Slashdot Mirror


Monster.com Malware Tags Another Site

bl8n8r writes "The first wave of problems for Monster.com came in the form of malware as recruiters cluelessly pointed trojaned Windows systems into Monster's database. The incident reportedly gleaned more than 1.6 million records from the job search site's database. The second incident followed two days later in the form of an infected Monster.com server pharming out malware by way of advertisements hosted on its websites. The latest incident now shows jobseekers using USAJobs are also at risk from the pharmed Monster trojan. The worst part is Monster.com seems to shrug it off with: 'As is the case with many companies that maintain large databases of information, Monster is from time to time subject to illegal attempts to extract information from its database. Despite ongoing analysis, the scope of this illegal activity is impossible to pinpoint.'"

4 of 50 comments

  1. Re:NEVER use Windows as a server OS. by Anonymous Coward · · Score: 3, Informative

    Don't forget Solaris! And for a really secure network, you can always use OpenBSD. Thanks to their strenuous security audits, the OpenBSD developers have put out a product that is rock-solid, and nearly impenetrable.

    Like their homepage states, "Only two remote holes in the default install, in more than 10 years!" That's a pretty remarkable achievement, when you consider that OpenBSD is a full-blown UNIX-like system, including a very capable, multiplatform kernel, a wide array of libraries, a great number of commands, as well as security-screened ports of software from other projects. When you have only two remote holes in a decade of development in millions of lines of C code, you know you're doing something right.

  2. Re:Here, I'll pinpoint the scope for them: by Valar · · Score: 3, Informative

    Except that that is exactly NOT how the trojan works. I won't comment on the malware via ads issue, because I'm not familiar with the details (something you should try).

    Here's how the trojan actually works.

    A monster.com-affiliated recruiter is someone who pays monster.com to have access to the section of the site where they can search the database of resumes and profiles with some fairly powerful search tools, and find candidates that might be qualified for open positions at their company. This trojan finds one of these people's computers and infects it. It sniffs out account and password information, which it then uses to log into the recruiting site. The trojan then makes a very broad search-- one that should make available all of the resume information. It then aggregates all of this information and uploads it to an external server, where presumably baddies will parse it and probably attempt to make a spam mailing list.

    The thing is, this information is all basically PUBLIC information. I mean, yes, it is supposed to be public only to companies that pay monster.com to show it to them, but it is your resume for goodness' sake. You know, that document that you send all over creation, hoping people will read it? Yeah.

    So basically, I think the people whose accounts were compromised will notice a slight increase in their spam traffic from having their email address crawled yet one more time.
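The pattern Valar describes (valid but stolen recruiter credentials, one very broad search, bulk export of everything it returns) is something the site operator could pick out of its own search-audit logs. The Python below is an added example, not Monster.com's code and not anything from the article: the log format, the account names, the IP addresses, the IP baseline and the thresholds are all constructed for illustration. It flags three independent signals: a wildcard search, a login from a source IP the account has never used, and more records returned to one account within an hour than any legitimate recruiter would read.

```python
"""
Added example: flagging the scraping pattern described in the comment above
(one recruiter account, stolen but valid credentials, one very broad search,
bulk pull of records). Not Monster.com code; the log format, accounts, IPs
and thresholds below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of a hypothetical recruiter search-audit log.
# Fields (assumed): timestamp | account | source_ip | query | records_returned
SAMPLE_LOG = """\
2007-08-20T09:01:05 | acme_hr    | 203.0.113.10 | title:"java developer" loc:Boston | 42
2007-08-20T09:14:30 | acme_hr    | 203.0.113.10 | title:"qa engineer" loc:Boston    | 17
2007-08-20T11:02:11 | globex_rec | 198.51.100.7 | *                                 | 2500
2007-08-20T11:02:40 | globex_rec | 198.51.100.7 | *                                 | 2500
2007-08-20T14:00:00 | initech_hr | 192.0.2.5    | title:"accountant" loc:Chicago    | 100
2007-08-20T14:05:00 | initech_hr | 192.0.2.5    | title:"accountant" loc:Dallas     | 100
2007-08-20T14:10:00 | initech_hr | 192.0.2.5    | title:"accountant" loc:Denver     | 100
2007-08-20T14:15:00 | initech_hr | 192.0.2.5    | title:"accountant" loc:Atlanta    | 100
2007-08-20T14:20:00 | initech_hr | 192.0.2.5    | title:"accountant" loc:Phoenix    | 100
2007-08-20T14:25:00 | initech_hr | 192.0.2.5    | title:"accountant" loc:Seattle    | 100
"""

# Constructed baseline: source IPs each recruiter account has used before.
KNOWN_IPS = {
    "acme_hr": {"203.0.113.10"},
    "globex_rec": {"198.51.100.22"},   # the trojan logs in from a different host
    "initech_hr": {"192.0.2.5"},
}

# Queries with no real selection criteria: a hijacked account pulling "everything".
BROAD_QUERIES = {"", "*"}


@dataclass
class SearchEvent:
    ts: datetime
    account: str
    ip: str
    query: str
    returned: int


def parse_log(text: str) -> list[SearchEvent]:
    """Parse the pipe-delimited audit format above into SearchEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, query, returned = (f.strip() for f in line.split("|"))
        events.append(SearchEvent(datetime.fromisoformat(ts), account, ip, query, int(returned)))
    return events


def detect_scraping(events, known_ips, window=timedelta(hours=1), max_records=500):
    """Return {account: [reasons]} for accounts showing signs of credential
    theft plus bulk export. Three independent signals:
      broad_query   - a wildcard/empty search (the "very broad search" above)
      new_source_ip - login from an IP the account has never used before
      bulk_volume   - more than max_records returned to one account within `window`
    """
    findings = defaultdict(set)
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_account[e.account].append(e)

    for account, evs in by_account.items():
        for e in evs:
            if e.query.strip() in BROAD_QUERIES:
                findings[account].add("broad_query")
            if e.ip not in known_ips.get(account, set()):
                findings[account].add("new_source_ip")

        # Sliding-window sum of records returned; evs is already time-ordered.
        start, total = 0, 0
        for e in evs:
            total += e.returned
            while evs[start].ts < e.ts - window:
                total -= evs[start].returned
                start += 1
            if total > max_records:
                findings[account].add("bulk_volume")
                break

    return {account: sorted(reasons) for account, reasons in findings.items()}


if __name__ == "__main__":
    for account, reasons in detect_scraping(parse_log(SAMPLE_LOG), KNOWN_IPS).items():
        print(f"{account}: {', '.join(reasons)}")
```

In the constructed data, `globex_rec` trips all three signals, while `initech_hr` trips only the volume check: six specific queries of 100 records each inside half an hour, which is what a scraper that avoids wildcards to stay under the radar would look like. The volume threshold is the one that needs tuning against real recruiter behaviour; the new-IP signal only works if the site keeps a per-account history of source addresses in the first place.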

  3. Re:Trollish submitter by cyclone96 · · Score: 3, Informative

    Beyond everything that you nicely outline, when it comes to the USAJobs site they won't be able to "shrug it off" because of the connection to the government.

    USAJobs was built under federal contract, and the government was slowly moving to requiring every federal position be applied for through USAJobs. That includes internal promotions, executives, new-hires...basically everyone who is not elected or an appointee. A lot of fairly high ranking career civil servants are in that database.

    I'm guessing the government is going to be very harsh on this, as they typically are when a contractor screws up IT security.

    BTW, most federal employees and managers hate USAJobs, since you are not allowed to interview anyone unless the computer ranks them highly when it runs its resume search algorithm. I can't interview someone unless the computer spits it out. Potential hires (and internal promotions) have to figure out how to "fake out" the search algorithm so their resume gets through. I'd love to see it go away.

    --
    Worst...sig...ever!
  4. Re:Trollish submitter by Anonymous Coward · · Score: 1, Informative

    I for one was NOT comforted when I received an email from USAJobs saying that my SS# was safe. I'm a recent MPA grad and it's required on the site and in submissions + transfers to agency sites as far as I can tell. What disturbed me was the wording of their security notice, it implies that USAJobs is actually sending/providing my full information to an outside contractor.

    That this includes my SS# going from a .gov to a .com is really a case of gov't being lazy about integration imho.

    More importantly, I'm really pretty pissed that they aren't clear about what was leaked -- my contact information was not supposed to be visible, but it's implied that it was available to marketers/recruiters anyway. The Fed really should be much more careful about giving away personal information...that database with contact information for new and internal recruits is worth an insane amount of money.

    As to the hiring process...I've given up. My MPA seems useless for finding employment with the federal government. Most positions at GS-7/9 advertise as allowing qualification based on education, but I've never been forwarded for an interview--despite honor society membership and a background in software. And in one case the hiring agency forgot to say they needed transcripts, didn't forward me for consideration, and didn't bother to notify me they had screwed up after I emailed them--they just updated their other (non-closed) postings with the new information that transcripts were required. Then there's the VA that posts requests to slide applications under the door for FCIP positions or deliver them by hand because the postal service isn't reliable.

    Classy, unprofessional, and totally indicative of major failure when the retirement wave hits.