www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
10 September 2007  

Updates

A compilation of the latest information about viruses and worms, security issues and patches to rectify the same.

Resumes: spammers' paradise

Malware Most Recent

Trojan.Peacomm.C
W32.Lecna.H
W32.Kabab.A
W32.Silly!gen
Trojan.Randsom.B
W32.Lashplay
W32.Scrimge.G
Trojan.Lazdropper
W32.Scrimge!gen
Infostealer.Monstres

Source: Symantec

A recent attack on the leading job portal Monster.com has started a debate over how highly resumes are prized in the identity theft community. According to some experts, they are gold in the hands of identity thieves, especially a more organized kind of theft ring, because the thieves can take the identities, match them up with geographical information, then just buy the Social Security Numbers and make a whole lot of money out of it. But according to Monster, some 1.6 million records stolen from Monster.com do not raise issues of identity theft. Rather, the company claims this information is no different from that displayed in a phone book.

Recently a sample of a new Trojan called ‘Infostealer.Monstres’ was analyzed. It was attempting to access the online recruitment Web site Monster.com and was also uploading data to a remote server. When that remote server was accessed, it was found that over 1.6 million entries with personal information belonging to several hundred thousand people were stored on it.

Upon further investigation, the Trojan appeared to be using the (probably stolen) credentials of a number of recruiters to log in to the Web site and perform searches for resumes of candidates located in certain countries or working in certain fields.

This sort of attack results in the creation of a spammer’s fantasy land of information. By stealing the information from Monster and customizing it, attackers can target their victims and send out convincing phishing e-mails that will install other malware to get more personal information.

There is evidence that an organized effort may be involved in the Monster data theft. As Symantec was reporting on Infostealer.Monstres, SecureWorks of Atlanta reported that it had discovered a cache of data stolen by a Trojan called “Prg.”

According to SecureWorks, the data, which includes bank and credit card account information, SSNs, online payment account user names and passwords and other personal information, is from 46,000 victims who were all individually infected.

This infection began in early May, and now the victims are being infected and reinfected by ads on various online job sites. The ads running on job sites are being injected with the Trojan; both of these activities are being performed by the hackers behind this scam.

Reportedly, the server caching the data stolen by the Trojan is one of 20 worldwide doing so. Twelve of those servers, including the one discovered by Jackson, are being operated by a single group of hackers known as the “Car Group,” for their penchant for naming their malware after auto makers.

The attack on Monster follows a modus operandi all too familiar to malware fighters. Monster has a high-profile name, but it’s like any other database that becomes compromised by someone with legitimate credentials who loses those credentials or makes them available to someone else. What we’re seeing today are targeted attacks that use a combination of techniques, and the end result is getting into people’s personal and financial information for financial gain. Further to the Monster saga, the company has discovered and shut down a rogue database that contained personal information culled from resumes posted on the site. Monster.com has also placed an advisory on its Web site warning users of the e-mail scam.

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.