Originally published August 24, 2007 at 12:00 AM | Page modified August 24, 2007 at 2:08 AM
Online job seekers become prey
Information
Monster.com's detailed precautions: help.monster.com/besafe
Share your story
If you've been victim to online data fraud on Monster.com or any other Web site, let us know. Contact The Seattle Times at 206-464-2204 or by e-mail at newstips@seattletimes.com
Monster Worldwide acknowledged Thursday that intruders swiped sensitive data for at least 1.3 million job seekers from its popular employment Web site.
Using e-mail addresses, phone numbers and other personal information harvested from Monster.com, hackers have posed as potential employers or as the Web site itself in a bid to hustle the victims' bank-account numbers and passwords.
The intruders also have used e-mail come-ons and pop-up ads pitching job-finding services to persuade victims to click on a tainted Web link. Clicking on the link results in an error message and turns control of the computer over to the intruder, said Don Jackson, virus researcher at security firm SecureWorks.
Monster.com said it shut down the "rogue server" where the stolen data was stored and that only names, addresses, phone numbers and e-mail addresses were found. It declined further comment, saying it was cooperating with law enforcement.
However, security experts said the rogue server likely was only one of dozens used to steal and store data in an elaborate theft campaign that has been operating since May.
There could be many more than the 1.3 million Monster patrons whose personal information has been breached, and there is little stopping the intruders from continuing the attacks, said Robert Sandilands, chief researcher at security firm Authentium.
"It is a very good first step by Monster," Sandilands said. "There will have to be more changes to prevent this from happening again. This was a smaller part of a much bigger operation."
The scheme came to light after computer-security firm Symantec reported on its Web site that it had found a hoard of 1.6 million personal records, including duplicates, stolen from Monster.com on a computer in Ukraine.
By Wednesday, Monster had posted a warning on its online "security center" that scam artists were sending bogus job offers to try to obtain bank-account information.
Monster said Thursday it would warn each victim by mail.
Symantec told Monster of the problem Aug. 17. Vice President Patrick Manzo said Monster waited five days to tell users of the intrusion.
"In terms of figuring out what the issue was, that was a relatively quick process," he said. "The other issue is, you want to make sure exactly what you are dealing with."
Infected computers are being incorporated into "zombie" networks to spread e-mail spam, deliver more infections and collect and store stolen data. Meanwhile, all information typed by the computer user into the Web browser, including usernames and passwords for online accounts, is collected.
Jackson, of SecureWorks, tracked down several servers being used to store data collected over time from victims' browser activity, including Social Security numbers and other data. One such storage unit held rich data for 46,000 individuals, he said.
The hackers appear to have used such data to log in to a job recruiter's Monster account and order contact information for 1.3 million job candidates.
That data, in turn, was used to target known job seekers for e-mail scams touting Monster's services.
Some Monster users said Thursday they had seen such e-mails as far back as February. Manzo said Monster had noticed e-mail attacks on customers eight or nine months ago but didn't have concrete evidence of improper access until the past week.
While multiple malicious programs are in use against Monster and its clients, Symantec said they all appeared to be written by the same band of thieves.
The attack has been so effective that security experts expect it to be tried at other employment sites. Social- and business-networking sites are also susceptible, they say.
"The advice to just stay out of the dark corners of the Internet really doesn't hold water anymore," said David Cole, director of the Symantec Security Response team. "The bad guys are going to legitimate Web sites and attacking people."
The security breach is notable because of its complexity and size. Average computer users have grown accustomed to ignoring fraudulent come-ons for their bank accounts that purport to be from the likes of PayPal or Citibank.
But the Monster scheme is more convincing because e-mails sent by the scammers include personal information about victims such as their cellphone numbers and street addresses.
Patrick Martin of Symantec said the sham job pitches were especially effective because Monster users were hoping to hear from strangers.
Material from Reuters was included in this report.
Copyright © 2007 The Seattle Times Company
