Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres, which was attempting to access the online recruitment Web site Monster.com. It was also uploading data to a remote server. When we accessed this remote server, we found over 1.6 million entries with personal information belonging to several hundred thousand people. We were very surprised that this low-profile Trojan could have attacked so many people, so we decided to investigate how the data could have been obtained.
Interestingly, only connections to the hiring.monster.com and recruiter.monster.com subdomains were being made. These subdomains belong to the “Monster for employers” only site, the section used by recruiters and human resources personnel to search for potential candidates, post jobs to Monster, et cetera. This site requires recruiters to log in to view information on candidates.
Upon further investigation, the Trojan appears to be using the (probably stolen) credentials of a number of recruiters to log in to the Web site and perform searches for resumes of candidates located in certain countries or working in certain fields. The Trojan sends HTTP commands to the Monster.com Web site to navigate to the Managed Folders section. It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter’s saved searches.
The personal details of those candidates, such as name, surname, email address, country, home address, work/mobile/home phone numbers and resume ID, are then uploaded to a remote server under the control of the attackers.
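The mechanism described above, stolen recruiter logins driving a loop of HTTP searches against the employer site, also suggests what a recruiting firm could look for in its own web proxy logs. The following Python is an added example, not code from the original post or from Symantec: it parses a constructed proxy log, keeps only traffic to the two subdomains named above, flags a login whose request timing is too fast and too regular to be a person clicking through search results, and separately lists accounts used from more than one client. The log format, URL paths, usernames, IP addresses and thresholds are all assumptions made for illustration.

```python
# Added example: hunting for scripted use of a recruiter account in proxy logs.
# Only the two hostnames come from the write-up; everything else is assumed.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# The "Monster for employers" subdomains the Trojan was observed contacting.
EMPLOYER_HOSTS = {"hiring.monster.com", "recruiter.monster.com"}

# Hypothetical tuning. A recruiter paging through results by hand leaves
# irregular gaps of many seconds; a loop issuing HTTP requests does not.
MIN_REQUESTS = 10              # ignore clients with fewer employer-site hits
MAX_MEDIAN_GAP_SECONDS = 2.0   # median time between consecutive requests
MAX_GAP_CV = 0.5               # coefficient of variation of those gaps

# Assumed log format: "<ISO timestamp> <client ip> <proxy user> <method> <url> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^https?://([^/]+)")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = HOST_RE.match(m["url"])
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "user": m["user"], "host": host.group(1).lower() if host else ""}


def gap_stats(timestamps):
    """Median and coefficient of variation of the gaps between sorted timestamps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if not gaps:
        return 0.0, 0.0
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
    return statistics.median(gaps), cv


def employer_site_requests(log_text):
    """Group employer-site request timestamps by (client ip, proxy user)."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["host"] in EMPLOYER_HOSTS:
            per_client[(rec["ip"], rec["user"])].append(rec["ts"])
    return per_client


def find_scripted_clients(log_text):
    """Return {(ip, user): summary} for clients whose request timing looks automated."""
    findings = {}
    for key, stamps in employer_site_requests(log_text).items():
        if len(stamps) < MIN_REQUESTS:
            continue
        median, cv = gap_stats(stamps)
        if median <= MAX_MEDIAN_GAP_SECONDS and cv <= MAX_GAP_CV:
            findings[key] = f"{len(stamps)} requests, median gap {median:.1f}s, cv {cv:.2f}"
    return findings


def accounts_seen_from_multiple_clients(log_text):
    """Return {user: [ips]} for logins that reached the employer site from more than one client.
    Not proof of compromise, but the post attributes the Trojan's access to stolen
    recruiter credentials, so a login used from an unexpected machine deserves a look."""
    ips = defaultdict(set)
    for ip, user in employer_site_requests(log_text):
        ips[user].add(ip)
    return {user: sorted(v) for user, v in ips.items() if len(v) > 1}


# Constructed sample: recruiter1's login driven in a tight loop from 10.1.1.5,
# the same login used by hand from 192.0.2.10, and hr_bob browsing normally.
SAMPLE_LOG = """\
2007-08-17T08:30:00 192.0.2.10 recruiter1 POST https://hiring.monster.com/login 302
2007-08-17T08:31:40 192.0.2.10 recruiter1 GET https://hiring.monster.com/managedfolders 200
2007-08-17T09:00:00 10.1.1.5 recruiter1 POST https://hiring.monster.com/login 302
2007-08-17T09:00:01 10.1.1.5 recruiter1 GET https://hiring.monster.com/managedfolders 200
2007-08-17T09:00:02 10.1.1.5 recruiter1 GET https://hiring.monster.com/managedfolders/search?id=1 200
2007-08-17T09:00:04 10.1.1.5 recruiter1 GET https://hiring.monster.com/managedfolders/search?id=2 200
2007-08-17T09:00:05 10.1.1.5 recruiter1 GET https://hiring.monster.com/managedfolders/search?id=3 200
2007-08-17T09:00:06 10.1.1.5 recruiter1 GET https://hiring.monster.com/managedfolders/search?id=4 200
2007-08-17T09:00:07 10.1.1.5 recruiter1 GET https://hiring.monster.com/managedfolders/search?id=5 200
2007-08-17T09:00:09 10.1.1.5 recruiter1 GET https://hiring.monster.com/managedfolders/search?id=6 200
2007-08-17T09:00:10 10.1.1.5 recruiter1 GET https://hiring.monster.com/managedfolders/search?id=7 200
2007-08-17T09:00:11 10.1.1.5 recruiter1 GET https://hiring.monster.com/managedfolders/search?id=8 200
2007-08-17T09:05:00 10.1.1.9 hr_bob POST https://hiring.monster.com/login 302
2007-08-17T09:05:37 10.1.1.9 hr_bob GET https://hiring.monster.com/managedfolders 200
2007-08-17T09:07:12 10.1.1.9 hr_bob GET https://hiring.monster.com/managedfolders/search?id=1 200
2007-08-17T09:09:50 10.1.1.9 hr_bob GET https://www.monster.com/ 200
"""

if __name__ == "__main__":
    for (ip, user), why in find_scripted_clients(SAMPLE_LOG).items():
        print(f"scripted: {user} from {ip}: {why}")
    for user, ips in accounts_seen_from_multiple_clients(SAMPLE_LOG).items():
        print(f"login {user} seen from {', '.join(ips)}")
```

On the sample, only recruiter1's session from 10.1.1.5 trips the timing check (ten employer-site requests about a second apart), hr_bob's handful of slow requests does not, and recruiter1 is additionally reported because the login appears from two clients. The thresholds are deliberately loose starting points; the timing signal is what matters, since a stolen credential looks identical to the real recruiter at the authentication layer.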
This remote server held over 1.6 million entries with personal information belonging to several hundred thousand candidates, mainly based in the US, who had posted their resumes to the Monster.com Web site.
Such a large database of highly personal information is a spammer’s dream. In fact, we found the Trojan can be instructed to send spam email using a mail template downloadable from the command & control server.
The main file used by Infostealer.Monstres, ntos.exe, is also commonly used by Trojan.Gpcoder.E, and both executables carry a similar icon that reproduces the Monster.com company logo—hardly a coincidence.
Furthermore, Trojan.Gpcoder.E has reportedly been spammed in Monster.com phishing emails. These emails were very realistic, containing personal information of the victims. They requested that the recipient download a Monster Job Seeker Tool, which in fact was a copy of Trojan.Gpcoder.E. This Trojan encrypts files on the affected computer and leaves a text file demanding that money be paid to the attackers in order to decrypt the files. The code for Gpcoder is rather similar to that of Monstres, which may indicate the same hacker group is behind both Trojans.
We have informed Monster.com of the compromised Recruiter accounts so they can be disabled. To protect your identity when using recruitment sites, or at least limit your exposure to identity theft, you should limit the contact information you post on these sites, use a separate disposable email address and never disclose sensitive details such as your Social Security number, passport or driver’s license numbers, bank account information, etc. to prospective employers until you have established they are legitimate.
I would like to thank Hazel, one of our very patient colleagues in the HR department, for assisting us during this investigation.