The Monster.com Mess

What Good Does the Other Stolen Information Do the Thieves?

Two words: Response rate. According to research conducted by an Indiana University team in 2005, people are much more likely to click or give up information if the message contains clues of legitimacy, as when the message appears to come from a close friend. In fact, 72% of the people in the study who received phishing mail from someone in their social network took the bait and divulged their log-on information, four and a half times the number in the control group.

Spear phishing, then, can be incredibly effective, at least from the criminals' point of view. By using the Monster resume data to target the recipient and flesh out the e-mail with the recipient's real name--often difficult or impossible to guess from the e-mail address itself--the crooks can expect more people to let down their guard and actually launch the attached file. (In the case of Gpcoder.e, the file posed as Monster Job Seeker Tool, fictitious software of course, but plausible enough to get people to click; when they did, they installed the Trojan, not a job search assistant.)

So the goal of the attackers is...what? Bank account log-ons, clearly. Ransomware, though not uncommon, usually flops because someone--often one or more security vendors--cracks the encryption used to lock up the files and makes that public, eliminating the need to pay up.

Another clue that bank accounts are the endgame is the effort spent on recruiting money mules. The group wouldn't need mules unless it had, or anticipated having, access to bank accounts.

When did this start? We don't know, and so far, Monster has not talked about this. But one self-described Monster user claimed here to have received money-mule messages between June 3 and June 13, and had reported them to Monster. "Monster only said it was not from them and did not admit that they had let my information get away from them," said "Anonymous." Symantec first alerted Monster of its findings last Friday, Aug. 17, both the security company and Monster have said.

Evidence of the Gpcoder.e seeding--using phony Monster messages touting a nonexistent tool--goes back at least as far as early July, according to analysis by U.K.-based security company Prevx Ltd. It may have started days or even weeks before that.

Some reports, in fact, have claimed users started seeing phishing mail built atop the stolen personal information as early as February of this year.

What can Monster users do to protect themselves? For the 1.3 million whose resumes have been pillaged, it's too late; the horse has left the barn. Even so, some users decided to cancel their accounts as a way to block any future malware-based searches. "I can still search for jobs and submit my resume to postings, but employers/recruiters cannot find me in their searches," said a Chicago user identified as "Greg" in a comment on a Computerworld story that ran Thursday. "I certainly would encourage others to protect themselves and delete their Monster accounts as well."

Monster hasn't disabled batch or automated searches, or if it has, it's not said as much. (On Sunday, company spokesman Steve Sylven seemed to say that because large corporate customers of the service used automated searches, banning them would be out of the question.) It has, however, shut down the server that the gang was using to store its stolen data and presumably disabled the legitimate accounts used to access the database. (Symantec's Hidalgo said last week that his team had forwarded those accounts to Monster.) We say "presumably" because while we have asked Monster if those accounts have been closed, the company has not explicitly acknowledged doing so.
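The abuse described above is a volume problem: legitimate accounts pulling resumes at a rate no human recruiter sustains. The following is an added example, not code from the article, from Monster or from Symantec, showing how a site operator could flag such accounts from its own resume-view logs. The log format (timestamp, account, resume id), the account names and the thresholds are assumptions for illustration; the sample log is constructed here. As the article notes, large corporate customers run automated searches legitimately, so the threshold has to be tuned against known-good bulk users rather than set to zero.

```python
"""Flag accounts whose resume-retrieval volume looks automated.

Added example, not the article's or Monster's code. Log format, names and
thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log: one human recruiter viewing three resumes over an
    hour, and one harvesting account pulling 120 distinct resumes one per second."""
    base = datetime(2007, 8, 10, 9, 0, 0)
    lines = [
        f"{(base + timedelta(minutes=m)).isoformat()} recruiter_a {1000 + i}"
        for i, m in enumerate((0, 4, 31))
    ]
    lines += [
        f"{(base + timedelta(seconds=s)).isoformat()} harvester_x {2000 + s}"
        for s in range(120)
    ]
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Group (timestamp, resume_id) records by account. Assumed format:
    '<ISO-8601 timestamp> <account> <resume_id>' per line."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, resume_id = line.split()
        events[account].append((datetime.fromisoformat(ts), resume_id))
    return events


def peak_views(timestamps, window):
    """Largest number of views that fall inside any interval of length `window`
    (sliding two-pointer scan over the sorted timestamps)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_bulk_accounts(events, window=timedelta(minutes=10), threshold=50):
    """Return {account: stats} for accounts whose peak view count within
    `window` reaches `threshold`. Both parameters are assumed tuning values."""
    flagged = {}
    for account, recs in events.items():
        peak = peak_views([t for t, _ in recs], window)
        if peak >= threshold:
            flagged[account] = {
                "peak": peak,
                "distinct": len({rid for _, rid in recs}),
            }
    return flagged


if __name__ == "__main__":
    for acct, stats in flag_bulk_accounts(parse_log(build_sample_log())).items():
        print(f"{acct}: {stats['peak']} views in 10 min, "
              f"{stats['distinct']} distinct resumes")
```

Counting distinct resumes alongside the peak rate separates a harvester (every view is a new record) from a recruiter who repeatedly reopens the same few candidates; a whitelist of known bulk customers, or a per-account baseline, would be layered on top of this in practice.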

Other than that, the only advice being given by Monster or Symantec is the usual: Be suspicious of all unsolicited, unanticipated e-mail, run up-to-date antivirus software--to stop Trojans such as Banker.c or Gpcoder.e at the door--and refuse to give out personal information.
