Monster.com Attacked, User Data Stolen 196
Placid writes "The BBC has an article detailing a successful attack on the US recruitment site, Monster.com. According to the article, 'A computer program was used to access the employers' section of the website using stolen log-in credentials' and that the stolen details were 'uploaded to a remote web server'. Apparently, this remote server 'held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website'. The article also links the break-in to a phishing e-mail sent out recently where personal details were used to entice users to download a 'Monster Job Seeker Tool.'"
4,3,2... (Score:3, Interesting)
Tomorrow's Ad today (Score:5, Funny)
New sysadmin. Must have experience in data security. Submit resume to adminjob@monster.com
Re:Tomorrow's Ad today (Score:4, Funny)
Re: (Score:2)
Re: (Score:2)
Re:Tomorrow's Ad today (Score:5, Funny)
Re:Tomorrow's Ad today (Score:5, Interesting)
Blame the data security officers & project mgr (Score:5, Interesting)
I'm shocked to think Monster doesn't have a limit on the # of resumes an account is able to d/l per some time period (week/month/quarter). I don't know what that number is, but I'm thinking closer to "100" than "1.6 million". And didn't they run some cumulative activity reports once in a while to learn which accounts are the most active? And to what IPs the requests are being served? At the least, you'll know who your biggest customers are (or at least the ones who are taxing your servers) and where the data is going. At best, you'll spot problems like this breach as it is happening and stop it.
So if someone must be sacrificed, line up the data security officers and a project manager or two. It's their job to be asking these questions and ensure they are compliant.
Then again, hindsight is 20/20. Maybe the best thing that occurs from all this is we, on the sidelines, learn from their mistakes.
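The per-account download cap and the periodic activity report the comment above describes, as an added example that is not part of the original post and not Monster's own code. It runs over a constructed employer-side download log (timestamps, account names, IPs and record ids are all made up) and flags any account whose downloads in a sliding one-hour window exceed a configurable limit, reporting which source IPs the requests came from; the window and limit values are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Monster data). One event per line:
# <ISO timestamp> <employer account> <source IP> <candidate record id>
NORMAL_EVENTS = """\
2007-08-17T09:00:01 acme_hr 203.0.113.10 r1001
2007-08-17T11:30:12 acme_hr 203.0.113.10 r1002
2007-08-17T16:07:45 acme_hr 203.0.113.11 r1003
2007-08-17T10:15:00 bigcorp_recruit 198.51.100.7 r2001
2007-08-17T10:20:00 bigcorp_recruit 198.51.100.7 r2002
"""


def synthetic_bulk_events(account, ips, start, count, spacing):
    """Build `count` evenly spaced download lines for one account, cycling
    through `ips`. Only used to construct the sample of a scraping session."""
    lines = []
    for i in range(count):
        ts = start + spacing * i
        lines.append(f"{ts.isoformat()} {account} {ips[i % len(ips)]} r{9000 + i}")
    return "\n".join(lines) + "\n"


# Hypothetical compromised account: 240 downloads, one every 10 seconds, from two IPs.
SAMPLE_LOG = NORMAL_EVENTS + synthetic_bulk_events(
    "stolen_creds_acct", ["192.0.2.44", "192.0.2.45"],
    datetime(2007, 8, 17, 2, 0, 0), 240, timedelta(seconds=10))


def parse_events(text):
    """Parse the whitespace-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts),
                       "account": account, "ip": ip, "record": record})
    return events


def max_in_window(times, window):
    """Largest number of events falling inside any window of length `window`
    (two-pointer sweep over the sorted timestamps)."""
    times = sorted(times)
    best = 0
    j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def activity_report(events):
    """Cumulative per-account report: total downloads and downloads per source IP."""
    report = defaultdict(lambda: {"downloads": 0, "ips": Counter(), "times": []})
    for e in events:
        r = report[e["account"]]
        r["downloads"] += 1
        r["ips"][e["ip"]] += 1
        r["times"].append(e["ts"])
    return report


def flag_accounts(events, window=timedelta(hours=1), limit=100):
    """Return accounts whose peak download count in any `window` exceeds `limit`,
    with the IPs that issued the requests. Window and limit are illustrative."""
    flagged = {}
    for account, r in activity_report(events).items():
        peak = max_in_window(r["times"], window)
        if peak > limit:
            flagged[account] = {"peak_in_window": peak, "ips": dict(r["ips"])}
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for account, r in sorted(activity_report(evs).items()):
        print(f"{account:20s} downloads={r['downloads']:4d} ips={dict(r['ips'])}")
    for account, info in flag_accounts(evs).items():
        print(f"FLAG {account}: {info['peak_in_window']} downloads in one hour from {info['ips']}")
```

The sliding-window count is what turns a quarterly "top accounts" report into something that fires while a scrape is in progress; the per-IP breakdown is the second signal the comment asks for, so an account served to addresses it has never used before stands out even when it stays under the volume limit.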
Re: (Score:3, Insightful)
Re: (Score:2)
The sort of anti-spider technology you describe was in place years ago and likely still is; think of the trade value of Monster's data. Now, instead of the traditional overly active account from an identifiable netblock imagine someone using their own zombie network to scrape a single resume/job/data an hour from across a few thousand machines. Wild speculation on my behalf but it's easy to fly under the radar if you try. (Th
Re:Blame the data security officers & project (Score:4, Funny)
I'd love to, but then I'd actually have to RTFA, and I don't have time today. I have to get a copy of my birth certificate and a visa, so I can help out my new Nigerian friend with a lucrative situation.
Re: (Score:2)
Re: (Score:2)
It sounds like it was done via employer accounts, which I would typically think falls to the HR department in a company.
Re: (Score:2)
But I am surprised by the number of techies that fell for the phishing attack in the first instance.
Was it the techies or the hiring managers, though?
It seems like the average HR department at a software firm with a C# vacancy would rather hire some guy a couple of years out of college with a bit of C# experience and an MCSD certificate than an experienced pro with a track record of shipping working software using half a dozen different languages including Java and C++. The same sort of firm probably wouldn't hire a DBA with a decade of experience using Oracle, SQL Server, PostgreSQL, Perl and Python
Monster attack steals user data (Score:5, Insightful)
Re: (Score:2)
I saw that BBC headline, but I didn't read the article because it sounded like a joke story... it's clever, but didn't do its job (make me read the story).
nah (Score:2)
Re:Monster attack steals user data (Score:5, Insightful)
Re: (Score:2)
Phishing Attack (Score:4, Funny)
Re:Phishing Attack (Score:5, Funny)
Re:Phishing Attack (Score:5, Insightful)
remember, these are the type of people who were putting "5 years experience required in windows 2003 admin" in 2005.
Re:Phishing Attack (Score:4, Funny)
remember, these are the type of people who were putting "5 years experience required in windows 2003 admin" in 2005.
Re:Phishing Attack (Score:4, Interesting)
That said, I did have one IT outsourcing company that found my resume on Monster.com and when they called me, they wanted a social security number as part of their pre-interview screening process. When I refused, they claimed that it was necessary to save time by performing a background check before they potentially wasted their time on a candidate who wasn't able to pass a background check. I basically told them that they were idiots and that if they were legitimate, the only candidates they'd get with that policy are also idiots who had no business maintaining computer systems. Especially if the systems are considered sensitive enough to warrant a background check. The best part was that they had the gall to call me back and try to get my social one more time after that conversation.
Re:Phishing Attack (Score:5, Insightful)
Monster.com was broken in for spearphishing, not for sending bulk emails regarding "Bank of America". Spearphishing as a term is used to describe a phishing set up which is designed to hit a victim specifically by using a victim specific ruse based on knowledge of personal data.
Recruitment agencies are actually a prime target for such attacks:
1. Nearly all of them (even the specialised unix oriented ones) require all CVs in Microshit Word so pushing a custom Trojan is trivial.
2. Nearly all of them systematically violate the Data Protection Act and other similar statutes which require them to remove customer data from their databases when no longer needed. So far in the UK only 3% of the ones I have asked to remove my details have complied with the request. Amidst the most vile violators are the two biggest MOD oriented agencies and more than 50% of the top 20 (by job posting numbers).
3. In addition to that apparently at least one UK (and international) jobboard also does not remove customer data even if you delete your accounts from there. As a result the agencies are re-fed your details on a regular basis.
4. The agencies possess enough data for a perfect spearphish: date of birth, nationality, postal address, occupation, prior job history, current and past salaries as well as further background. In some cases where they have been subcontracted to do HR they possess even more data like NSNs/SSNs, credit ratings and the like.
Frankly this is an industry that is in desperate need to be smacked with some vile regulation compared to which SOX and the recent health IT regs in the US are a child's play. They need to be straightened out and made to follow the laws of the land with regard to customer privacy. At the moment they are systematically ignoring them and in many cases they possess more of your personal information than your bank.
So let's hope that the Monster case will cause some moves towards that.
Re: (Score:2, Insightful)
Re: (Score:2)
Why not, stay with me on this it's complicated, enforce the existing laws.
Re: (Score:2)
It's all about risk. People speed because the chance of being caught combined with the penalty is such that they feel it's a risk they'll take. If you create new laws that enable capital punishment for speeding, people won't speed. You won't have to police or enforce it any more, it'll just happen.
That's pretty much what SOX did. If the company makes its numbers up, the CEO and/or CFO go to jail. That's a pretty big jump from the punishments had before. Therefore, companies are less inclined to take that
Re: (Score:2)
Sure, if the punishments are too small to stop the behaviour the law was enacted to stop then you need to do some tweaking - upping the penalties for example. But first you have to enforce what you have, it might be good enough - you can't know if you never enforce.
Re: (Score:2)
Sure, if the punishments are too small to stop the behaviour the law was enacted to stop then you need to do some tweaking - upping the penalties for example. But first you have to enforce what you have, it might be good enough - you can't know if you never enforce.
The problem is that these kinds of cases are notoriously difficult to prosecute, and generally require quite a bit of testimony from company insiders to make a decent case. Evidence is hard to get since it is often destroyed (emails and files deleted, etc.). So the risk is fairly low to the individuals, which means that the penalties need to be much greater to have any real deterrent effect.
Re: (Score:2)
Similarly, for the last 5 years I have seen only 2 UK agencies in the IT area (including security oriented ones) that are aware that MS Word leaves personal information inclu
Re: (Score:3, Funny)
o noes (Score:2, Funny)
Re: (Score:2)
That's what I was thinking... like, aren't MORE people seeing those resumes now? Isn't that a GOOD thing?
Of course, it's really a problem for identity theft, since there are many details of a person's life on their resume. In fact you could call them up and make yourself sound like you knew them: "Hey, this is Jamie over at First Bank of Goobersville... yeah, remember when we worked together before you left for Retail Mega-Schmaltz?" I've even seen resumes where people put down the names of their pets -
Re: (Score:2)
Re: (Score:2)
"You better start commenting your code and indenting or you might have an 'accident'."
Hehe (Score:5, Funny)
Re: (Score:2)
Symantec has a very detailed explanation of it (Score:5, Informative)
The trojan (called Infostealer.Monstres) seems to be using HR login details (possibly stolen) to access the hiring.monster.com and recruiter.monster.com sub-domains and download candidate information. It also seems to be similar to a previously known trojan called Trojan.Gpcoder.E [slashdot.org]
Symantec estimates that 1.6 million people (mostly from USA) have been impacted.
They have informed Monster about it
Re: (Score:2)
Somehow I'm not convinced Monster is going to be concerned enough to take action, at least not until it threatens to cost them significant money.
I've been job searching recently, and Monster is the worst when it comes to privacy and security. First, when creating an online "resume" on Monster, between every "real" page, there's an ad page that looks like a Monster form to fill out, but it's actually a phishing page, an advertisement posing as a form that's asking for
hmmm (Score:4, Insightful)
Monster doesn't help anyway--why use it? (Score:3, Informative)
Speaking of spammers, this [mailto] is for you spambot email harvesters.
Re: (Score:3, Insightful)
Re: (Score:2, Interesting)
Unfortunately, Monster and Dice are indeed "cattle calls." More than once I've caught a Monster or Dice recruiter using my resume to try to land a government contract. Then, once getting said contract, that same recruiter fills that s
Re:Monster doesn't help anyway--why use it? (Score:5, Interesting)
Craigslist all the way. I am operations manager for a small IT firm and we've hired our last ten people from Craigslist. The response rate is fantastic. In most major markets, posting an ad is still free (for now). I keep getting calls from a rep. at Monster every three to six months asking me to pay $300-$400 PER LISTING at Monster. I let them know that I am perfectly happy with the quality, quantity and cost of Craigslist. There's a long pause and then they say maybe they'll give me a call in three to six months to check up on me. It's a little silly and arrogant to think that everyone will be able to get a job through personal connections. But Monster and Dice are so 1999. Craigslist is where the real action is.
Hint to other employers out there: I've found that the quality of candidates who respond to postings is directly proportional to the quality of the ad that you post. Put some thought into what you write. (Note: The same holds true for Slashdot.)
Re: (Score:3, Interesting)
I have had zero luck with Craigslist even for buying and selling. When selling, people demand that I accept their temporary checks, and won't pay otherwise, so I tell them to find another victim. When buying, I ask for some proof the item wasn't stolen, or at least show me that the i
Re: (Score:3, Insightful)
The majority of items in my apt were purchased off of craigslist. Not to mention my car, my current job and the apt itself.
Re: (Score:2)
- Sold 2 of my cars in the last couple years at the posted price - both within 2 hours of posting.
- Got my job there. Very happy.
- Got all my wedding vendors there. Very happy for the most part.
- Run my ads for my side business exclusively on CL. Get more business than I can handle.
Re: (Score:2)
Not to imply that you are stupid, but are you aware that people can kick down YOUR door for a home invasion robbery without you telling them where you live?
Additionally, are you aware that there are quite a few doors/houses as well as quite a few "home invasion robberies" without the involvement of craigslist ? I dare venture, and feel free to call my bluff, but I would say that majority of "home invasion robberies" take pl
Re:Monster doesn't help anyway--why use it? (Score:4, Funny)
Craigslist...right.... Lots of ads, like the following:
WEB DEVELOPER needed for growing company, must be prorficient [sic] in PHP, ASP, ASP.NET, C++, Java and XHTML. Students welcome. $10 hr.
Oh, and here's a title from an actual ad now running (you can't make this stuff up):
Big Dog Web Developers Needed for a Big Back End
I don't even want to know.
Re: (Score:2)
That said, I was hired via
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
cue sound: (Score:5, Funny)
They got me! (Score:4, Funny)
Monster sucks donkey nuts (Score:3, Interesting)
Nice bonus is trying to find a link on their website where you can contact a real human. Or contact anyone. They seem to assume that anyone who wishes to contact them is either a job seeker or job poster. I don't think this is an oversight. I do think the staff at monster.com don't want to
Re: (Score:3, Interesting)
Seconded. Monster is an advertising vehicle, not a job board -- not anymore, at least. I've been trolling Monster for about 7 years now, and while I have had many many interviews, I have received about 10,000 spam messages from recruiters from all over the world. I do UNIX systems administration.
Here's a f
So to summarize... (Score:3, Interesting)
That information is available anyways, as people with resumes in open access do want to be contacted so they publish the email/phone/name etc and anyone with a screen scraper can amass this pile of "personal data". There is no indication that job seeker's database was stolen.
As for phishers I had a run in with one company claiming to "hire for Google" and demanding my SSN so they could "put my data into candidate database at Google, that absolutely demands SSN as unique ID".
That was several months ago.
Copied, not stolen (Score:4, Funny)
Re: (Score:2)
New ads on Monster tomorrow: (Score:3, Funny)
Best headline ever (Score:5, Funny)
This story has the best headline I've seen on the BBC in a long time:
Ruh-roh! Someone call the Scooby Gang!
Re: (Score:2)
job scams (Score:2)
when did it happen? (Score:2)
Re: (Score:2)
Same trojan attacked Dutch bank (Score:3, Interesting)
1) when logging in
2) when confirming a transaction
A third is performed when transferring large amounts of money.
Apparently, the trojan told the customer the first attempt had failed (while in the background preparing a transaction, which could be verified by the bank, because the client was so kind to re-authenticate, this time to the transaction challenge, while they were still thinking it was the login challenge).
Here's the story (in Dutch, hurrah)
http://tweakers.net/nieuws/48895/Virus-ontfutselt
And Monster's publicity team says... (Score:5, Interesting)
Nothing. Absolutely nothing.
The story's all over the media and the internet, Symantec has a blog post [symantec.com] and a virus writeup [symantec.com], and what's on the front page of Monster? Not a damn thing. No "your personal info may have been stolen", "hey, yeah, that data breach thing, we're looking into it", no acknowledgement of any kind. Their press page [monsterworldwide.com] contains bulletins about the Monster Employment Index and their top ten workplace etiquette tips. Looks like we're going to see another good example of how not to handle negative press related to a security issue.
Actually, just visited Monster.com and... (Score:2)
http://help.monster.com/besafe/ [monster.com]
I don't know if what they are talking about is related to this or a separate problem however.
Re: (Score:2)
Yeah, I saw their homepage link to http://help.monster.com/besafe/email/ [monster.com], but I thought that was a general "don't respond to phishing email" warning. It doesn't give any indication that it's something they put up specifically to address this. Mind you, looking back at monster.com in the wayback machine [archive.org], they don't appear to have had that link on their homepage back on 14 June.
What user data? Monster is a fake site (Score:2)
I've gotten a few jobs through Monster. (Score:2)
Besides job hunting, it's also an excellent tool for getting a feel for what the market is like in a given industry center. Today, for example, I'm pretty happy with my present gig, but I still keep a resume on Monster.
Espionage (Score:2)
Sweet (Score:2)
Didn't Monster just fire a lot of people? (Score:3, Interesting)
My only question is... (Score:2)
Monster Tool? (Score:2)
Hilarious (Score:2)
They stole resumes!
I highly doubt there is any real, non-falsified personal information in any of those! Not if any of the resumes I've ever seen have been any indication.
Re: (Score:3, Insightful)
Re: (Score:2)
The program used stolen login credentials so Linux and any other OS would have thought the trojan was a valid user...
Re: (Score:2)
Re:"US recruitment site"?? (Score:4, Informative)
We'll stop calling websites for the USA "US Websites" when you stop butchering our language. The word you were looking for is "anti-American"
Also, if you check your history then Europe created the public WWW (with the CERN site in France/Switzerland) and it was a Brit, Tim Berners-Lee, who first developed HTML and worked on the original HTTP specification (Wikipedia references [wikipedia.org]).
Re: (Score:2)
Your language? Get over yourself. Did I miss the memo where the English who migrated to America suddenly lost their "magical English essence" which apparently comes from being on the soil where the language originally evolved? Kind of like how my sister is more closely genetically related to my parents because she still lives closer to them?
Both Brits and Americans speak descendants of earlier forms of English. Nobody speaks the English which was spoken when Americ
Re:"US recruitment site"?? (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
The username "Bloke down the pub" and his sig; Sure it's an assumption, but I felt it was a fairly safe one. Maybe he'll correct me if it was wrong...
The way he was speaking in the quote was obviously ironic and I didn't take that to mean anything other than that he's funny.
Re: (Score:2)
Re: (Score:2)
Now, I demand you hand over a metaphorical pound so that I may deposit it in my metaphorical savings account. And
Not quite accurate... (Score:2)
My point is that essentially, US English really isn't much of a shift at all away from English English, which is why many Brits will say that "it's our language". Personally though, I don't think anyone 'owns' a language, but recognition of origin is always nice.
And yes, English language is more or less the same a
Re: (Score:2)
U.S. English isn't any kind of "shift" away from English English. They are both (admittedly slight) shifts away from the English which was spoken when they branched off from each other. Strictly speaking U.S. English shifted less, if you consider pronunciation and vocabulary.
Let me state the analogy again, but in more detail:
A couple has two children, let's call them John Doe and Jane Do
Re: (Score:2)
On the other hand, Latin is one exa
Re: (Score:2)
I've heard that story too, but I have never heard a reliable confirmation of it. However, I can say with confidence that one of the principles of lan
Re: (Score:2)
If you want to be picky then we speak British English, but people don't tend to say "he speaks British" where as they do say "he speaks American" for American English.
I think you did miss the memo, though. Anyone who emigrated to America became (eventu
Re: (Score:2)
You mean french?
Re: (Score:2)
Look if you guys want to jump into the debate, at least read the points I'm making in the other posts, and maybe read up on the relevant fields of Linguistics.
I'm obviously not getting through to anyone, which I should be used to by now.... everyone thinks they'r
Re: (Score:2)
Re: (Score:2)
My original suggestion of "anti-American" was because the OP seemed to be saying that it was some form of racial bias that we were specifically picking out the America
Re:Porn (Score:5, Funny)
>thousands of minutes of erotic movies
TIP: say hundreds of *hours*. Saying minutes really implies your target audience don't umm, last very long IYSWIM. Not good marketing to insult them up front.
Re: (Score:2)