Slashdot Mirror


Monster.com Malware Tags Another Site

bl8n8r writes "The first wave of problems for Monster.com came in the form of malware as recruiters cluelessly pointed trojaned Windows systems into Monster's database. The incident reportedly gleaned more than 1.6 million records from the job search site's database. The second incident followed two days later in the form of an infected Monster.com server pharming out malware by way of advertisements hosted on its websites. The latest incident now shows jobseekers using USAJobs are also at risk from the pharmed Monster trojan. The worst part is Monster.com seems to shrug it off with: 'As is the case with many companies that maintain large databases of information, Monster is from time to time subject to illegal attempts to extract information from its database. Despite ongoing analysis, the scope of this illegal activity is impossible to pinpoint.'"

50 comments

  1. NEVER use Windows as a server OS. by Anonymous Coward · · Score: 3, Insightful

    If there's one thing we've been shown over and over and over and over and over and over again, it's that Windows is just not a suitable OS to use in a server environment.

    The main problem is, as illustrated here, an insufficient level of security and quality. This isn't just a problem with the Windows itself. This is a problem with the other Microsoft products that are commonly used on Windows, including IIS and SQL Server. They're far too easily compromised, and fixes never come rapidly enough.

    When high-quality products like Linux, Apache and PostgreSQL are available for free, there's really no reason to be using anything from Microsoft in a server environment. Hell, there are many reputable companies offering very affordable, and worthwhile, support for those products. And when the rare security issue does arise, a patch is usually available within the same day, if not within an hour or less.

    Maybe someday IT managers and executives will realize that Windows is clearly not the optimal way to go. There are alternatives, and they are far better when it comes to security, quality, reliability, efficiency, and most importantly, cost.

    1. Re:NEVER use Windows as a server OS. by Anonymous Coward · · Score: 3, Informative

      Don't forget Solaris! And for a really secure network, you can always use OpenBSD. Thanks to their strenuous security audits, the OpenBSD developers have put out a product that is rock-solid, and nearly impenetrable.

      Like their homepage states, "Only two remote holes in the default install, in more than 10 years!" That's a pretty remarkable achievement, when you consider that OpenBSD is a full-blown UNIX-like system, including a very capable, multiplatform kernel, a wide array of libraries, a great number of commands, as well as security-screened ports of software from other projects. When you have only two remote holes in a decade of development in millions of lines of C code, you know you're doing something right.

    2. Re:NEVER use Windows as a server OS. by Anonymous Coward · · Score: 0

      No, I'd wager that your systems are compromised. You just aren't aware of how often your data has been stolen, and how often your machines have been used to send out spam, because you're using inferior systems.

  2. Here, I'll pinpoint the scope for them: by Ant+P. · · Score: 4, Insightful

    SELECT * FROM customers;
    I'm curious to know how they could screw up a simple thing like database security to the point where some windows laptop on their network can just connect and do the above.

    1. Re:Here, I'll pinpoint the scope for them: by Valar · · Score: 3, Informative

      Except that that is exactly NOT how the trojan works. I won't comment on the malware via ads issue, because I'm not familiar with the details (something you should try).

      Here's how the trojan actually works.

A monster.com affiliated recruiter is someone who pays monster.com to have access to the section of the site where they can search the database of resumes and profiles with some fairly powerful search tools, and find candidates that might be qualified for open positions at their company. This trojan finds one of these people's computers and infects it. It sniffs out account and password information, which it then uses to log into the recruiting site. The trojan then makes a very broad search-- one that should make available all of the resume information. It then aggregates all of this information and uploads it to an external server, where presumably baddies will parse it and attempt to make a spam mailing list, probably.

      The thing is, this information is all basically PUBLIC information. I mean, yes, it is supposed to be public only to companies that pay monster.com to show it to them, but it is your resume for goodness' sake. You know, that document that you send all over creation, hoping people will read it? Yeah.

      So basically, I think the people whose accounts were compromised will notice a slight increase in their spam traffic from having their email address crawled yet one more time.
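      The pattern Valar describes (a legitimate recruiter login, then searches with essentially no filters that pull the whole resume database) is detectable on the server side by looking at per-account volume rather than at the login itself. The following is an added example, not code from the thread or from Monster; it assumes a hypothetical search log format (`acct=`, `terms=`, `results=`) and constructed sample lines, and flags an account that returns far more resumes per hour than a recruiter plausibly reads, or that runs repeated searches with fewer than two search terms.

```python
"""Flag recruiter accounts whose search activity looks like bulk harvesting.

Added example for the Monster/Slashdot discussion; the log format and the
thresholds are assumptions, not Monster's actual logging or policy.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one search per line. recruiter_c behaves like the
# trojan described in the thread (no filter terms, tens of thousands of hits).
SAMPLE_LOG = """\
2007-08-20T09:02:11 acct=recruiter_a terms=4 results=37
2007-08-20T09:15:40 acct=recruiter_a terms=3 results=52
2007-08-20T09:30:05 acct=recruiter_b terms=5 results=12
2007-08-20T09:31:00 acct=recruiter_c terms=0 results=50000
2007-08-20T09:33:10 acct=recruiter_c terms=1 results=48000
2007-08-20T09:35:22 acct=recruiter_c terms=0 results=51000
2007-08-20T10:01:00 acct=recruiter_b terms=2 results=140
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with typed fields."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, value = pair.split("=", 1)
        rec[key] = value
    rec["terms"] = int(rec["terms"])
    rec["results"] = int(rec["results"])
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def flag_bulk_harvest(records, max_results_per_hour=5000, min_terms=2, min_broad=2):
    """Return {account: [reasons]} for accounts that look like harvesters.

    Two independent signals, each enough on its own:
      1. total resumes returned to the account in one clock hour exceeds
         max_results_per_hour (a human recruiter never reads that many);
      2. at least min_broad searches with fewer than min_terms filter terms
         (the 'very broad search' the trojan needs to see everything).
    """
    results_per_hour = defaultdict(int)   # (acct, hour) -> resumes returned
    broad_searches = defaultdict(int)     # acct -> count of near-empty queries
    for rec in records:
        hour = rec["ts"].replace(minute=0, second=0, microsecond=0)
        results_per_hour[(rec["acct"], hour)] += rec["results"]
        if rec["terms"] < min_terms:
            broad_searches[rec["acct"]] += 1

    flagged = defaultdict(list)
    for (acct, hour), total in results_per_hour.items():
        if total > max_results_per_hour:
            flagged[acct].append(
                f"{total} resumes returned in the hour starting {hour.isoformat()}"
            )
    for acct, count in broad_searches.items():
        if count >= min_broad:
            flagged[acct].append(
                f"{count} searches with fewer than {min_terms} filter terms"
            )
    return dict(flagged)


if __name__ == "__main__":
    for acct, reasons in flag_bulk_harvest(parse_log(SAMPLE_LOG)).items():
        print(acct)
        for reason in reasons:
            print("  -", reason)
```

      In practice the hourly threshold would come from each account's own history rather than a fixed constant, and a hit should throttle or re-authenticate the session rather than only log it, since the credentials themselves are valid.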

    2. Re:Here, I'll pinpoint the scope for them: by ErroneousBee · · Score: 1

      I'm curious to know how they could screw up a simple thing like database security to the point where some windows laptop on their network can just connect and do the above.

      Look at the response headers from those two websites. The site is set up by the usual MCSEs who showed management a pretty webpage without actually having anything robust underneath.

      --
      **TODO** Steal someone else's sig.
    3. Re:Here, I'll pinpoint the scope for them: by BlakLanner · · Score: 1

      Slight? It is rather noticeable. The email address I used to use for my job search has been virtually spam-free for 4 years. Since the breach, I have been getting flooded with spam from the scammers trying to get you to "handle their e-commerce transactions". It has been rather annoying to say the least.

    4. Re:Here, I'll pinpoint the scope for them: by LBt1st · · Score: 1

      I've gotten fake e-mail from "monster.com" offering me a job. Only the job is a work at home deal and requires me to have a Bank of America account. If I don't have one, I'm supposed to sign up for one at their website.
      An obvious phishing scam, but how many of these things are going out to people who wouldn't know.. who are desperate for a job?

      I've since removed my account.. well I actually couldn't find an option on their site to delete it, so I resorted to clearing all my info.
      monster.com is now in my e-mail's black list.

    5. Re:Here, I'll pinpoint the scope for them: by dbc001 · · Score: 1

      Monster.com sends spam anyway. I used to use an email forwarder for my monster account (now deleted). I got several emails from shady recruiters, asking me if I was interested in working as a bank teller or insurance salesman - even though my monster info clearly indicated my interest in working as a web designer.

  3. They're not shrugging it off by rastoboy29 · · Score: 1

    It's called desperation.  Or whistling in the dark. 

    1. Re:They're not shrugging it off by Harmonious+Botch · · Score: 2, Funny

      They're actually trying to fix it. But the problem is that they can't find the right people. Seems that everyone they try to hire thinks they are id thieves and hangs up on them.

  4. Trollish submitter by packetmon · · Score: 5, Insightful
    The worst part is Monster.com seems to shrug it off with: 'As is the case with many companies that maintain large databases of information

    Funny how they shrugged it off:

    Earlier this month, Monster discovered [a] a malicious code that attempted to harvest stolen email addresses from its database and transfer them to a server in Ukraine. The hackers then sent out phishing emails that claimed to be prospective employers offering a work-from-home job that asked for access to the user's bank account. Monster responded by notifying these job seekers that their contact records had been downloaded illegally and is now working with law enforcement officials and the appropriate regulatory agencies [b]. Monster also revealed that this incident was not the first time the company's database had been the target of criminal activity.

    The company says that to boost its security measures it is implementing new robust capabilities for worldwide monitoring and surveillance of site traffic, reviewing and tightening all site access policies and controls and launching a series of targeted initiatives to protect job seeker contact information.


    Source

    [a] Monster discovered: Did you note that Monster themselves noticed the infiltration? It wasn't posted to a full disclosure list, which means they caught it on their own for a change. Give them that credit.

    [b] Monster initiated contacting those affected and working with LEAs. This didn't come to light in the same fashion as, say, what happened at LinkedIn. LinkedIn spurns bug bounty hunter. So why post such a trollish statement as "monster shrugged it off"? There should be a mechanism to moderate those who post articles.

    1. Re:Trollish submitter by Ant+P. · · Score: 1

      There should be a mechanism to moderate those who post articles.

      Don't want to go offtopic too much, but there is the firehose and the /. staff these things have to get through first. It's not a good system (I don't know of any that are), but it's there.
    2. Re:Trollish submitter by packetmon · · Score: 1

      If there is one thing I've learned in my 9 years here @ /. (original nicks are joq/xprnstar and sil), it is that Slashdot is, believe it or not, very influential in the industry. Instances like this paint a not so pretty picture unfairly at companies, industries and technologies. Comments, fine, we can deal with those, but there are those - and I don't for the life of me know why - who take sites such as /., Ars and others as the hammer of god. If I came in from the outside not knowing the true issue/story with what happened @ Monster, I would look at this article's quick summary and probably want to condemn Monster.com to kingdom come. Oh well, rant over.

    3. Re:Trollish submitter by cyclone96 · · Score: 3, Informative

      Beyond everything that you nicely outline, when it comes to the USAJobs site they won't be able to "shrug it off" because of the connection to the government.

      USAJobs was built under federal contract, and the government was slowly moving to requiring every federal position be applied for through USAJobs. That includes internal promotions, executives, new-hires...basically everyone who is not elected or an appointee. A lot of fairly high ranking career civil servants are in that database.

      I'm guessing the government is going to be very harsh on this, as they typically are when a contractor screws up IT security.

      BTW, most federal employees and managers hate USAJobs, since you are not allowed to interview anyone unless the computer ranks them highly when it runs its resume search algorithm. I can't interview someone unless the computer spits it out. Potential hires (and internal promotions) have to figure out how to "fake out" the search algorithm so their resume gets through. I'd love to see it go away.

      --
      Worst...sig...ever!
    4. Re:Trollish submitter by Anonymous Coward · · Score: 0

      I'm guessing the government is going to be very harsh on this, as they typically are when a contractor screws up IT security.

      More likely, the government will determine that Monster had every Windows patch installed (i.e., they were following published best practices) and let it slide. The parts of the government I'm familiar with don't know anything but Windows.

    5. Re:Trollish submitter by Anonymous Coward · · Score: 1, Informative

      I for one was NOT comforted when I received an email from USAJobs saying that my SS# was safe. I'm a recent MPA grad and it's required on the site and in submissions + transfers to agency sites as far as I can tell. What disturbed me was the wording of their security notice, it implies that USAJobs is actually sending/providing my full information to an outside contractor.

      That this includes my SS# going from a .gov to a .com is really a case of gov't being lazy about integration imho.

      More importantly, I'm really pretty pissed that they aren't clear about what was leaked -- my contact information was not supposed to be visible, but it's implied that it was available to marketers/recruiters anyway. The Fed really should be much more careful about giving away personal information...that database with contact information for new and internal recruits is worth an insane amount of money.

      As to the hiring process...I've given up. My MPA seems useless for finding employment with the federal government; most positions at GS-7/9 advertise as allowing qualification based on education, but I've never been forwarded for an interview--despite honor society membership and a background in software. And in one case the hiring agency forgot to say they needed transcripts, didn't forward me for consideration, and didn't bother to notify me they had screwed up after I emailed them--they just updated their other (non-closed) postings with the new information that transcripts were required. Then there's the VA that posts requests to slide applications under the door for FCIP positions or deliver them by hand because the postal service isn't reliable.

      Classy, unprofessional, and totally indicative of major failure when the retirement wave hits.

  5. It seems that... by Anonymous Coward · · Score: 0

    ...they have a real monster on their hands.

  6. pee in the pool by Original+Replica · · Score: 1

    Information on the internet will disseminate. Everyone here who cries "information wants to be free" when the topic of the RIAA comes up needs to recognize that the same goes with your information when it gets on the internet. "Online" and "secure information" are oil and water.

    --
    We are all just people.
    1. Re:pee in the pool by Loconut1389 · · Score: 1

      There's a difference between computerized records and online. I'd argue that with the right encryption and access protocols and safeguards, computerized records are more secure than a locked filing cabinet. Even online records can be secured if designers are paranoid and careful. The problem is when things aren't done with security in mind, or cutting corners to save money or time- or "wouldn't it be easier if everyone just had the root password" type thinking. Your information doesn't necessarily want to be free, but the default state of most secured objects is fail-safe/fail-open. They make fail-secure doors, but they cost money, and someone with the right credentials (either legitimately obtained and used out of deception, or stolen) can always get in. These sites just need better safeguards and/or programmers and possibly better employee screening.

    2. Re:pee in the pool by Original+Replica · · Score: 1

      I agree that there is a big difference between computerized records and online; the catch is that to not be online you have to physically unplug your storage from the internet. No off-site access, authorized or not. In the case of Monster.com, accessibility to information was what they were all about. Sure, they wanted to only allow access to paying/legit customers, but the exact same could be said of most music licensing software. The same skills and sub-culture that have people unlocking the iPhone and poking holes in the Great Firewall of China are going to make remotely accessible databases only casually secure.

      --
      We are all just people.
    3. Re:pee in the pool by Anonymous Coward · · Score: 1, Interesting

      Isn't part of the anti-RIAA argument that downloading music helps advertise and increases sales? You'd think with something like a resume, in which the sole purpose is to be seen by people in the hopes that they'll give you money, there would be little reason to be upset about its dissemination.

  7. See? by Renraku · · Score: 1

    This is the shit we have to deal with. This is why even if you go only to trusted websites, you need to be careful. Use an alternative browser (that's not IE) or OS. Don't open email attachments, install toolbars, or anything that you haven't checked to make sure is ok.

    All it takes is one 'yes' to have your computer pulled out from under you and put to work by some bastard that's probably not even in the business anymore.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  8. http://www.goatse.cx by Anonymous Coward · · Score: 0

    Mod me down. I am here to waste a modpoint.

    1. Re:http://www.goatse.cx by Anonymous Coward · · Score: 0

      Mod parent down!
      I'd do it, but I have no modpoints.

  9. We need to call those fools out. by Anonymous Coward · · Score: 1, Insightful

    Those of us who know the dangers of Microsoft technology need to really start calling those people out. And I don't mean online. I mean in person, in the meetings where they're proposing their Microsoft-based "solutions".

    I've seen this happen in meetings before. During one such meeting, one DBA suggested the use of SQL Server 2005 for a new project. And immediately, two Oracle DBAs tore him a new asshole. They listed the numerous security issues that SQL Server has been plagued with. They listed a variety of technical problems with SQL Server. They basically told him that they would not stand for that kind of, as one of the Oracle DBAs put it, "raccoon shit" on their network.

    1. Re:We need to call those fools out. by Anonymous Coward · · Score: 0

      During one such meeting, one DBA suggested the use of SQL Server 2005 for a new project. And immediately, two Oracle DBAs tore him a new asshole. They listed the numerous security issues that SQL Server has been plagued with. They listed a variety of technical problems with SQL Server.

      Such as?
    2. Re:We need to call those fools out. by Shados · · Score: 1

      Wow, Oracle DBAs being against SQL Server? Who would have thought!

    3. Re:We need to call those fools out. by Jeruvy · · Score: 1

      Complete BS. Oracle is the KING of SECURITY HOLES.

      --
      Jeruvy
  10. Text of the email Monster sent out by Anonymous Coward · · Score: 1, Interesting

    Below is an email Monster sent out to account holders. I was expecting a sincere apology with perhaps an offer for free credit monitoring. Instead, when they have a security issue, they invite their users to be more savvy about the internet.

    Note their directions on "HOW TO BE A SAFE INTERNET USER". If perhaps they had taken their own advice, maybe we wouldn't be in this situation?

    --

    Dear Valued Monster Customer,

    Protecting the job seekers who use our website is a top priority, and we value the trust you place in Monster. Regrettably, opportunistic criminals are increasingly using the Internet for illegitimate purposes. As is the case with many companies that maintain large databases of information, Monster is from time to time subject to attempts to illegally extract information from its database.

    As you may be aware, the Monster resume database was recently the target of malicious activity that involved the illegal downloading of information such as names, addresses, phone numbers, and email addresses for some of our job seekers with resumes posted on Monster sites. Monster responded to this specific incident by conducting a comprehensive review of internal processes and procedures, notified those job seekers that their contact records had been downloaded illegally, and shut down a rogue server that was hosting these records.

    The Company has determined that this incident is not the first time Monster's database has been the target of criminal activity. Due to the significant amount of uncertainty in determining which individual job seekers may have been impacted, Monster felt that it was in your best interest to take the precautionary steps of reaching out to you and all Monster job seekers regarding this issue. Monster believes illegally downloaded contact information may be used to lure job seekers into opening a "phishing" email that attempts to acquire financial information or lure job seekers into fraudulent financial transactions. This has been the case in similar attacks on other websites.

    We want to inform you about preventive measures you can take to protect yourself from online fraud. While no company can completely prevent unauthorized access to data, we believe that by reaching out to job seekers like you, the Company can help users better defend themselves against those who have attacked Monster as well as other databases.

    We are committed to maintaining an ongoing dialogue with all of our job seekers about Internet security and the steps Monster is taking to protect its job seekers. The Company has placed a security alert on Monster sites offering information to educate you about online fraud. This information can be found at http://help.monster.com/besafe/. We have also included information on Internet safety and examples of fraudulent "phishing" emails at the bottom of this letter.

    Monster has launched a series of initiatives to enhance and to protect the information you have entrusted to us. Some of these steps are being immediately implemented, while others will be put into place as appropriate.

    We believe these actions are the responsible steps to protect the trust you place in Monster. We are also working with Monster's hundreds of thousands of employer customers to ensure a safe and effective online job search. We will continue to share information with you about the enhancements we are making as we serve as your online career resource partner. We invite you to keep reading to learn more about how to use the Internet safely.

    Sincerely,

    Signature
    Sal Iannuzzi

    Chairman and CEO

    Monster Worldwide

    HOW TO BE A SAFE INTERNET USER

    Every Internet site in the world is facing the growing issue of fraudulent usage of information, and we want to work with users around the world to stop this practice - please keep reading to

    1. Re:Text of the email Monster sent out by Craig+Maloney · · Score: 2

      I used this opportunity to cancel my Monster account. It wasn't doing anything for me anyway, but I figured that if enough people did it, they might take it seriously. You can read my account closure experience here. To say they shrugged this off as a small breach is an understatement. They didn't do anything real until the problem had escalated out of hand. If you feel as I do that Monster didn't act appropriately, I encourage you to also cancel your account. Maybe then they'll realize what their mistake was in handling this situation.

  11. pass the buck by spyrochaete · · Score: 2, Interesting

    Monster really did shrug off this attack. They haven't responded to my email about whether my data was compromised. All I got was an email saying that their databases had been breached, followed by instructions on how *I* should surf the web safely. One of their recommendations was to contact companies by telephone instead of the web.

    1. Re:pass the buck by zairgit · · Score: 1

      They sent me paper mail.

  12. MOD AC DOWN: IIS and SQL Server are secure. by sid0 · · Score: 0, Troll

    IIS: http://secunia.com/product/1438/
    SQL Server: http://secunia.com/product/6782/

    IIS 6 and SQL Server 2005 have never ever EVER been compromised -- both vulnerabilities in IIS were not publicly disclosed. So, AC, like, STFU.

    1. Re:MOD AC DOWN: IIS and SQL Server are secure. by Arterion · · Score: 1

      I don't know if it's true or not, but someone should reply with the facts if it's not. If it is true, I, too, wonder why he's modded troll. I was under the impression that IIS 6 and SQL Server 2005 were pretty good on the security front. Of course, the admin running them both has a lot to do with it. If you told me Windows admins are less apt to get security right, I'd believe you. But that doesn't mean the products themselves, when configured properly, are necessarily insecure.

      --
      "That which does not kill us makes us stranger." -Trevor Goodchild
    2. Re:MOD AC DOWN: IIS and SQL Server are secure. by Anonymous Coward · · Score: 0

      This is a bit of a weird security report site. Notice the following:

      http://secunia.com/product/15552/

      Apparently my favorite OS has NO security flaws. This would be pretty cool if it were true. It would make those security patches I get every day completely unnecessary!

      I think such a sweeping claim: " IIS 6 and SQL Server 2005 have never ever EVER been compromised " should not be made on the basis of a single source of evidence!

    3. Re:MOD AC DOWN: IIS and SQL Server are secure. by sid0 · · Score: 1

      The security updates you get every day are probably for the applications you have.

      In any case, please do go ahead and point me to a public SQL Server 2005/IIS6 vulnerability.

  13. but was it an accident? by clarkn0va · · Score: 1
    I have a friend who once worked for monster.ca and he explained in plain terms that it was little more than a front for harvesting their users' personal information for their own purposes.

    It wouldn't shock me in the least to discover that monster played an active part in this shenanigan.

    db

    --
    I am literally 3000 tokens away from the chaotic crossbow --Stephen
  14. say what ??? by Lord+Balto · · Score: 1

    So they are telling you NOT to use their service but to use the telephone instead? Am I missing something here? What exactly is their business model anyhow?

  15. Eat scrotum... by Anonymous Coward · · Score: 0

    And die!

    There, that should do it.

  16. Say good-bye to Monster Dot Com by Oshkoshjohn · · Score: 1

    The very first time I read this, I used my username and password to access my account on Monster, only to discover a different person's name and data. I did the right thing, and changed the data in some of the fields to nonsense, and removed data in other fields. I have not been back.

    --
    Goddamned kids! Get off my lawn!
  17. big deal by delong · · Score: 1

    Oh gee, the h4x0rs got my resume. What are they gonna do? SPREAD IT AROUND?

  18. Thank you Federal Government by Anonymous Coward · · Score: 0

    For requiring me to submit my social security number, DOB, etc for all federal job postings. AND USING A NON-SECURE CONTRACTOR to manage the information.

    Morons.

    And sure they sent me an email saying that their SS#s were stored safely, but like I have any reason whatsoever to believe that--especially since USAJobs forwards the information to multiple sub-agency sites.

  19. Ah, fun with Windows! by WheelDweller · · Score: 1

    A lot of people think Bill Gates is a computer genius, but he's actually a marketing genius. These people are going to pick up the pieces of their shattered OS, flush-n-fill, and start over. Some people just don't learn!

    If we had, say, cars that had to have $5000 of repair done every month, we'd be good friends with several lawyers. Microsoft does nothing about viruses for two decades and such calamity is considered a 'way of life'. ...and people wonder why I'm such a hardcore Linux fan. Sheesh.

    --
    --- For a good time mail uce@ftc.gov
  20. Guess I need to take my SSN out of my Resume by mcnut · · Score: 1

    I suppose it was a bad idea to include my mother's maiden name, first pet's name, original hometown, SSN, major banking and credit card numbers complete with routing and security numbers in my resume. Who knew?

    --
    ok.. so heads you lose tails I win. right?
  21. I for one... by Anonymous Coward · · Score: 0

    I for one, would welcome employment by the 1337 h4x0rs! (..if they paid me well and I was outside legal jurisdiction)