Recruitment website, Monster.com has suffered a massive security breach, leaving thousands of users' personal details exposed.
The breach was reported yesterday, as a new trojan called Infostealer.Monstres was detected while uploading data from a remote server of the recruiter.
Symantec, who analysed a sample of the trojan said that when it investigated the breach the remote server held over 1.6 million entries with personal information belonging to several hundred thousand people mostly based in the US, who had posted their CVs on the site.
The security vendor said: "We were very surprised that this low profile trojan could have attacked so many people."
Upon investigation, Symantec said the trojan had gained access to the server through subdomain connections. These subdomains belong to the "Monster for employers" only site, the section used by recruiters and human resources personnel to search for potential candidates, post jobs to Monster and other related activities. This site requires recruiters to log in to view information on candidates.
Upon further investigation, it said the trojan appears to be using credentials of a number of recruiters to login to the site and perform searches for resumes of candidates located in certain countries or working in certain fields.
The trojan sends HTTP commands to the Monster.com website to navigate to the Managed Folders section. It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter's saved searches.
The personal details of those candidates, such as name, surname, email address, country, home address, phone numbers and resume ID, are then uploaded to a remote server under the control of the attackers.
Such a large database of highly personal information is a spammer's dream. In fact, we found the trojan can be instructed to send spam email using a mail template downloadable from the command & control server.
The main file used by Infostealer.Monstres, ntos.exe, is also commonly used by trojan.Gpcoder.E, and both also have a similar icon for the executable file that reproduces the Monster.com company logo.
It also said that the trojan.Gpcoder.E has reportedly been spammed in Monster.com phishing emails. These emails were very realistic, containing personal information of the victims. They requested that the recipient download a Monster Job Seeker Tool, which in fact was a copy of trojan.Gpcoder.E. This trojan will encrypt files in the affected computer and leaves a text file requesting money to be paid to the attackers in order to decrypt the files. The code for Gpcoder is rather similar to that of Monstres, which may indicate the same hacker group is behind both trojans.
Symantec advised that to protect identity when using recruitment sites, or at least limit exposure to identity theft, users should limit the contact information posted on these sites, use a separate disposable email address and never disclose sensitive details such as passport or driver's licence numbers or bank account information until it has been established they are legitimate.
Other security experts said that it is not only users that should be worried about this breach; companies could also find themselves leaking sensitive information to criminals.
"Putting aside Monster.com's reputation, HR managers everywhere will be using Monster to find their new employees, giving the criminal a backdoor to the business," said Andrew Clarke, senior vice president at patch management company Patchlink.
He said that in order to prevent further breaches, companies need to "turn security on its head".
"Instead of working on our back foot, adopt a positive security model," he said. "By adopting the 'known good' strategy the Monster.com breach would not be able to affect business; the malware used in this case, ntos.exe, would simply be denied access onto a network."
