Slashdot Mirror

← Back to Stories (view on slashdot.org)

Monster.com Attacked, User Data Stolen

Posted by Zonk on from the rarr-snarl dept.

Placid writes "The BBC has an article detailing a successful attack on the US recruitment site, Monster.com. According to the article, 'A computer program was used to access the employers' section of the website using stolen log-in credentials' and that the stolen details were 'uploaded to a remote web server'. Apparently, this remote server 'held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website'. The article also links the break-in to a phishing e-mail sent out recently where personal details were used to entice users to download a 'Monster Job Seeker Tool.'"

21 of 196 comments (clear)

  1. Tomorrow's Ad today by JonTurner · · Score: 4, Funny

    Wanted:
    New sysadmin. Must have experience in data security. Submit resume to adminjob@monster.com

    1. Re:Tomorrow's Ad today by high_rolla · · Score: 5, Funny

      Yeah, followed by the new marketing campaign: "Nobody else makes it this easy for your details to reach more employers"

      --
      Ryans Tutorials - A collection of technology tutorials.
    2. Re:Tomorrow's Ad today by janrinok · · Score: 5, Interesting

      I don't agree. If you RTFA, you will see the the system was penetrated by using valid UIDs and passwords, which had been previously gathered using a phishing attack. Any system is vulnerable to such an attack and you can hardly line all up all sysadmins and have them shot - despite any justification that the odd one might actually deserve it. But I am surprised by the number of techies that fell for the phishing attack in the first instance.

      --
      Have a look at soylentnews.org for a different view
  2. Monster attack steals user data by Nibbler999 · · Score: 5, Insightful

    I like the BBC headline better.

    1. Re:Monster attack steals user data by ObsessiveMathsFreak · · Score: 4, Insightful

      I liked it when Slashdot got its tech stories before the mainstream news outlets.

      --
      May the Maths Be with you!
  3. Phishing Attack by grahamux · · Score: 4, Funny

    You know, every time I get an email telling me my Bank of America account is going to be frozen, and should go to http://myaccounts-bankofamerica.net/ I always ask myself "Who actually falls for this stuff?". Now, I know. The people I look to for jobs. /cheer

    --
    Doing the needful.
    1. Re:Phishing Attack by Farmer+Tim · · Score: 4, Funny

      What, you needed more evidence that your (potential) boss is an idiot?

      --
      Blank until /. makes another boneheaded UI decision.
    2. Re:Phishing Attack by timmarhy · · Score: 4, Insightful
      It seems to be a universal fact that to be in HR you need to always have an IQ lower then the people you are interviewing. It certainly has been in every company i've worked at.

      remember, these are the type of people who were putting "5 years experience required in windows 2003 admin" in 2005.

      --
      If you mod me down, I will become more powerful than you can imagine....
    3. Re:Phishing Attack by arivanov · · Score: 5, Insightful

      Err... You are missing the point.

      Monster.com was broken in for spearphishing, not for sending bulk emails regarding "Bank of America". Spearphishing as a term is used to describe a phishing set up which is designed to hit a victim specifically by using a victim specific ruse based on knowledge of personal data.

      Recruitment agencies are actually a prime target for such attacks:

      1. Nearly all of them (even the specialised unix oriented ones) require all CVs in Microshit Word so pushing a custom Trojan is trivial.
      2. Nearly all of them systematically violate the Data Protection act and other similar statutes which require them to remove customer data from their databases when no longer needed. So far in the UK only 3% of the ones I have asked to remove my details have complied with the request. Amidst the most vile violators are the two biggest MOD oriented agencies and more than 50% of the top 20 (by job posting numbers).
      3. In addition to that apparently at least one UK (and international) jobboard also does not remove customer data even if you delete your accounts from there. As a result the agencies are re-fed your details on a regular basis.
      4. The agencies possess enough data for a perfect spearphish: date of birth, nationality, postal address, occupation, prior job history, current and past salaries as well as further background. In some cases where they have been subcontracted to do HR they possess even more data like NSNs/SSNs, credit ratings and the like.

      Frankly this is an industry that is in desperate need to be smacked with some vile regulation compared to which SOX and the recent health IT regs in the US are a child's play. They need to be straightened out and made to follow the laws of the land with regard to customer privacy. At the moment they are systematically ignoring them and in many cases they possess more of your personal information than your bank.

      So let's hope that the Monster case will cause some moves towards that.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  4. Hehe by JimboFBX · · Score: 5, Funny

    Last year, a British nurse was blackmailed by hackers who had used a Trojan to access her personal e-mails. I'll let you guys stew on how ambiguiously funny that sentence is.
  5. Symantec has a very detailed explanation of it by indraneil · · Score: 5, Informative

    Symantec's explanation
    The trojan (Called Infostealer.Monstres) seems to be using HR login details (possibly stolen) to access hiring.monster.com and recruiter.monster.com sub-domains and download candidate information. It also seems to be similar to a previously known trojan called Trojan.Gpcoder.E
    Symantec estimates that 1.6 million people (mostly from USA) have been impacted.
    They have informed Monster about it

  6. cue sound: by doyoulikeworms · · Score: 5, Funny

    M-M-M-Monster Kill (...kill...kill...kill...kill...)

  7. Re:Monster doesn't help anyway--why use it? by uptownguy · · Score: 5, Interesting

    Monster and Dice are just meat markets. Relatively few people actually get jobs there

    Craigslist all the way. I am operations manager for a small IT firm and we've hired our last ten people from Craigslist. The response rate is fantastic. In most major markets, posting an ad is still free (for now). I keep getting calls from a rep. at Monster every three to six months asking me to pay $300-$400 PER LISTING at Monster. I let them know that I am perfectly happy with the quality, quantity and cost of Craigslist. There's a long pause and then they say maybe they'll give me a call in three to six months to check up on me. It's a little silly and arrogant to think that everyone will be able to get a job through personal connections. But Monster and Dice are so 1999. Craigslist is where the real action is.

    Hint to other employers out there: I've found that the quality of candidates who respond to postings is directly proportional to the quality of the ad that you post. Put some thought into what you write. (Note: The same holds true for Slashdot.)

    --


    I would have to say that explosives are the most abused technology in all of history.
  8. Copied, not stolen by Meneth · · Score: 4, Funny

    Seriously, if even Slashdot can't use the word properly, how can we ever expect the MAFIAA to learn?

  9. Best headline ever by FrostedWheat · · Score: 5, Funny

    This story has the best headline I've seen on the BBC in a long time:

    Monster attack steals user data

    Ruh-roh! Someone call the Scooby Gang!

  10. Blame the data security officers & project mgr by JonTurner · · Score: 4, Interesting

    Upon reflection, I agree with you. It's not the admin's fault -- once it was in the admin's domain, it was already too late. IMO, This breech happened due to a design shortcoming, not a programming error. Let me explain: Any serious company with an internet presence should be asking "When a loss of an external user account/password occurs, what's the maximum damage that can occur? What can we do to minimize the impact?" Frankly, there is no reason at all that one user account (or even dozens) should be able to download 1.6 MILLION (!!) resumes. That's an incredible number!

    I'm shocked to think Monster doesn't have a limit on the # of resumes an account is able to d/l per some time period. (week/month/quarter). I don't know what that number is, but I'm thinking closer to "100" than "1.6 million". And didn't they run some cumulative activity reports once in a while to learn which accounts are the most active? And to what IP's the requests are being served? At the least, you'll know who your biggest customers are (or at least the ones who are taxing your servers) and where the data is going. At best, you'll spot problems like this breech as it is happening at stop it.

    So if someone must be sacrificed, line up the data security officers and a project manager or two. It's their job to be asking these questions and ensure they are compliant.

    Then again, hindsight is 20/20. Maybe the best thing that occurs from all this is we, on the sidelines, learn from their mistakes.

  11. Re:"US recruitment site"?? by IBBoard · · Score: 4, Informative

    ...you have an un-American bias

    We'll stop calling websites for the USA "US Websites" when you stop butchering our language. The word you were looking for is "anti-American" ;) "un-" means "not", "anti" means "against", you meant "bias against America" not "bias that's not American".

    Also, if you check your history then Europe created the public WWW (with the CERN site in France/Switzerland) and it was a Brit, Tim Berners-Lee, who first developed HTML and worked on the original HTTP specification (Wikipedia references).
  12. Re:Porn by clickclickdrone · · Score: 4, Funny

    I know this will get modded down but...
    >thousands of minutes of erotic movies
    TIP: say hundreds of *hours*. Saying minutes really implies your target audience don't umm, last very long IYSWIM. Not good marketing to insult them up front.

    --
    I want a list of atrocities done in your name - Recoil
  13. Re:"US recruitment site"?? by Bloke+down+the+pub · · Score: 5, Funny

    Nobody speaks the English which was spoken when America was colonized.
    Sir, you are quite mistaken, and if you persist in perpetuating these fallacious fripperies I shall be honour bound to demand that you perambulate into my vicinity and repeat them, on pain of fisticuffs. Good day!
    --
    It's true I tell you, feller at work's next door neighbour read it in the paper.
  14. And Monster's publicity team says... by shadowspar · · Score: 4, Interesting

    Nothing. Absolutely nothing.

    The story's all over the media and the internet, Symantec has a blog post and a virus writeup, and what's on the front page of Monster? Not a damn thing. No "your personal info may have been stolen", "hey, yeah, that data breach thing, we're looking into it", no acknowledgement of any kind. Their press page contains bulletins about the Monster Employment Index and their top ten workplace etiquette tips. Looks like we're going to see another good example of how not to handle negative press related to a security issue.

    --

    There is a spellbook here; eat it? [ynq]

  15. Re:Blame the data security officers & project by ari+wins · · Score: 4, Funny

    Maybe the best thing that occurs from all this is we, on the sidelines, learn from their mistakes.

    I'd love to, but then I'd actually have to RTFA, and I don't have time today. I have to get a copy of my birth certificate and a visa, so I can help out my new Nigerian friend with a lucrative situation.

    --
    Don't worry if you're a kleptomaniac, you can always take something for it.