Monster.com Attacked, User Data Stolen

Placid writes "The BBC has an article detailing a successful attack on the US recruitment site, Monster.com. According to the article, 'A computer program was used to access the employers' section of the website using stolen log-in credentials' and that the stolen details were 'uploaded to a remote web server'. Apparently, this remote server 'held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website'. The article also links the break-in to a phishing e-mail sent out recently where personal details were used to entice users to download a 'Monster Job Seeker Tool.'"

  • 4,3,2... (Score:3, Interesting)

    by timmarhy ( 659436 ) on Wednesday August 22, 2007 @01:38AM (#20314831)
    I smell a lawsuit.
  • So to summarize... (Score:3, Interesting)

    by saikou ( 211301 ) on Wednesday August 22, 2007 @02:32AM (#20315125) Homepage
    While the fact that employer's Monster account(s) were stolen/cracked/pilfered is sad, the article says that the trojan was essentially storing search results.
    That information is available anyway, as people with resumes in open access do want to be contacted, so they publish the email/phone/name etc., and anyone with a screen scraper can amass this pile of "personal data". There is no indication that the job seekers' database was stolen.

    As for phishers, I had a run-in with one company claiming to "hire for Google" and demanding my SSN so they could "put my data into candidate database at Google, that absolutely demands SSN as unique ID".
    That was several months ago.
  • by Anonymous Coward on Wednesday August 22, 2007 @02:34AM (#20315133)
    I sure didn't rub my elbows with the "Donald Trump" of IT at my place of work. I just knew someone who recommended me, and I was able to take it from there with my ability. I probably wouldn't have this job but for that person (I wouldn't have even known about the opening).

    Unfortunately, Monster and Dice are indeed "cattle calls." More than once I've caught a Monster or Dice recruiter using my resume to try to land a government contract. Then, once getting said contract, that same recruiter fills that same position with one of his or her buddies. Without going into detail, I set up a couple of situations in which I confirmed that this was happening. Unfortunately, to my knowledge, there isn't a law against it (IANAL).

    So, the *idea* of Monster and Dice is good. Unfortunately, the real-life *implementation* isn't that good. Furthermore, you risk your information getting stolen, as this incident has shown. You're better off using the newspaper. I always had much better success with the newspaper than those two online cattle-call sites.
  • by uptownguy ( 215934 ) <UptownGuyEmail@gmail.com> on Wednesday August 22, 2007 @02:37AM (#20315145)
    Monster and Dice are just meat markets. Relatively few people actually get jobs there.

    Craigslist all the way. I am operations manager for a small IT firm and we've hired our last ten people from Craigslist. The response rate is fantastic. In most major markets, posting an ad is still free (for now). I keep getting calls from a rep. at Monster every three to six months asking me to pay $300-$400 PER LISTING at Monster. I let them know that I am perfectly happy with the quality, quantity and cost of Craigslist. There's a long pause and then they say maybe they'll give me a call in three to six months to check up on me. It's a little silly and arrogant to think that everyone will be able to get a job through personal connections. But Monster and Dice are so 1999. Craigslist is where the real action is.

    Hint to other employers out there: I've found that the quality of candidates who respond to postings is directly proportional to the quality of the ad that you post. Put some thought into what you write. (Note: The same holds true for Slashdot.)
  • by Anonymous Coward on Wednesday August 22, 2007 @02:58AM (#20315257)
    Craigslist is horrible! If I wanted to be scammed, or give details to someone so they can possibly try identity theft hijinks, or just know where I live so they can kick down my door for a home invasion robbery, I'd use them.

    I have had zero luck with Craigslist even for buying and selling. When selling, people demand that I accept their temporary checks, and won't pay otherwise, so I tell them to find another victim. When buying, I ask for some proof the item wasn't stolen, or at least show me that the item doesn't have major damage around the Kensington lock slot, and people fail on both these counts.

    It's not Craigslist's fault in any way, it's just that the site is a criminal's paradise.
  • by janrinok ( 846318 ) on Wednesday August 22, 2007 @03:10AM (#20315325)
    I don't agree. If you RTFA, you will see the system was penetrated by using valid UIDs and passwords, which had been previously gathered using a phishing attack. Any system is vulnerable to such an attack and you can hardly line up all sysadmins and have them shot - despite any justification that the odd one might actually deserve it. But I am surprised by the number of techies that fell for the phishing attack in the first instance.
  • by Wee ( 17189 ) on Wednesday August 22, 2007 @03:12AM (#20315333)
    Heh, heh. I thought the same thing. Monster emails are almost entirely spam anyways. I mean, they may have been relevant a few years ago (that's being charitable) but I've never had anything but crap from them.

    Nice bonus is trying to find a link on their website where you can contact a real human. Or contact anyone. They seem to assume that anyone who wishes to contact them is either a job seeker or job poster. I don't think this is an oversight. I do think the staff at monster.com don't want to be conversed with in any way. Slimy.

    I removed my "profile" years ago, but somehow they still persist in contacting me. Obviously, it's a one-way thing; I couldn't possibly email a real human there. Because if they *really* wanted to talk to me, I'd ask them to remove all my info and leave me the fuck alone.

    -B

  • by JonTurner ( 178845 ) on Wednesday August 22, 2007 @03:50AM (#20315503) Journal
    Upon reflection, I agree with you. It's not the admin's fault -- once it was in the admin's domain, it was already too late. IMO, this breach happened due to a design shortcoming, not a programming error. Let me explain: Any serious company with an internet presence should be asking "When a loss of an external user account/password occurs, what's the maximum damage that can occur? What can we do to minimize the impact?" Frankly, there is no reason at all that one user account (or even dozens) should be able to download 1.6 MILLION (!!) resumes. That's an incredible number!

    I'm shocked to think Monster doesn't have a limit on the # of resumes an account is able to d/l per some time period (week/month/quarter). I don't know what that number is, but I'm thinking closer to "100" than "1.6 million". And didn't they run some cumulative activity reports once in a while to learn which accounts are the most active? And to what IPs the requests are being served? At the least, you'll know who your biggest customers are (or at least the ones who are taxing your servers) and where the data is going. At best, you'll spot problems like this breach as it is happening and stop it.

    So if someone must be sacrificed, line up the data security officers and a project manager or two. It's their job to be asking these questions and ensure they are compliant.

    Then again, hindsight is 20/20. Maybe the best thing that occurs from all this is we, on the sidelines, learn from their mistakes.
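    The per-account download limit and activity reporting JonTurner describes, as an added example that is not code from this thread or from Monster.com: a sliding-window check over a constructed employer-portal access log that flags any account exceeding a per-hour resume-download limit, plus a cumulative report of each account's volume and client IPs. The log format, threshold, account names and IP addresses are all assumed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed employer-portal access log: '<iso time> <account> <client ip> <resume id>'."""
    base = datetime(2007, 8, 20, 9, 0, 0)
    lines = []
    # A legitimate recruiter reads a handful of resumes over the morning.
    for i in range(8):
        ts = (base + timedelta(minutes=15 * i)).isoformat()
        lines.append(f"{ts} acme_hr 203.0.113.10 r{1000 + i}")
    # A script on a stolen login pulls 300 resumes in ten minutes from one IP.
    for i in range(300):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} bigcorp_recruiter 198.51.100.7 r{5000 + i}")
    return lines

def parse_events(lines):
    events = []
    for line in lines:
        ts, account, ip, resume_id = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, resume_id))
    events.sort(key=lambda e: e[0])   # time order is required by the sliding window
    return events

def detect_bulk_downloads(lines, limit=100, window=timedelta(hours=1)):
    """Flag accounts whose downloads in any sliding `window` exceed `limit`.
    Returns {account: (peak count within one window, sorted client IPs)}."""
    recent = defaultdict(deque)   # account -> timestamps inside the current window
    ips = defaultdict(set)
    peak = {}
    for ts, account, ip, _ in parse_events(lines):
        q = recent[account]
        q.append(ts)
        ips[account].add(ip)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit:
            peak[account] = max(peak.get(account, 0), len(q))
    return {a: (n, sorted(ips[a])) for a, n in peak.items()}

def activity_report(lines):
    """Cumulative per-account volume and destination IPs, busiest account first."""
    count = defaultdict(int)
    ips = defaultdict(set)
    for _, account, ip, _ in parse_events(lines):
        count[account] += 1
        ips[account].add(ip)
    return sorted(((a, count[a], sorted(ips[a])) for a in count), key=lambda r: -r[1])
```

    Running `detect_bulk_downloads(build_sample_log())` flags only the scripted account, while `activity_report` lists both accounts with their totals and client IPs.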
  • by MoreCoffee ( 1146049 ) on Wednesday August 22, 2007 @05:41AM (#20315919)
    The Dutch bank was attacked by the 'man in the browser' type of trojan, which cached the output from the challenge-response between user and bank. This bank by default performs two challenge-response sequences:
    1) when logging in
    2) when confirming a transaction
    A third is performed when transferring large amounts of money.

    Apparently, the trojan told the customer the first attempt had failed (while in the background preparing a transaction, which could be verified by the bank because the client was so kind as to re-authenticate, this time to the transaction challenge, while still thinking it was the login challenge).

    Here's the story (in Dutch, hurrah)
    http://tweakers.net/nieuws/48895/Virus-ontfutselt-geld-van-klanten-ABN-Amro-update.html [tweakers.net]

    /steven
  • by shadowspar ( 59136 ) on Wednesday August 22, 2007 @07:00AM (#20316245) Homepage
    Nothing. Absolutely nothing.

    The story's all over the media and the internet, Symantec has a blog post [symantec.com] and a virus writeup [symantec.com], and what's on the front page of Monster? Not a damn thing. No "your personal info may have been stolen", "hey, yeah, that data breach thing, we're looking into it", no acknowledgement of any kind. Their press page [monsterworldwide.com] contains bulletins about the Monster Employment Index and their top ten workplace etiquette tips. Looks like we're going to see another good example of how not to handle negative press related to a security issue.

  • by Harlockjds ( 463986 ) on Wednesday August 22, 2007 @08:36AM (#20316845)
    Didn't Monster just fire a lot of people? I'm guessing they let someone go who had access rights that weren't revoked (or happened to know the login info of someone who wasn't fired) and that person decided to 'get back'.
  • by drewzhrodague ( 606182 ) <.drew. .at. .zhrodague.net.> on Wednesday August 22, 2007 @10:11AM (#20317917) Homepage Journal
    I thought the same thing. Monster emails are almost entirely spam anyways. I mean, they may have been relevant a few years ago (that's being charitable) but I've never had anything but crap from them.

    Seconded. Monster is an advertising vehicle, not a job board -- not anymore, at least. I've been trolling Monster for about 7 years now, and while I have had many, many interviews, I have received about 10,000 spam messages from recruiters from all over the world. I do UNIX systems administration.

    Here's a fun trick, which I recommend for those trolling for recruiters:

    [] Sign up with El Jobboard
    [] Include superfluous keywords. I have a big block of text at the bottom with a ton of UNIX and systems keywords.
    [] Update your resume every Monday or Tuesday. Insert a space. Remove a word. Anything to get your resume 'updated'.
    [] Do the same with the other job boards, once a week.

    You'll receive tons of email from various recruiters offering you jobs from anywhere and everywhere. Most of them are bunk, which I discuss at one of my projects (shameless plug) Recruiter-Rater [zhrodague.net]. I get offers from modeling agencies, insurance sales, and other completely unrelated stuff. I passively milk the jobboards for new recruiters to post about, as do a few of our other regular users.

    Otherwise, Craigslist is the way to go, if you are *actually* looking for work.
  • Re:Phishing Attack (Score:4, Interesting)

    by RESPAWN ( 153636 ) <respawn_76&hotmail,com> on Wednesday August 22, 2007 @10:39AM (#20318245) Journal
    I've literally had a recruiter forward me a resume one time for a candidate who didn't even know what company he was interviewing for. I've been forwarded resumes that looked like they were typed by a 5-year-old. I've been sent resumes for candidates who have no technical experience at all. Period. I look at HR as nothing but a block to the actual hiring process. I'd rather they let me go to Monster.com and look at resumes than have somebody without technical skills do it for me.

    That said, I did have one IT outsourcing company that found my resume on Monster.com and when they called me, they wanted a social security number as part of their pre-interview screening process. When I refused, they claimed that it was necessary to save time by performing a background check before they potentially wasted their time on a candidate who wasn't able to pass a background check. I basically told them that they were idiots and that if they were legitimate, the only candidates they'd get with that policy are also idiots who had no business maintaining computer systems. Especially if the systems are considered sensitive enough to warrant a background check. The best part was that they had the gall to call me back and try to get my social one more time after that conversation.
