A security firm analyzed a sample of a new Trojan, called Infostealer.Monstres, which was attempting to access the online recruitment Web site Monster.com and was also uploading data to a remote server. When they accessed that remote server, they found over 1.6 million entries with personal information belonging to several hundred thousand people. It is very surprising that such a low-profile Trojan could have affected so many people.
Interestingly, connections were being made only to the hiring.monster.com and recruiter.monster.com subdomains. These subdomains belong to the "Monster for employers" site, the section used by recruiters and human resources personnel to search for potential candidates, post jobs to Monster, and so on. This site requires recruiters to log in before they can view information on candidates.
Further investigation showed that the Trojan uses the credentials of a number of recruiters to log in to the Web site and perform searches for resumes of candidates located in certain countries or working in certain fields. It sends HTTP requests to the Monster.com Web site to navigate to the Managed Folders section, then parses the output of a pop-up window containing the profiles of the candidates that match the recruiter's saved searches.
The personal details of those candidates, such as name, surname, email address, country, home address, work/mobile/home phone numbers and resume ID, are then uploaded to a remote server under the control of the attackers.
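The access pattern described above, a single recruiter login driven by a program that pulls candidate profiles one after another, is visible to the site operator in ordinary access logs. The following is an added example, not code from the security firm, from Monster.com, or from the Trojan analysis; the log line format, the `/managed-folders/candidate` path, the account names and the thresholds are assumptions made for illustration. It flags accounts whose profile views are either too many per window or too evenly spaced to be a person clicking.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "timestamp account client_ip method path").
# "recruiter.alice" browses a few profiles by hand; "recruiter.bob" is an account
# whose credentials are being driven by a script, one profile every two seconds.
SAMPLE_LOG = (
    "2007-08-17T09:00:00 recruiter.alice 198.51.100.7 GET /managed-folders/candidate?id=1001\n"
    "2007-08-17T09:03:12 recruiter.alice 198.51.100.7 GET /managed-folders/candidate?id=1002\n"
    "2007-08-17T09:15:40 recruiter.alice 198.51.100.7 GET /managed-folders/search?q=java\n"
    "2007-08-17T09:15:55 recruiter.alice 198.51.100.7 GET /managed-folders/candidate?id=1003\n"
) + "".join(
    f"2007-08-17T09:{s // 60:02d}:{s % 60:02d} recruiter.bob 203.0.113.5 "
    f"GET /managed-folders/candidate?id={2000 + s}\n"
    for s in range(0, 600, 2)
)

PROFILE_PREFIX = "/managed-folders/candidate"  # assumed path of a candidate-profile view


def parse_line(line):
    """Split one log line into (timestamp, account, client_ip, path)."""
    ts, account, ip, _method, path = line.split()
    return datetime.fromisoformat(ts), account, ip, path


def profile_views(log_text):
    """Collect, per recruiter account, the sorted timestamps of profile views only."""
    views = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, _ip, path = parse_line(line)
        if path.startswith(PROFILE_PREFIX):
            views[account].append(ts)
    for stamps in views.values():
        stamps.sort()
    return views


def peak_views(timestamps, window):
    """Largest number of views falling inside any interval of length `window`."""
    peak = start = 0
    for end in range(len(timestamps)):
        while timestamps[end] - timestamps[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def median_gap_seconds(timestamps):
    """Median spacing between consecutive views; scripted access is short and regular."""
    if len(timestamps) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    return statistics.median(gaps)


def flag_scripted_accounts(log_text, window=timedelta(minutes=10), max_views=50, min_gap=5.0):
    """Return {account: {"peak_views": n, "median_gap_s": g}} for accounts exceeding
    `max_views` profile views in any `window`, or whose median gap is under `min_gap` s."""
    findings = {}
    for account, stamps in profile_views(log_text).items():
        peak = peak_views(stamps, window)
        gap = median_gap_seconds(stamps)
        if peak > max_views or (gap is not None and gap < min_gap):
            findings[account] = {"peak_views": peak, "median_gap_s": gap}
    return findings


if __name__ == "__main__":
    for account, info in flag_scripted_accounts(SAMPLE_LOG).items():
        print(f"{account}: {info['peak_views']} profile views in 10 min, "
              f"median gap {info['median_gap_s']} s")
```

The thresholds have to be tuned against how real recruiters work the site, and a stolen credential used at human pace would slip under both checks, so this belongs beside per-account quotas on profile views and alerts on logins from unfamiliar addresses rather than in place of them.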
This remote server held over 1.6 million entries with personal information belonging to several hundred thousand candidates who had posted their resumes to the Monster.com Web site.