Identity Theft - Phishing : Monster.com Phishing & Personal Data Breach
Posted by Max on 2007/8/22 6:28:43 (1343 reads)

US job website Monster.com has fallen victim to a web application attack. The results are worrying, with the personal data of hundreds of thousands of members stolen, a security firm reports.

The attack was carried out by a scripted exploit using stolen login credentials. The employer’s section of the website allowed the attackers to collect a huge number of usernames, email addresses, home addresses and phone numbers: the usual details submitted in a resume to a job website.


The best guess of security analysts about the attacker’s intent is spam; still, more can be expected from this incident.

The effects of this incident didn’t take long to show up: people are reporting phishing emails sent to legitimate Monster.com users that were "very realistic" and contained "personal information of the victims".

The e-mail encouraged users to download a Monster Job Seeker Tool, which was in fact a program that encrypted files on their computer and left a ransom note demanding money for their decryption.

"To the best of our knowledge, this is not a hack of Monster's security, rather, legitimate customer credentials are being used to log in to the database," said Patrick Manzo, vice president of compliance and fraud prevention at Monster.

He added: "There have been reports of this as an issue of identity theft. We are not aware of any cases of identity theft. In fact, the information that is gathered from Monster is no different than that displayed in a phone book."

The program used to access Monster.com user data was a Trojan, a type of program commonly used to gain access to bank details, usernames and passwords.

More than 8,000 new variants of Trojans are found each month, according to internet security specialists Sophos.

Last year, a British nurse was blackmailed by hackers who had used a Trojan to access her personal e-mails.

They threatened to reveal personal details unless she paid them.

Symantec said users should always limit the contact information they post to job websites and use a disposable e-mail address.

"Never disclose sensitive details such as your social security number, passport or driver's license numbers, bank account information to prospective employers until you have established they are legitimate," said the firm.



