Online job hunters become the prey
Hundreds of thousands of job seekers are at risk of being ripped off through a sophisticated scheme concocted by Internet criminals who have penetrated the resume database at Monster.com, one of the nation’s largest recruitment websites.
Using e-mail addresses, phone numbers and other personal information harvested from the job-hunting site, the crooks are posing as potential employers or as Monster.com itself in a bid to hustle the victims’ bank account numbers and passwords.
The scheme came to light this week after a major computer security firm, Symantec Corp., reported on its website that it had found a hoard of 1.6 million personal records stolen from Monster.com on a computer in Ukraine.
By Wednesday, Monster.com had posted a warning on its online “security center” that scam artists were sending bogus job offers to its users in an effort to get their bank information.
“We’re certainly going to try to notify all of our customers,” Monster.com Vice President Patrick Manzo said, who added that Monster hadn’t contacted law enforcement. No arrests have been made and are rare in online break-ins originating overseas.
The security breach is notable because of its complexity and its large size. Average computer users have grown accustomed to ignoring fraudulent come-ons for their bank information that purport to be from the likes of PayPal or CitiBank. But the Monster.com scheme is more convincing because the e-mails sent by the scam artists include personal information about victims’ lives such as their cellphone numbers and street addresses.
“They are just trying to make it more legitimate by adding some secret information that they’ve stolen,” said Patrick Martin, a senior product manager at Symantec. “We haven’t seen too many like this.”
Martin said the job pitches sent by scam artists were especially effective because Monster.com users were hoping to hear from strangers.
In interviews, Monster.com executives did not dispute Symantec’s analysis of the multi-stage fraud operation.
Neither Symantec nor Monster.com would release the names of any victims, though Symantec estimated that the cache of records covered several hundred thousand people.
The criminal ring obtained passwords used by employers to scan Monster when looking to fill positions. Those passwords led them to records that included names, e-mail addresses and phone numbers of prospective employees.
At least three types of follow-up e-mails were sent to the job seekers, according to researchers at Symantec. One of the e-mails purports to come from an employer looking to fill a job facilitating money transfers and asks applicants to supply their own bank account information. Symantec said accounts would almost certainly be drained.
Two other e-mails appear to come from Monster.com itself and ask recipients to download an automated Monster Job Seeker Tool. Clicking on that link can download a program known as a keylogger into a victim’s computer, giving the con artists access to financial account numbers and passwords. It can also download what’s known as ransomware -- a program that encrypts the user’s files and allows renewed access only for a fee.
Users of Monster.com can fill out electronic forms provided by the site or post completed resumes. Using the second method, some job seekers can include Social Security numbers, although Monster.com recommends against doing so. Manzo said it was possible that some of those crucial identifiers had been spirited away by the Internet thieves.
The initial attack echoes the debacle exposed two years ago at ChoicePoint Inc., the massive data broker spun off from one of the major credit bureaus. In that case, a Nigerian crook used a phony business to get information on 145,000 people, some of whom became victims of identity theft. Monster.com, likewise, missed the abuse of its system, perhaps in part because the site requires only a user name and password to log in. Manzo said Monster.com would soon demand more authentication from corporate users.
The follow-on scams aimed at individuals, on the other hand, exemplify a trend toward sophistication that has also targeted users of smaller websites and even employees of a single company. A number of cases investigated by Secure Computing Corp. of San Jose, a tech security firm, are similar to the Monster.com scam, if smaller.
In those incidents, online retailers, including some specializing in electronic goods, had their customer databases breached over the Internet, said Dmitri Alperovitch, principal research scientist at Secure Computing.
Instead of simply maxing out the customers’ credit cards, he said, the crooks posed as the online retailers and were able to swindle the victims more than once.
In another technique, scam artists target only one company at a time. That makes it easier for them to pose as a colleague or customer and lets them dodge corporate filters that weed out malicious programs that have been widely deployed and discovered by security firms.
Some of those e-mails duped hundreds of senior executives at big companies this summer into installing keyloggers disguised as consumer complaints forwarded by the Better Business Bureau. The con artists picked managers with the authority to handle such complaints, who were also likely to have useful information on their computers, according to researchers at SecureWorks Inc.
Although multiple malicious programs are in use against Monster.com and its clients, Symantec said they all appeared to be written by the same band of thieves.
That isn’t always the case, Alperovitch said. For years, groups have been buying and selling hundreds of thousands of credit card numbers at a time on underground websites.
Now, whole databases can change hands -- a given company’s list of customer names and their addresses, for example.
“Because of all the information these criminals have been able to collect over time, with Google searches, blogs and other systems, they’re essentially able to reproduce their own versions of ChoicePoint,” Alperovitch said. “You can create a database for a particular name from stolen and public sources and use that information for targeted attacks.”
--
--
(BEGIN TEXT OF INFOBOX)
Keeping online thieves at bay
Tips for avoiding scam job offers and the surreptitious downloading of malicious software:
Don’t include Social Security numbers in resumes or give them to prospective employers before accepting a job offer. Make sure the offer is from a legitimate company.
When submitting sensitive information online, consider using an e-mail address set up just for that purpose. That will make it harder for the ill-intentioned to assemble a dossier on you.
Use just a first initial and last name or, even better, post a resume “privately,” which lets you control who sees your contact information.
Just because e-mail correspondents know something about you, don’t assume you know anything about them.
Read the warnings on some of the larger job sites, which flag frequent scam offers, including those for money-transfer jobs, reshipping tasks and anything that requires information on your financial accounts.
Don’t click on links sent in e-mails: they can obscure a site’s true identity. If need be, retype the Web address in your browser.
Don’t download any program unless you are absolutely certain what it is.
As always, use a firewall, a good spyware program, and an antivirus service and operating system that both update automatically.
Source: Times research, World Privacy Forum
