
hostage until the user pays a fee to unlock the data.
Although both Banker.c and Gpcoder.e may be distributed in other ways --
SecureWorks last week said it had spotted something like the former
coming from infected ads placed on job search sites --
Infostealer.Monstres' built-in mailing code and template lets it send
messages posing as missives from Monster.com straight to the job site
users it finds in its automated searches.
Infostealer.Monstres' second-stage attack, which uses Gpcoder, is
especially insidious. Realistic-looking e-mails that contain convincing
personal information -- the very information stolen from Monster.com --
instruct the recipient to download a program called "Monster Job Seeker
Tool." There is no tool, of course; victims download the ransomware
Hidalgo's research led him to conclude that the three pieces of code --
Infostealer.Monstres, Banker.c, and Gpcoder.e -- are related, and
probably the work of a single group.
"While their final purpose is different, their modus operandi is very
similar, using identical filenames, creating the same system folder,
injecting code into the same processes, and hooking the same system
functions using rootkit techniques to gain control of network
functionalities and to steal sensitive information," said Hidalgo. "They
share code and a number of traits that could indicate they were
developed by the same group or perhaps created using a kit."
Monster.com's Sylven defended the service's automated searches and said
that although the company monitors database activity, he said that
stolen credentials have been used in the past to access the system.
Moreover, it's difficult to tell a valid automated search generated by a
real person from one cranked out by software. "Many of our larger
customers rely heavily on our database and their use may be similar to
programmatic or scripted access," said Sylven.
He could not confirm that the stolen accounts had been disabled,
although Hidalgo noted in a blog posted Friday afternoon that Symantec
had notified Monster.com of the compromised log-ins. "When unusual
access is detected, we do terminate that access and investigate if
possible," Sylven said.
Attend HITBSecConf2007 - Malaysia
Taking place September 3-6 2007 featuring seven tracks of technical
training and a dual-track security conference with keynote speakers
Lance Spitzner and Mikko Hypponen! - Book your seats today!