Monster.com suffers job lot of data theft

Hundreds of thousands of users on the recruitment website Monster.com have had their personal details stolen, according to a security vendor.

A Trojan program has been taking the information from the areas of the Monster website accessed by recruiters and HR personnel, Symantec said on its official blog.

The security firm found that the Infostealer.Monstres Trojan had uploaded more than 1.6 million pieces of personal data belonging to several hundred thousand people to a remote server.

"We were very surprised that this low profile Trojan could have attacked so many people, so we decided to investigate how the data could have been obtained, " the Symantec blog said.

"Interestingly, only connections to the hiring.monster.com and recruiter.monster.com sub-domains were being made."

Symantec said that further investigation revealed that the Trojan appeared to be using the stolen credentials of a number of recruiters to search for CVs and steal the personal data.

Information stolen from the site included name, email address, country and home address, as well as work, mobile and home phone numbers. Most of the candidates who had their details stolen were based in the US.

"Such a large database of highly personal information is a spammer's dream," said Symantec.

"In fact, we found that the Trojan can be instructed to send spam using a mail template downloadable from the command and control server."

Symantec has informed Monster.com of the compromised Recruiter accounts so that they can be disabled.

The security firm also warned prospective job applicants to protect their identities when using recruitment sites by limiting the amount of contact information they post and using a separate disposable email address.

"Never disclose sensitive details such as your Social Security number, passport or driving licence numbers, bank account information etc to prospective employers until you have established that they are legitimate," Symantec said.

Graham Cluley, senior technology consultant at Sophos, agreed that users should be careful about sharing their data.

"Incidents like the Monster security breach underline how careful people should be about sharing their personal information on the internet," Cluley told vnunet.com.

"Websites can be hacked, breaches can occur, and mistakes can happen which may mean that data which you thought was being held securely is now in the hands of cyber-criminals."

See also:

Italian police fry Phish & Chip gang

Cyber-criminals responsible for 10,000 web page hacks  21 Aug 2007

US identity fraudster jailed for seven years

More than $1m nabbed using fake credit cards  20 Aug 2007

Web scams trick one in five US surfers

Victims admit to compromising their own security  16 Aug 2007

US curriculum to include online safety

Schools must educate students on cyber-threats  16 Aug 2007

Poor company policy aids identity theft

Too much reliance on paper-based authentication  13 Aug 2007

Like this story? Spread the news by clicking below:

 del.icio.us     Digg this     reddit!