The Monster.com Mess

How Was the Information Stolen?

The Infostealer.Monstres Trojan runs batch searches by sending HTTP commands to the Monster Web site to navigate through folders, said Hidalgo. The malware then parses the output that appears in a pop-up window that holds the job seeker profiles that match the search criteria. Essentially, the Trojan worked as an automated search bot that located candidates, captured their contact information and sent it to a remote server controlled by the criminals. Symantec said that the server, though located in Russia, was hosted by a company out of Ukraine.

By using Infostealer.Monstres to do their harvesting, the attackers also covered their tracks--the Trojan could be planted on any computer previously compromised, with the search seemingly originating with that computer's owner--and could easily spread the work out among a number of IP addresses, probably to slip under any Monster radar potentially watching for unusually large numbers of search requests coming from any one location. (There is no evidence at the moment that Monster deploys such radar.)

How many people are affected? Initially, Symantec's researchers played it vague, saying only that "several hundred thousand" were at risk. Thursday, though, Monster said that it had found contact information on the hackers' server for about 1.3 million people who had posted resumes. The other number that's been bandied about--1.6 million--represents the tally of contact entries Symantec counted on the server last week; a significant number of Monster users apparently post more than one resume.

How did the hackers manage to grab so many contact records without Monster.com noticing? That's a good question. Monster itself hinted at one explanation: automated searches like the ones Infostealer.Monstres ran aren't unusual. "Many of our customers use automatic or semiautomatic means to search our database," said Monster spokesman Steve Sylven last Sunday. "Moreover, many of our larger customers rely heavily on our database, and their use may be similar to programmatic or scripted access." Translation: The searches conducted by the bigger Monster customers are as bot-like as those run by the Trojan.

The thieves also probably relied on some standard tactics to avoid detection, including running the searches from innocent PCs and spreading out the work (see "How was the information stolen?" above). Spammers and malware spreaders use zombies to send junk mail and malware for the same reasons.
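To make the detection problem described above concrete, here is an added example (not from the original article, and not Monster's or Symantec's code) that compares a per-IP volume alarm with a per-account fan-out check. It assumes each search request is logged with the customer account it was authenticated as; the account names, addresses and thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of search requests as (source_ip, account) pairs.
# One heavy scripted customer on a single address, one account whose
# searches are spread thinly over 30 hosts, and one ordinary user.
SAMPLE = (
    [("198.51.100.7", "acct-bigcorp")] * 900
    + [(f"203.0.113.{host}", "acct-x") for host in range(1, 31) for _ in range(40)]
    + [("192.0.2.10", "acct-small")] * 12
)

# Hypothetical thresholds for one monitoring window.
PER_IP_LIMIT = 500          # searches from a single address
PER_ACCOUNT_LIMIT = 1000    # searches by a single account
MAX_IPS_PER_ACCOUNT = 5     # distinct addresses one account normally uses


def per_ip_alerts(requests, limit=PER_IP_LIMIT):
    """Classic volume alarm: flag any address exceeding the limit."""
    totals = defaultdict(int)
    for ip, _account in requests:
        totals[ip] += 1
    return sorted(ip for ip, count in totals.items() if count > limit)


def fanout_alerts(requests, limit=PER_ACCOUNT_LIMIT, max_ips=MAX_IPS_PER_ACCOUNT):
    """Flag accounts with high total volume arriving from many addresses."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for ip, account in requests:
        totals[account] += 1
        sources[account].add(ip)
    return sorted(
        account for account in totals
        if totals[account] > limit and len(sources[account]) > max_ips
    )


if __name__ == "__main__":
    # The per-IP rule flags only the legitimate heavy customer and misses
    # the distributed harvest; the fan-out rule does the opposite.
    print("per-IP alerts: ", per_ip_alerts(SAMPLE))
    print("fan-out alerts:", fanout_alerts(SAMPLE))
```
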

What did the criminals do with the Monster data once they had it? No one's arguing the facts: personal information purloined from the Monster resume database was used to create, then send, targeted phishing e-mails--the term is "spear phishing"--that spread other malicious software or recruited "money mules," the middlemen who transfer money from a phished bank account to a foreign bank account. Where Monster and Symantec part ways is the emphasis.

Monster has focused on the mule-recruiting angle or even depicted those e-mails as run-of-the-mill phishing. "The purpose of gathering this information appears to be sending email disguised as Monster in order to gain recipients' trust, and then attempting to convince users to engage in financial transactions," the company now says on its revised security alert. Only in passing does it also call out "or lure them into downloading malicious software."

That, however, is the prime use of the stolen information, said Symantec's Hidalgo, who traced connections between Infostealer.Monstres and at least two other Trojans. The first, Banker.c, watches for, steals, then transmits back to hacker HQ online banking log-in information for accounts at Bank of America and the German arm of Citibank. The second, Gpcoder.e, is "ransomware," a Trojan that encrypts files on the infected PC's hard drive, then informs its owner that the files will be unusable until a fee is paid. In Gpcoder.e's case, the ransom was $300.
