Wednesday, September 5, 2007


Monstrous!
Online job-hunters turned into prey
Joseph Menn

Hundreds of thousands of job-seekers are at a risk of being ripped off through a sophisticated scheme concocted by Internet criminals who have penetrated the resume database at Monster.com.

Using e-mail addresses, phone numbers and other personal information harvested from the job-hunting website, the crooks are posing as potential employers or as Monster.com itself in a bid to hustle the victims' bank account numbers and passwords.

The scheme came to light last week after a major computer security firm, Symantec Corp., reported on its website that it had found a hoard of 1.6 million personal records stolen from Monster.com on a computer in the Ukraine.

By Wednesday, Monster.com had posted a warning on its online "security center" that scam artists were sending bogus job offers to its customers in an effort to get their bank account information.

"We're certainly going to try to notify all of our customers," says Monster.com Vice-President Patrick Manzo. He says Monster hadn't contacted law enforcement, while Symantec wouldn't say one way or the other. Arrests in online break-ins, especially those with an overseas connection, are extremely rare.

The company did not say that its database had been breached, but in interviews, top Monster.com executives did not dispute Symantec's analysis of the multi-stage fraud operation.

Neither Symantec nor Monster.com would release the names of any victims, though Symantec estimated that the cache of records covered several hundred thousand people. Monster.com is among the largest job-seeking websites.

The security breach is notable because of its complexity and its large size. Average computer users have grown accustomed to ignoring fraudulent come-ons for their bank accounts that purport to be from the likes of PayPal or CitiBank. But the Monster.com scheme is more convincing because the e-mails sent by the scamsters include personal information about victims' lives such as their cell phone numbers and street addresses.

"They are just trying to make it more legitimate by adding some secret information that they've stolen," says Patrick Martin, a senior product manager at Symantec. "We haven't seen too many like this."

Martin says the job pitches sent by scamsters were especially effective because Monster.com users were hoping to hear from strangers. At Monster, the criminal ring obtained passwords used by employers to scan Monster when looking to fill positions. Those passwords led them to records that included names, e-mail addresses and phone numbers.

At least three types of follow-up e-mails were sent by the crooks to the job-seekers, according to researchers at Symantec. One of the e-mails purports to come from a prospective employer looking to fill a job facilitating money transfers and asks applicants to supply their own bank account information. Symantec said accounts would almost certainly be drained as a result of such disclosures.

Two others appear to come from Monster.com itself and ask the recipients to download an automated "Monster Job Seeker Tool." Clicking on that link can download a program known as a keylogger onto a victim's computer, giving the con artist access to financial account numbers and passwords. Some state laws require companies such as Monster.com to issue personal warnings to customers if sensitive information is at risk, but "sensitive" can be defined to comprise little beyond social security and account numbers.

Users of Monster.com can fill out electronic forms provided by the site or post completed resumes. Using the second method, some job-seekers can include social security numbers, although Monster.com recommends against it. Manzo said it was possible some of those crucial identifiers had been spirited away by the Internet thieves.

The initial attack echoes the debacle exposed two years ago at ChoicePoint Inc., the massive data broker spun off from one of the major credit bureaus. In that case, a Nigerian crook used an imaginary business to get information on 145,000 people, some of whom became victims of identity theft. Even though the Monster.com attack was conducted by computer programs, that company likewise missed the abuse of its system, which requires only a user name and password to log in. Manzo said Monster.com would soon require more authentication for corporate users.
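The harvesting described above ran through legitimate employer logins and went unnoticed. One defender-side check for that pattern, as an added example that is not code from Monster.com or Symantec, assuming a hypothetical access log format (time, employer account, candidate record viewed) with constructed sample lines:

```python
"""Flag recruiter accounts whose record access looks scripted.

Added example, not code from Monster.com or Symantec. It assumes a
hypothetical access log where each line records the time, the employer
account, and the candidate record viewed, and flags accounts whose viewing
rate or breadth within a minute looks like a program, not a recruiter.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical format: ISO time, account, candidate id)
SAMPLE_LOG = """\
2007-08-20T09:00:01 acme_hr cand-1001
2007-08-20T09:04:12 acme_hr cand-1002
2007-08-20T09:15:40 acme_hr cand-1001
2007-08-20T09:00:00 fastjobs cand-2001
2007-08-20T09:00:01 fastjobs cand-2002
2007-08-20T09:00:02 fastjobs cand-2003
2007-08-20T09:00:03 fastjobs cand-2004
2007-08-20T09:00:04 fastjobs cand-2005
2007-08-20T09:00:05 fastjobs cand-2006
"""

def parse_log(text):
    """Yield (timestamp, account, candidate_id) tuples from the constructed log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, cand = line.split()
        yield datetime.fromisoformat(ts), account, cand

def flag_harvesters(text, max_per_minute=5, min_distinct=5):
    """Return {account: (minute, views, distinct_candidates)} for suspicious accounts.

    An account is flagged when, within any single minute, it opened more than
    max_per_minute records or touched at least min_distinct different candidates.
    Thresholds are illustrative assumptions, not tuned values.
    """
    per_minute = defaultdict(lambda: defaultdict(list))
    for ts, account, cand in parse_log(text):
        per_minute[account][ts.replace(second=0, microsecond=0)].append(cand)
    flagged = {}
    for account, minutes in per_minute.items():
        for minute, cands in minutes.items():
            if len(cands) > max_per_minute or len(set(cands)) >= min_distinct:
                flagged[account] = (minute.isoformat(), len(cands), len(set(cands)))
                break
    return flagged
```

A real deployment would compare each account against its own historical baseline rather than fixed thresholds, and would feed flagged accounts into the stronger authentication step the company says it is adding.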

The follow-on scams aimed at individuals, on the other hand, exemplify a trend toward sophistication that has also targeted users of smaller Web sites and even employees of a single company, instead of anyone who might have a PayPal account or Bank of America credit card.

That helps the bad guys get past both automated filters and the suspicions of the average computer user.

A number of cases investigated by Secure Computing Corp. of San Jose, Calif., are similar to the Monster.com scam, if smaller.

In those incidents, smaller online retailers, including some specialising in electronic goods, had their customer databases cracked over the Internet, said Secure Computing Principal Research Scientist Dmitri Alperovitch.

Instead of simply maxing out the customers' credit cards, he says, the crooks posed as the online retailers and were able to swindle the victims more than once.

In another technique, scam artists target only one company at a time. That makes it easier to include authentic-seeming material, and it lets them dodge corporate filters that weed out programs that have been widely deployed and discovered by security firms.

Some of those e-mails duped hundreds of senior executives at big companies into installing keyloggers earlier this summer by posing as a consumer complaint forwarded by the Better Business Bureau. The con artists picked managers with the authority to handle such complaints, who were also likely to have useful information on their computers, according to researchers at SecureWorks Inc.

While multiple malicious programs are in use against Monster.com and its clients, Symantec said they all appeared to be written by the same band of thieves.

That isn't always the case, Alperovitch says. For years, groups have been buying and selling hundreds of thousands of credit card numbers at a time on underground Web sites.

Now, whole databases can change hands -- a given company's customer names and their addresses, for example.

"Because of all the information these criminals have been able to collect over time, with Google searches, blogs, and other systems, they're essentially able to reproduce their own versions of ChoicePoint," Alperovitch says. "You can create a database for a particular name from stolen and public sources and use that information for targeted attacks."

LA Times-Washington Post