Phishing Attack Plunders Job Site
BOSTON - A recently disclosed fraud involving hundreds of
thousands of people on the Monster.com jobs Web site reveals the
perils of leaving detailed personal information online, security
analysts say.
Before the scheme was uncovered last week by researchers at
Symantec Corp., con artists had filched legitimate user names
and passwords from recruiters who search for job candidates on
Monster. Then with access into the Monster system, the hackers
grabbed resumes and used information on those documents to craft
personalized "phishing" e-mails to job seekers.
"What phishers are trying to do these days is make them as
realistic as possible, by adding specific information," said
Patrick Martin, a Symantec product manager. "If they know you've
submitted a resume to Monster, that makes it (seem) a little
more legitimate."
If the recipients took the bait, they had spyware or other
malicious programs secretly installed on their computers. But
even if the phishing attempt wasn't successful, the names,
addresses and other details on the resumes can themselves be
lucrative.
A server in the Ukraine used in the scheme held 1.6 million
entries. Because of duplications, Symantec said those files
actually held personal information for "several hundred
thousand" job seekers. Another antivirus firm, Authentium Inc.,
said it parsed the same data and counted 1.2 million people.
Symantec said it relayed details to Monster.com so it could
disable the compromised recruiter accounts. But the security
company also advised Web users to limit their exposure to such
frauds by reducing the amount of personal information they post
on the Internet.
That advice was echoed in other corners. Ron O'Brien, senior
security analyst for Sophos PLC, suggested that job seekers
provide only minimal details about themselves on job sites, and
then reveal deeper information only for queries that prove to be
legitimate.
The same standards should apply on social networking sites such
as Facebook that ask for a wealth of information, O'Brien said.
"With very little effort, I could put together a profile of you
that includes such information as your home address, your home
phone number, your e-mail address, your birthday," O'Brien said.
"We need to kind of take a step back and decide whether it's
really required for us to provide all the information requested
of us. ... We have become a nation of people who want to be
cooperative."
Other security specialists said Monster might share the blame if
it doesn't ensure that people with access to its system use
"strong" passwords that are frequently changed or hard to guess.
"They have a major responsibility when they have this
information," said Laura Yecies, a vice president of Check Point
Software Technologies Ltd.
Representatives for Monster Worldwide Inc., the New York-based
parent company of the jobs site, did not return messages seeking
comment.
On its Web site, the company advises its members to be extremely
cautious about e-mails purporting to be from recruiters, advice
that goes for all unsolicited messages.
To spot phishing attempts, look for misspellings or grammatical
mistakes in the messages. Even if an e-mail passes that smell
test, don't click on links in the e-mail or fill out forms
asking for information. And if the message offers a deal that is
too good to be true, such as easy money, it probably is.
--By BRIAN BERGSTEIN,
AP Technology Writer
Wed Aug 22, 4:59 PM ET