was not hacked but data theft was inevitable UserPageVisits:287 active 80 80 DaniWeb 561 60 2007-08-22T19:43:51+00:00 was not hacked but data theft was inevitable


A Symantec Security Response posting suggests that, the huge job hunting website, has been subject to an online attack resulting in the theft of personal data in the form of resumes of its users.

"We analyzed a sample of a new Trojan, called Infostealer.Monstres, which was attempting to access the online recruitment Web site," the posting reveals, continuing "It was also uploading data to a remote server. When we accessed this remote server, we found over 1.6 million entries with personal information belonging to several hundred thousand people."

Further investigation revealed that only connections to the subdomains of and were being made by the Trojan, both subdomains used by employers searching for potential employees at the site. Importantly, this part of the site requires those recruitment personnel to log in if they want to view any information on candidates. No surprise then, to discover that the Infostealer.Monstres Trojan is using a number of recruiter logins to do just that.

Rather than being a security breach in the traditional sense, it would appear therefore that what we have here is actually a fairly sophisticated data harvesting bot in action. Once logged in it searches, using the available tools at, for the resumes of candidates dependent upon location or business sector and parses the output from the matching profile pop-ups.

So why go to all this trouble to harvest information that is, pretty much, in the public domain? We are talking about names, addresses, telephone numbers and, oh yes, email contact details here. The latter gives the biggest clue, as the resulting database is something of a spam outfit treasure chest. Because of the demographically targeted nature of the harvesting, there is much value to be added to the basic spam address list in this case. Symantec reports that it discovered the Trojan can indeed be instructed to send spam using a mail template downloaded from the command and control server.

Infostealer.Monstres shares a main file, ntos.exe, with Trojan.Gpcoder.E which is believed to have been involved in the spamming of related phishing scams. And here lies the real rub of the latest attack, those phishing scams rely upon being as realistic as possible in gaining the confidence of the recipient. Realistic as in containing the type of personal data found in the resumes of the people so targeted perhaps?

Trojan.Gpcoder.E is a nasty piece of work, once installed after the user will encrypt files on the host computer. A text message is then displayed requesting money in order for those files to be unencrypted. Although rare, this type of virtual blackmail is not unknown. The fact that the source code of both Gpcoder and Monstres is so similar would suggest the same criminal outfit is behind the schemes.

The issue that needs to be addressed by, and indeed the people who freely submit so much valuable personal data to such sites, is one of a basic expectation to privacy. This was not a hack, as has been widely reported in the online media, this was just an inevitable exploitation of a business practise that has been begging to be exploited for years. Indeed, who is to say that people have not been harvesting this data for years without being noticed? Were it not for the use of the Trojan in this case, it is doubtful whether the scam would have come to the attention of Symantec or anyone else for that matter.

Of course, while it is perfectly acceptable and indeed ethical to use a disposable email address for your contact point within such an online resume, things start to get a little cloudy if you try and obscure to much other personal information. Employers are not going to continue using a service which only provides them with potential employees who have lied about their name, location, age and credentials after all. It's a tricky one for, but a solution needs to be found if the data harvesting is not to continue.

One thing is for sure, protecting the privacy of your users is not an optional thing, it is essential if you want to continue in business as those users become ever more aware of the risks of allowing such data to be exposed to spammers and scammers as well as potential employers.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, which was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

Would a solution for companies like Monster to have ID numbers shown on line that if a company requests from Monster they can be sent full contact details to an email address.

If they wanted the making of such a request could require the entering of one of those number checks (or even the kittens as mentioned in another entry).

I suspect that will be reconsidering how it handles user privacy issues following the bad press it is getting over this...

Be a part of the DaniWeb community

We're a friendly, industry-focused community of 1.19 million developers, IT pros, digital marketers, and technology enthusiasts learning and sharing knowledge.