Slashdot Mirror


Monster.com Attacked, User Data Stolen

Placid writes "The BBC has an article detailing a successful attack on the US recruitment site, Monster.com. According to the article, 'A computer program was used to access the employers' section of the website using stolen log-in credentials' and that the stolen details were 'uploaded to a remote web server'. Apparently, this remote server 'held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website'. The article also links the break-in to a phishing e-mail sent out recently where personal details were used to entice users to download a 'Monster Job Seeker Tool.'"


  1. Monster attack steals user data by Nibbler999 · · Score: 5, Insightful

    I like the BBC headline better.

  2. Hehe by JimboFBX · · Score: 5, Funny

    Last year, a British nurse was blackmailed by hackers who had used a Trojan to access her personal e-mails. I'll let you guys stew on how ambiguously funny that sentence is.

  3. Symantec has a very detailed explanation of it by indraneil · · Score: 5, Informative

    Symantec's explanation
    The trojan (called Infostealer.Monstres) seems to be using HR login details (possibly stolen) to access the hiring.monster.com and recruiter.monster.com sub-domains and download candidate information. It also seems to be similar to a previously known trojan called Trojan.Gpcoder.E.
    Symantec estimates that 1.6 million people (mostly from the USA) have been impacted.
    They have informed Monster about it.

  4. cue sound: by doyoulikeworms · · Score: 5, Funny

    M-M-M-Monster Kill (...kill...kill...kill...kill...)

  5. Re:Monster doesn't help anyway--why use it? by uptownguy · · Score: 5, Interesting

    Monster and Dice are just meat markets. Relatively few people actually get jobs there

    Craigslist all the way. I am operations manager for a small IT firm and we've hired our last ten people from Craigslist. The response rate is fantastic. In most major markets, posting an ad is still free (for now). I keep getting calls from a rep. at Monster every three to six months asking me to pay $300-$400 PER LISTING at Monster. I let them know that I am perfectly happy with the quality, quantity and cost of Craigslist. There's a long pause and then they say maybe they'll give me a call in three to six months to check up on me. It's a little silly and arrogant to think that everyone will be able to get a job through personal connections. But Monster and Dice are so 1999. Craigslist is where the real action is.

    Hint to other employers out there: I've found that the quality of candidates who respond to postings is directly proportional to the quality of the ad that you post. Put some thought into what you write. (Note: The same holds true for Slashdot.)

    --


    I would have to say that explosives are the most abused technology in all of history.

  6. Best headline ever by FrostedWheat · · Score: 5, Funny

    This story has the best headline I've seen on the BBC in a long time:

    Monster attack steals user data

    Ruh-roh! Someone call the Scooby Gang!

  7. Re:Tomorrow's Ad today by high_rolla · · Score: 5, Funny

    Yeah, followed by the new marketing campaign: "Nobody else makes it this easy for your details to reach more employers"

    --
    Ryans Tutorials - A collection of technology tutorials.

  8. Re:Tomorrow's Ad today by janrinok · · Score: 5, Interesting

    I don't agree. If you RTFA, you will see that the system was penetrated by using valid UIDs and passwords, which had been previously gathered using a phishing attack. Any system is vulnerable to such an attack and you can hardly line up all sysadmins and have them shot - despite any justification that the odd one might actually deserve it. But I am surprised by the number of techies that fell for the phishing attack in the first instance.

    --
    Have a look at soylentnews.org for a different view
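
Comment 3 (Symantec's write-up) and comment 8 make the same point from two directions: the attackers logged in with valid recruiter credentials, so the login step itself looked legitimate, and what set the intrusion apart was the behaviour after login, a program pulling candidate records in bulk. The following is an added example, not part of this thread and not code from Monster.com or Symantec: a small Python detector run over constructed access-log lines that flags an account which fetches an abnormal number of distinct candidate records in a short window, is used from more than one source address, or requests at a machine-regular cadence. The log format, account names, IP addresses, URL path and thresholds are all assumptions made for the example.

```python
"""Spot scripted bulk resume retrieval behind valid recruiter credentials.

Added example; the log format and every value below are assumptions,
not real Monster.com data or any vendor's detection logic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log line: "<ISO timestamp> <account> <source ip> GET /recruiter/resume/<id>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) GET /recruiter/resume/(?P<rid>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "rid": int(m["rid"])}


def analyze(lines, window=timedelta(minutes=10), max_distinct=50, max_ips=1):
    """Map account -> list of reasons it looks like scripted bulk access."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["user"]].append(ev)

    findings = {}
    for user, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: the most distinct resume ids fetched within `window`.
        peak, start, in_window = 0, 0, {}
        for ev in evs:
            in_window[ev["rid"]] = in_window.get(ev["rid"], 0) + 1
            while ev["ts"] - evs[start]["ts"] > window:
                old = evs[start]["rid"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        ips = {e["ip"] for e in evs}
        # A script fires at a fixed interval; a person browsing does not.
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        regular = len(gaps) >= 20 and max(gaps) - min(gaps) <= 1.0

        reasons = []
        if peak > max_distinct:
            reasons.append(f"{peak} distinct resumes in {window}")
        if len(ips) > max_ips:
            reasons.append(f"{len(ips)} source IPs")
        if regular:
            reasons.append("machine-regular request cadence")
        if reasons:
            findings[user] = reasons
    return findings


def constructed_log():
    """Constructed sample: one human recruiter and one account driven by a script."""
    base = datetime(2007, 8, 17, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Human: a dozen resumes over an hour from a single office address.
    for i in range(12):
        t = base + timedelta(minutes=5 * i, seconds=(i * 17) % 60)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} hr_acme_01 198.51.100.7 "
                     f"GET /recruiter/resume/{200000 + i * 37}")
    # Stolen credentials: 300 resumes, one per second, from two hosts.
    for i in range(300):
        t = base + timedelta(seconds=i)
        ip = "203.0.113.5" if i < 150 else "203.0.113.9"
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} hr_globex_07 {ip} "
                     f"GET /recruiter/resume/{300000 + i}")
    return lines


if __name__ == "__main__":
    for account, why in analyze(constructed_log()).items():
        print(account, "->", "; ".join(why))
```

The three signals are deliberately independent: a patient scraper can stay under the volume threshold, and a single-host scraper never trips the IP check, but the fixed cadence still gives it away. Thresholds would be tuned against real recruiter activity before deployment.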

  9. Re:Phishing Attack by arivanov · · Score: 5, Insightful

    Err... You are missing the point.

    Monster.com was broken into for spearphishing, not for sending bulk emails regarding "Bank of America". Spearphishing as a term is used to describe a phishing set-up which is designed to hit a victim specifically by using a victim-specific ruse based on knowledge of personal data.

    Recruitment agencies are actually a prime target for such attacks:

    1. Nearly all of them (even the specialised unix oriented ones) require all CVs in Microshit Word so pushing a custom Trojan is trivial.
    2. Nearly all of them systematically violate the Data Protection Act and other similar statutes which require them to remove customer data from their databases when no longer needed. So far in the UK only 3% of the ones I have asked to remove my details have complied with the request. Amidst the most vile violators are the two biggest MOD-oriented agencies and more than 50% of the top 20 (by job posting numbers).
    3. In addition to that apparently at least one UK (and international) jobboard also does not remove customer data even if you delete your accounts from there. As a result the agencies are re-fed your details on a regular basis.
    4. The agencies possess enough data for a perfect spearphish: date of birth, nationality, postal address, occupation, prior job history, current and past salaries as well as further background. In some cases where they have been subcontracted to do HR they possess even more data like NSNs/SSNs, credit ratings and the like.

    Frankly this is an industry that is in desperate need of being smacked with some vile regulation compared to which SOX and the recent health IT regs in the US are child's play. They need to be straightened out and made to follow the laws of the land with regard to customer privacy. At the moment they are systematically ignoring them and in many cases they possess more of your personal information than your bank.

    So let's hope that the Monster case will cause some moves towards that.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/

  10. Re:"US recruitment site"?? by Bloke+down+the+pub · · Score: 5, Funny

    Nobody speaks the English which was spoken when America was colonized.
    Sir, you are quite mistaken, and if you persist in perpetuating these fallacious fripperies I shall be honour bound to demand that you perambulate into my vicinity and repeat them, on pain of fisticuffs. Good day!

    --
    It's true I tell you, feller at work's next door neighbour read it in the paper.