[ISN] Identity attack spreads; 1.6M records stolen from Monster.com

From: InfoSec News (alerts@private)
Date: Sun Aug 19 2007 - 22:39:30 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9031418

By Gregg Keizer
August 19, 2007 
Computerworld

The 46,000 people reportedly infected by ads on job sites may be only a 
fraction of the victims of an ambitious, multi-stage attack that's 
stolen data belonging to several hundred thousand people who posted 
resumes on Monster.com, a researcher said this weekend.

According to Symantec Corp. security analyst Amado Hidalgo, a new Trojan 
horse called Infostealer.Monstres by Symantec (and Prg by SecureWorks) 
has stolen more than 1.6 million records belonging to several hundred 
thousand people from the job search service Monster.com. That data is 
then used to target the Monster.com users with credible phishing mail 
that plants more malware on their machines.

"We are investigating the reports related to this Trojan and will take 
any necessary steps indicated by that investigation," Monster.com 
spokesman Steve Sylven said Sunday in an e-mail.

The personal information filched from Monster.com includes names, e-mail 
addresses, home address, phone numbers, and resume ID number, said 
Hidalgo, who traced the data to a remote server used by the attackers to 
store the stolen information. Infostealer.Monstres ripped off 
Monster.com by using legitimate log-ons, likely stolen from recruiters 
and human resource personnel who have access to the "Monster for 
employers" areas of the site. Once inside, the Trojan ran automated 
searches for resumes of candidates located in certain countries or 
working in certain fields. The results were then uploaded to the 
attackers' remote server.

"Such a large database of highly personal information is a spammer's 
dream," said Hidalgo. In fact, that's exactly what the attackers are 
using their newly acquired data for.

"The attackers first gather e-mail address and other personal 
information from resumes posted to Monster.com with 
Infostealer.Monstres," Hidalgo said. "Next, they will try to infect the 
computers of those candidates by sending targeted Monster.com phishing 
mails which install [Banker.c or Gpcoder.e]."

The first piece of malware, dubbed Banker.c by Symantec, is a 
run-of-the-mill information-stealing Trojan that monitors the infected 
PC for log-ons to online banking accounts; when it sniffs a log-on in 
process, Banker.c records the username and password, then transmits the 
data back to hacker HQ.

Gpcoder.e, on the other hand, is "ransomware," the name given to Trojans 
which encrypt files on the hacked computer, then hold those files 
hostage until the user pays a fee to unlock the data.

Although both Banker.c and Gpcoder.e may be distributed in other ways -- 
SecureWorks last week said it had spotted something like the former 
coming from infected ads placed on job search sites -- 
Infostealer.Monstres' built-in mailing code and template lets it send 
messages posing as missives from Monster.com straight to the job site 
users it finds in its automated searches.

Infostealer.Monstres' second-stage attack, which uses Gpcoder, is 
especially insidious. Realistic-looking e-mails that contain convincing 
personal information -- the very information stolen from Monster.com -- 
instruct the recipient to download a program called "Monster Job Seeker 
Tool." There is no tool, of course; victims download the ransomware 
Gpcoder.e instead.

Hidalgo's research led him to conclude that the three pieces of code -- 
Infostealer.Monstres, Banker.c, and Gpcoder.e -- are related, and 
probably the work of a single group.

"While their final purpose is different, their modus operandi is very 
similar, using identical filenames, creating the same system folder, 
injecting code into the same processes, and hooking the same system 
functions using rootkit techniques to gain control of network 
functionalities and to steal sensitive information," said Hidalgo. "They 
share code and a number of traits that could indicate they were 
developed by the same group or perhaps created using a kit."

Monster.com's Sylven defended the service's automated searches and said 
that although the company monitors database activity, stolen credentials 
have been used in the past to access the system. 
Moreover, it's difficult to tell a valid automated search generated by a 
real person from one cranked out by software. "Many of our larger 
customers rely heavily on our database and their use may be similar to 
programmatic or scripted access," said Sylven.

He could not confirm that the stolen accounts had been disabled, 
although Hidalgo noted in a blog posted Friday afternoon that Symantec 
had notified Monster.com of the compromised log-ins. "When unusual 
access is detected, we do terminate that access and investigate if 
possible," Sylven said.

