Monster.com Attacked, User Data Stolen

Posted by Zonk on Wed Aug 22, 2007 12:35 AM
from the rarr-snarl dept.
Placid writes "The BBC has an article detailing a successful attack on the US recruitment site, Monster.com. According to the article, 'A computer program was used to access the employers' section of the website using stolen log-in credentials' and that the stolen details were 'uploaded to a remote web server'. Apparently, this remote server 'held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website'. The article also links the break-in to a phishing e-mail sent out recently where personal details were used to entice users to download a 'Monster Job Seeker Tool.'"

Related Stories

[+] Monster.com Malware Tags Another Site 50 comments
bl8n8r writes "The first wave of problems for Monster.com came in the form of malware as recruiters cluelessly pointed trojaned Windows systems into Monster's database. The incident reportedly gleaned more than 1.6 million records from the job search site's database. The second incident followed two days later in the form of an infected Monster.com server pharming out malware by way of advertisements hosted on its websites. The latest incident now shows jobseekers using USAJobs are also at risk from the pharmed Monster trojan. The worst part is Monster.com seems to shrug it off with: 'As is the case with many companies that maintain large databases of information, Monster is from time to time subject to illegal attempts to extract information from its database. Despite ongoing analysis, the scope of this illegal activity is impossible to pinpoint.'"
  • I like the BBC headline better.
  • by grahamux (539822) on Wednesday August 22 2007, @12:44AM (#20314861)
    You know, every time I get an email telling me my Bank of America account is going to be frozen, and should go to http://myaccounts-bankofamerica.net/ [myaccounts...merica.net] I always ask myself "Who actually falls for this stuff?". Now, I know. The people I look to for jobs. /cheer
    • by Farmer Tim (530755) <roundfile.mindless@com> on Wednesday August 22 2007, @12:57AM (#20314941) Journal
      What, you needed more evidence that your (potential) boss is an idiot?
    • Re:Phishing Attack (Score:5, Insightful)

      by timmarhy (659436) on Wednesday August 22 2007, @02:03AM (#20315285)
      It seems to be a universal fact that to be in HR you need to always have an IQ lower than the people you are interviewing. It certainly has been in every company I've worked at.

      Remember, these are the type of people who were putting "5 years experience required in windows 2003 admin" in 2005.

      • by jombeewoof (1107009) on Wednesday August 22 2007, @02:23AM (#20315383) Homepage

        > It seems to be a universal fact that to be in HR you need to always have an IQ lower than the people you are interviewing. It certainly has been in every company I've worked at.
        >
        > Remember, these are the type of people who were putting "5 years experience required in windows 2003 admin" in 2005.

        I have the official HR handbook. The basic rule is "You can be NO smarterer than the chair you sit in"
    • Re:Phishing Attack (Score:5, Insightful)

      by arivanov (12034) on Wednesday August 22 2007, @02:48AM (#20315493) Homepage
      Err... You are missing the point.

      Monster.com was broken into for spearphishing, not for sending bulk emails regarding "Bank of America". Spearphishing as a term is used to describe a phishing set up which is designed to hit a victim specifically by using a victim specific ruse based on knowledge of personal data.

      Recruitment agencies are actually a prime target for such attacks:

      1. Nearly all of them (even the specialised unix oriented ones) require all CVs in Microshit Word so pushing a custom Trojan is trivial.
      2. Nearly all of them systematically violate the Data Protection act and other similar statutes which require them to remove customer data from their databases when no longer needed. So far in the UK only 3% of the ones I have asked to remove my details have complied with the request. Amidst the most vile violators are the two biggest MOD oriented agencies and more than 50% of the top 20 (by job posting numbers).
      3. In addition to that apparently at least one UK (and international) jobboard also does not remove customer data even if you delete your accounts from there. As a result the agencies are re-fed your details on a regular basis.
      4. The agencies possess enough data for a perfect spearphish: date of birth, nationality, postal address, occupation, prior job history, current and past salaries as well as further background. In some cases where they have been subcontracted to do HR they possess even more data like NSNs/SSNs, credit ratings and the like.

      Frankly this is an industry that is in desperate need to be smacked with some vile regulation compared to which SOX and the recent health IT regs in the US are child's play. They need to be straightened out and made to follow the laws of the land with regard to customer privacy. At the moment they are systematically ignoring them and in many cases they possess more of your personal information than your bank.

      So let's hope that the Monster case will cause some moves towards that.
  • Hehe (Score:5, Funny)

    by JimboFBX (1097277) on Wednesday August 22 2007, @12:47AM (#20314885)

    > Last year, a British nurse was blackmailed by hackers who had used a Trojan to access her personal e-mails.

    I'll let you guys stew on how ambiguously funny that sentence is.
  • by indraneil (1011639) on Wednesday August 22 2007, @12:51AM (#20314895) Homepage
    Symantec's explanation [symantec.com]
    The trojan (called Infostealer.Monstres) seems to be using HR login details (possibly stolen) to access the hiring.monster.com and recruiter.monster.com sub-domains and download candidate information. It also seems to be similar to a previously known trojan called Trojan.Gpcoder.E [slashdot.org].
    Symantec estimates that 1.6 million people (mostly from the USA) have been impacted.
    They have informed Monster about it.
  • hmmm (Score:4, Insightful)

    by wizardforce (1005805) on Wednesday August 22 2007, @12:52AM (#20314899) Journal
    So Monster had no way of preventing some set of IP addresses from downloading over a million entries? Does that sort of thing happen a lot and they didn't think it was unusual, or what? It would just seem to me that if there were a lot of servers downloading an unusual amount of entries that there should be some way to prevent that...
  • cue sound: (Score:5, Funny)

    by doyoulikeworms (1094003) on Wednesday August 22 2007, @01:22AM (#20315077)
    M-M-M-Monster Kill (...kill...kill...kill...kill...)
  • by Chris Pimlott (16212) on Wednesday August 22 2007, @01:28AM (#20315103)
    What a nightmare, I'm already being flooded by dozens of job offers for adult websites development...
  • by Meneth (872868) on Wednesday August 22 2007, @01:46AM (#20315195)
    Seriously, if even Slashdot can't use the word properly, how can we ever expect the MAFIAA to learn?
  • by FrostedWheat (172733) on Wednesday August 22 2007, @01:53AM (#20315231)

    This story has the best headline I've seen on the BBC in a long time:

    Monster attack steals user data

    Ruh-roh! Someone call the Scooby Gang!

  • by shadowspar (59136) on Wednesday August 22 2007, @06:00AM (#20316245) Homepage

    Nothing. Absolutely nothing.

    The story's all over the media and the internet, Symantec has a blog post [symantec.com] and a virus writeup [symantec.com], and what's on the front page of Monster? Not a damn thing. No "your personal info may have been stolen", "hey, yeah, that data breach thing, we're looking into it", no acknowledgement of any kind. Their press page [monsterworldwide.com] contains bulletins about the Monster Employment Index and their top ten workplace etiquette tips. Looks like we're going to see another good example of how not to handle negative press related to a security issue.

    • by JonTurner (178845) on Wednesday August 22 2007, @12:41AM (#20314849) Journal
      Wanted:
      New sysadmin. Must have experience in data security. Submit resume to adminjob@monster.com
      • by Harmonious Botch (921977) * on Wednesday August 22 2007, @01:39AM (#20315155) Homepage Journal
        I did it. Hire me.
      • by high_rolla (1068540) <highrollaNO@SPAMgmail.com> on Wednesday August 22 2007, @02:10AM (#20315323) Homepage
        Yeah, followed by the new marketing campaign: "Nobody else makes it this easy for your details to reach more employers"
      • by janrinok (846318) on Wednesday August 22 2007, @02:10AM (#20315325)
        I don't agree. If you RTFA, you will see that the system was penetrated by using valid UIDs and passwords, which had been previously gathered using a phishing attack. Any system is vulnerable to such an attack and you can hardly line up all sysadmins and have them shot - despite any justification that the odd one might actually deserve it. But I am surprised by the number of techies that fell for the phishing attack in the first instance.
        • by JonTurner (178845) on Wednesday August 22 2007, @02:50AM (#20315503) Journal
          Upon reflection, I agree with you. It's not the admin's fault -- once it was in the admin's domain, it was already too late. IMO, this breach happened due to a design shortcoming, not a programming error. Let me explain: Any serious company with an internet presence should be asking "When a loss of an external user account/password occurs, what's the maximum damage that can occur? What can we do to minimize the impact?" Frankly, there is no reason at all that one user account (or even dozens) should be able to download 1.6 MILLION (!!) resumes. That's an incredible number!

          I'm shocked to think Monster doesn't have a limit on the # of resumes an account is able to d/l per some time period (week/month/quarter). I don't know what that number is, but I'm thinking closer to "100" than "1.6 million". And didn't they run some cumulative activity reports once in a while to learn which accounts are the most active? And to what IPs the requests are being served? At the least, you'll know who your biggest customers are (or at least the ones who are taxing your servers) and where the data is going. At best, you'll spot problems like this breach as it is happening and stop it.

          So if someone must be sacrificed, line up the data security officers and a project manager or two. It's their job to be asking these questions and ensure they are compliant.

          Then again, hindsight is 20/20. Maybe the best thing that occurs from all this is we, on the sidelines, learn from their mistakes.
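The two design controls raised in this thread (wizardforce asking why a set of IP addresses could pull over a million entries unnoticed, and JonTurner's per-account download cap per time period plus a cumulative activity report by account and source IP) are simple enough to show end to end. The block below is an added example written for this page; it is not Monster's code, not Symantec's analysis, and not anything a commenter posted. The log format, the account names, the IP addresses and the threshold values are all assumptions constructed for illustration, and the sample traffic is generated inside the block so it runs offline.

```python
"""Per-account download quota plus an activity report over recruiter-portal
access logs. Added example; not code from Monster.com or from any commenter.
Log format, field names and thresholds are assumptions for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values, chosen for the example, not Monster's actual policy.
BURST_LIMIT = 25                      # max requests per account in any 5-minute window
BURST_WINDOW = timedelta(minutes=5)
DAILY_QUOTA = 100                     # max distinct resumes per account per rolling 24 h
DAILY_WINDOW = timedelta(hours=24)


def build_sample_log():
    """Constructed sample traffic: two ordinary recruiter accounts and one
    account whose stolen credentials are driven by a script from two IPs.
    Line format (assumed): <ISO timestamp> <account> <client ip> <action> <resume id>."""
    t0 = datetime(2007, 8, 17, 9, 0, 0)
    lines = []
    for i in range(8):    # acme_hr: one resume every 15 minutes
        ts = (t0 + timedelta(minutes=15 * i)).isoformat()
        lines.append(f"{ts} acme_hr 203.0.113.10 view_resume r10{i:02d}")
    for i in range(5):    # bigcorp_recruit: one resume every 20 minutes
        ts = (t0 + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} bigcorp_recruit 198.51.100.7 view_resume r20{i:02d}")
    for i in range(400):  # stolen_login: 400 resumes in 40 minutes, alternating source IPs
        ts = (t0 + timedelta(seconds=6 * i)).isoformat()
        ip = "192.0.2.44" if i % 2 == 0 else "192.0.2.45"
        lines.append(f"{ts} stolen_login {ip} view_resume r3{i:04d}")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically


def parse_line(line):
    """Split one log line into its fields (format assumed above)."""
    ts, account, ip, action, resume = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "ip": ip, "action": action, "resume": resume}


def evaluate_log(lines):
    """Replay the log in order, deciding each resume request against the
    burst and daily limits, and collect the counts a periodic activity
    report needs. Blocked requests still count toward both limits, so a
    client that keeps hammering after a block cannot probe for the reset."""
    recent = defaultdict(deque)      # account -> timestamps inside the burst window
    daily = defaultdict(deque)       # account -> (timestamp, resume) inside the daily window
    requests = defaultdict(int)
    served = defaultdict(int)
    blocked = []                     # (account, ip, timestamp, reasons)
    per_ip = defaultdict(int)
    account_ips = defaultdict(set)

    for rec in map(parse_line, lines):
        if rec["action"] != "view_resume":
            continue
        acct, ts = rec["account"], rec["ts"]
        requests[acct] += 1
        per_ip[rec["ip"]] += 1
        account_ips[acct].add(rec["ip"])

        q = recent[acct]                     # sliding window of request times
        q.append(ts)
        while ts - q[0] > BURST_WINDOW:
            q.popleft()
        d = daily[acct]                      # sliding window of (time, resume id)
        d.append((ts, rec["resume"]))
        while ts - d[0][0] > DAILY_WINDOW:
            d.popleft()
        distinct_today = len({r for _, r in d})

        reasons = []
        if len(q) > BURST_LIMIT:
            reasons.append("burst")
        if distinct_today > DAILY_QUOTA:
            reasons.append("quota")
        if reasons:
            blocked.append((acct, rec["ip"], ts, tuple(reasons)))
        else:
            served[acct] += 1

    return {"requests": dict(requests), "served": dict(served), "blocked": blocked,
            "per_ip": dict(per_ip),
            "account_ips": {a: sorted(s) for a, s in account_ips.items()}}


def activity_report(result, top_n=3):
    """Most active accounts as (account, requests, served, distinct source IPs):
    the cumulative report that would expose one login pulling hundreds of
    thousands of records from a handful of addresses."""
    rows = [(a, n, result["served"].get(a, 0), len(result["account_ips"][a]))
            for a, n in result["requests"].items()]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows[:top_n]


if __name__ == "__main__":
    res = evaluate_log(build_sample_log())
    for row in activity_report(res):
        print(row)
    print(len(res["blocked"]), "requests blocked")
```

On the constructed sample the scripted account is cut off after its 25th request by the burst limit and would have tripped the daily quota on its 101st distinct resume even if it had paced itself; the two legitimate accounts are never touched. Two design points worth noting: the burst window is keyed on the account rather than the client IP, because the attacker here rotates addresses while the credential stays constant, and the report still records per-IP totals so the destination of the data is visible alongside the account that pulled it.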
    • by uptownguy (215934) <UptownGuy&HotPOP,com> on Wednesday August 22 2007, @01:37AM (#20315145)
      Monster and Dice are just meat markets. Relatively few people actually get jobs there

      Craigslist all the way. I am operations manager for a small IT firm and we've hired our last ten people from Craigslist. The response rate is fantastic. In most major markets, posting an ad is still free (for now). I keep getting calls from a rep. at Monster every three to six months asking me to pay $300-$400 PER LISTING at Monster. I let them know that I am perfectly happy with the quality, quantity and cost of Craigslist. There's a long pause and then they say maybe they'll give me a call in three to six months to check up on me. It's a little silly and arrogant to think that everyone will be able to get a job through personal connections. But Monster and Dice are so 1999. Craigslist is where the real action is.

      Hint to other employers out there: I've found that the quality of candidates who respond to postings is directly proportional to the quality of the ad that you post. Put some thought into what you write. (Note: The same holds true for Slashdot.)
      • by penguin_dance (536599) on Wednesday August 22 2007, @05:20AM (#20316067)

        Craigslist...right.... Lots of ads, like the following:

        WEB DEVELOPER needed for growing company, must be prorficient [sic] in PHP, ASP, ASP.NET, C++, Java and XHTML. Students welcome. $10 hr.

        Oh, and here's a title from an actual ad now running (you can't make this stuff up):
        Big Dog Web Developers Needed for a Big Back End

        I don't even want to know.

    • by IBBoard (1128019) on Wednesday August 22 2007, @02:59AM (#20315531) Homepage

      ...you have an un-American bias

      We'll stop calling websites for the USA "US Websites" when you stop butchering our language. The word you were looking for is "anti-American" ;) "un-" means "not", "anti" means "against", you meant "bias against America" not "bias that's not American".

      Also, if you check your history then Europe created the public WWW (with the CERN site in France/Switzerland) and it was a Brit, Tim Berners-Lee, who first developed HTML and worked on the original HTTP specification (Wikipedia references [wikipedia.org]).
        • by Bloke down the pub (861787) on Wednesday August 22 2007, @04:49AM (#20315951)

          > Nobody speaks the English which was spoken when America was colonized.

          Sir, you are quite mistaken, and if you persist in perpetuating these fallacious fripperies I shall be honour bound to demand that you perambulate into my vicinity and repeat them, on pain of fisticuffs. Good day!
    • Re:Porn (Score:5, Funny)

      by clickclickdrone (964164) on Wednesday August 22 2007, @04:34AM (#20315897) Homepage
      I know this will get modded down but...
      >thousands of minutes of erotic movies
      TIP: say hundreds of *hours*. Saying minutes really implies your target audience don't umm, last very long IYSWIM. Not good marketing to insult them up front.