Monday 10 September 2007

Security alarm after Monster breach

Sunday Business Post - Recruitment pages - September 9 2007

When using online recruitment sites, jobseekers should share personal data with discretion and be wary of unsolicited requests for information, writes Dermot Corrigan.


One of the biggest internet security breaches ever was discovered last month when global online recruitment giant Monster admitted personal information belonging to over one million of its job-seekers had been stolen.


According to Monster, hackers gained access to personal information - names, addresses, phone numbers and email addresses - of 1.3 million individuals.


Monster said it is working closely with the appropriate regulatory agencies and law enforcement authorities on the issue and is informing affected individuals of the precautionary steps they should take to protect themselves. Monster said fewer than 5,000 of those affected were based outside the United States.


The problem was first detected last month by Symantec's EMEA security headquarters in Dublin. Kevin Hogan, director of security content operations within Symantec Security Response, said the company immediately notified Monster and worked on shutting down the threat.


Hogan said the thieves did not try to circumvent Monster's security systems, as they would in a traditional hacking attack.


"They somehow managed to get the login details for three separate accounts and used them to gain access to the site as any normal recruitment agency or employer would," he said.


According to Hogan, the criminals then used a 'trojan' programme to search through Monster's database of candidates and steal personal information.


"There was an e-mail sent to the individuals whose email addresses had been stolen," he said. "These had an attachment which purported to be a job search tool, but if you double-clicked it, it was actually malware that encrypted files on your local system. It then flashed you a warning saying if you wanted to see those local files again you would have to pay a certain amount of money. It was sort of an extortion racket."


Hogan said some Monster users were even offered positions by a Russian company as "financial consultants".


"The hackers knew the people were looking for jobs," he said. "It also sent a spam email saying you could be a financial consultant and make money from home. If you read through it you saw that they were recruiting people to act as go-betweens or mules in a money-laundering scheme. You needed to set up an account with Western Union and a bank account with Bank of America, and you would get a percentage of transactions that went through. That was pitched as a real financial consultant job."


The server used in the attack was located in Ukraine, and the Russian company offering the positions was apparently based in Moscow. Hogan suspects a professional group was behind the attack.


"These guys are definitely organised," he said. "They are relying on different means of setting up websites, shell companies and so on. You are not talking about pranksters here."


The malicious emails sent out would not have appeared suspicious at first glance, said Hogan.


"The e-mails themselves had the Monster logo and looked very professional," he said. "These people would have expected to see something coming from Monster as they had registered."


Hogan said that in the Monster case there appeared to have been no breakdown in Monster's own security procedures.


"We do not know exactly how, but there were some standard accounts that were abused by the hackers," he said. "They may have been accounts that the hackers themselves managed to set up, although there is a vetting process on Monster's site. Or they may have been accounts from legitimate companies or recruiters that were somehow passed from person to person until they landed in these characters' hands."


Hogan said companies had to safeguard their login details and passwords.


"Even something as simple as the recruiters' username for the Monster site is of value to people like this," said Hogan. "People need to ensure they are not just slapping these onto a post-it note and attaching it to their keyboard."


According to Hogan, there was nothing particular about the Monster site that invited this attack.


"It could have been any other of the myriad sites where people input personal information," he said. "In this case it happens to have been a recruitment site, but if you look at the information that was being stolen it did not have anything to do with these people's CVs."


Fergal O'Byrne, chief executive officer of the Irish Internet Association, said individuals entering personal information into any internet site should be aware that it is never completely safe.


"If you are going to put CVs or personal information up into any internet environment, whether it is a recruitment site or a social networking site, you have to be aware that the internet is an open medium and unfortunately there are fraudsters and scammers who are looking for just that kind of information," he said.


The criminals in these cases rely on people making mistakes, according to O'Byrne.


"People are the weak link here," he said. "The reason phishing is so prevalent is that it is working."


O'Byrne said anyone who received an email containing an attachment or a click-through web address should be careful.


"These scammers embed a different internet address in the email which redirects to somewhere else, and most people do not know it has even happened," he said. "Always go to the actual website itself and type the actual domain name into the address bar, e.g. paypal.com or monster.ie."
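The mismatch O'Byrne describes, a link whose visible text names one domain while the href goes somewhere else, can be checked mechanically before anyone clicks. The following is an added example, not code from the article or from Symantec or Monster; the e-mail body and the placeholder host careers-update.example.net are constructed for illustration.

```python
# Added example (not from the article): flag links whose visible text names
# one domain while the href actually points at another host.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:      # inside an <a>, possibly nested <b> etc.
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude last-two-label comparison (monster.ie, example.net)."""
    return ".".join(host.lower().split(".")[-2:])

def find_deceptive_links(html):
    """Return (visible text, real host) for every link whose shown domain
    differs from the domain the href really goes to."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = DOMAIN_RE.search(text.lower())
        real_host = urlparse(href).hostname or ""
        if shown and registrable(shown.group(0)) != registrable(real_host):
            findings.append((text, real_host))
    return findings

# Constructed sample e-mail body; careers-update.example.net is a placeholder
# standing in for the attacker's server, not a real indicator.
SAMPLE_EMAIL = """
<p>Your Monster account needs verification. Log in at
<a href="http://careers-update.example.net/login"><b>www.monster.ie</b>/account</a>.</p>
<p>Browse jobs at <a href="https://www.monster.ie/jobs">https://www.monster.ie</a>
or <a href="https://www.monster.ie/unsub">unsubscribe</a>.</p>
"""
```

Running `find_deceptive_links(SAMPLE_EMAIL)` flags only the first link, whose text shows monster.ie but whose href leaves for the placeholder host; the two genuine monster.ie links pass.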


O'Byrne said these sites should have appropriate security measures in place to protect users' information.


"The encryption of data, called SSL or secure sockets layer, is incredibly robust," he said.


Users should also only enter information that is directly relevant, and be suspicious of any unsolicited requests for information or urgent news, said O'Byrne. Reputable companies never ask for details such as PINs via email.

Hogan advised individuals using online job sites to set up temporary web-based e-mail accounts, such as Yahoo or Google, to protect themselves.
