The Mess

The last thing you need when you're unemployed is a bank account that's suddenly emptied. But that's exactly what some unwary users of employment search site faced after identity thieves made off with the personal information of more than a million people looking for jobs.

How It Started

This still-developing story has enough nooks and crannies to confuse a gumshoe, but some facts are clear: Monster's resume database was looted, and the personal information taken was used to forge convincing messages that deposited password-stealing Trojans and ransomware on users' PCs.

Calculated and ambitious, the attack is striking for how it blended several elements--stolen credentials of legitimate users, phishing e-mails, Trojan horses, money mules and more--into a slick assault.

What We Know So Far

Was hacked? No, as Symantec said immediately. Instead, the attackers accessed the resume database with legitimate usernames and passwords, probably stolen from professional recruiters and human resource personnel who use the "Monster for employers" section of the site to look for job candidates. But it wasn't until Thursday that admitted as much. "By gaining unauthorized access to employer accounts, the software was obtaining job seeker contact information," a new alert said.

What was snatched from the database? Names, e-mail addresses, mailing addresses, phone numbers and resume IDs, said Symantec. Yesterday, added that only about 5,000 of the people whose data was filched live outside the U.S. That squares with what Symantec's Amado Hidalgo said in an e-mail: The information-stealing Trojan was hard-coded to dig through only the "" and "" domains, limiting their theft to the Monster USA site's database. "They only targeted the U.S. Monster site and not any other international Monster [Worldwide] Inc. sites, such as those in the U.K., Spain, etc.," said Hidalgo.


Subscribe to the Best of PCWorld Newsletter