In case you missed it, it’s about to get very uncomfortable for the kids in Maynard.
According to Symantec security analyst Amado Hidalgo, a new Trojan horse called Infostealer.Monstres has stolen more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide Inc.’s job search service.
August 20th, 2007 at 5:45 pm
1. Companies all over the place need to really look hard at how secure their information is to everyone. There’s a long way to go since most companies don’t even think the data in their databases could be an advantage to themselves much less stolen.
2. I’d love to work for some of these security companies to try and prevent this stuff — it drives me crazy. Don’t have the statistical skill sets for it, but I’d love to constantly beat these guys trying to come in after this stuff.
August 20th, 2007 at 6:34 pm
So the ads pitching beer to the unemployed have been replaced by ads which steal their identities? Great. Just when you thought it couldn’t get any worse…
August 21st, 2007 at 6:33 am
Apparently unrelated but nonetheless:
http://online.wsj.com/article/SB118766616028303810.html?mod=googlenews_wsj
August 21st, 2007 at 11:38 am
This doesn’t surprise me a bit. We dropped MonsterTRAK because of huge security holes, including using the user name and password as part of the HTML of a page (!!) once logged in, and URLs that were strings of numbers, not unique IDs.
We were able to see all sorts of things from other universities by simply changing some of the number strings.
That should NEVER happen, if authentication was properly done.
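The pattern this comment describes, a record URL that is just a sequential number and a handler that only checks for a login, shown beside a handler that also checks who owns the record. This is an added Python illustration, not Monster's or MonsterTRAK's code; every user, organisation, record and ID in it is constructed.

```python
# Added illustration of the flaw described above; all data is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    org: str          # organisation the logged-in user belongs to

# Constructed sample "resume database": id -> (owning org, contents)
RESUMES = {
    1001: ("university-a", "Alice, BSc, 2007"),
    1002: ("university-a", "Bob, MSc, 2006"),
    1003: ("university-b", "Carol, PhD, 2005"),
}

class Forbidden(Exception):
    pass

def get_resume_vulnerable(session, resume_id):
    """Only checks that *someone* is logged in; any logged-in user can walk
    the numeric ID space and read every organisation's records."""
    if session is None:
        raise Forbidden("login required")
    return RESUMES[resume_id][1]

def get_resume_hardened(session, resume_id):
    """Looks the record up, then compares the caller's organisation with the
    record's owner before returning it. An unknown ID and a foreign ID raise
    the same error, so the response does not reveal which IDs exist."""
    if session is None:
        raise Forbidden("login required")
    record = RESUMES.get(resume_id)
    if record is None or record[0] != session.org:
        raise Forbidden("not found")
    return record[1]

def can_read_other_org(fetch, session, foreign_id):
    """Demo helper: True if `fetch` hands back a record from another org."""
    try:
        fetch(session, foreign_id)
        return True
    except (Forbidden, KeyError):
        return False

if __name__ == "__main__":
    s = Session(user="recruiter@university-a.example", org="university-a")
    print("vulnerable leaks:", can_read_other_org(get_resume_vulnerable, s, 1003))
    print("hardened leaks:  ", can_read_other_org(get_resume_hardened, s, 1003))
```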
August 22nd, 2007 at 6:52 pm
Here’s the email just circulated out by a Monster rep. to clients. It is an amazing lack of acceptance that they have a fundamental flaw that needs to be addressed. (Humor my commentary throughout the email. Anything in { } is NOT from monster, but is commentary.)
Hello,
As you may know, Monster has received reports of a piece of malicious
software – called Infostealer.Monstres – that has been used to gather
the login credentials of our legitimate customers, and use those
credentials to log into Monster’s resume database in order to view
resumes posted to Monster’s resume database. At this time, we have no
evidence that substantiates many of the claims being made in the
articles.
{No evidence, except for the documented warnings before hand by the most reputable security firms in the world, including Symantec.}
What you should know:
* Monster is investigating the reports related to this Trojan
and will take all necessary steps to mitigate the issue, including
terminating any account used for illegitimate purposes.
{But not examine their underlying security model, which does not force password changes, nor strong passwords.}
* To the best of our knowledge, this is not a “hack” on
Monster’s security — rather, legitimate customer credentials are being
used to log in to the database.
{Correct. Using a weak authentication model that apparently is really easy to figure out. BTW, didn’t anyone notice the user downloading 300,000 records on Saturday? If it were my account, I think I’d have gotten a phone call…}
* Many of the media reports refer to this as an issue of
“identity theft.” We are not aware of any cases of identity theft.
Posting a resume on Monster is a safe and effective way to get a job –
in fact, any information typically found in a resume can be found in the
phone book — i.e. generic contact information.
{Monster, you aren’t aware of a lot of things. One of those things was the Washington Post article the Friday before you were hacked describing exactly how these people were using the Trojan. The emails generated back to users phishing for new information doesn’t constitute awareness of identity theft on what planet exactly?}
There has also been a related report of virus-infected display ads on
Monster.com. We are not aware of any facts confirming this report.
When asked, the company making this report, could not provide us with
any confirming details.
{Was this the ad that we get for signing up for Phoenix University before we get to search? If not, could someone from Monster *please* load a virus on this page immediately?}
Protecting our users from fraud is one of Monster’s top priorities.
{As is responding to reporter’s requests to discuss this topic. We’ll get around to it 72 hours after it happened, and not tell the impacted users at all about it. }
* To continuously combat fraud, Monster has implemented a
sizable, dedicated Task Force that is fully committed to protecting the
integrity of Monster’s products and services, and most importantly –
our customers and site visitors.
* The Task Force continually monitors our resume database
to detect and terminate access that appears unusual or could potentially be
fraudulent.
{Except when I got a really tasty pink frosted donut on Saturday stepping away from my computer. You know, like Homer’s with the sprinkles? Well, imagine my surprise when I saw an IP address from Poland downloading 300,000 names. I mean wow. I had to get another donut.}
* Furthermore, we continually implement and refine our
site technologies to identify unauthorized or inappropriate access to
our resume database.
{Don’t pay attention to the fact that we haven’t changed our authentication model since the 90’s.}
We ask that you remain alert for phishing emails: Phishing is when
someone emails you posing as a legitimate business or a personal
acquaintance. These emails often include familiar branding (such as
logos) in an attempt to create the perception of legitimacy; they then
try to obtain personal information from you or lure you into downloading
a malicious program.
Remember, Monster will NEVER send an email asking you to confirm your
username and password, nor will Monster ask you to download any
software, “tool” or “access agreement” in order to use your Monster
account.
* If you receive an email that contains such a link, you can
validate the URL by going directly to the Monster Web site,
http://www.monster.com, rather than relying solely
on that which is provided in an email. In addition, please forward it,
with full “header” information to siteabuse@monster.com
so that we may investigate and take
action. Instructions on obtaining header information can be found at:
http://www.spamcop.com/help_with_headers/.
* Customers should never list their Social Security numbers,
driver’s license numbers, bank or credit card information, or passwords
on their resume.
* Further information on email fraud, including how to spot
phishing and spoofing, is available at:
* http://www.lookstoogoodtobetrue.com/fraudtypes/phishing.aspx
* http://help.monster.com/besafe/email/
Ultimately, we have found no reason to believe that there is a Trojan
directly on the Monster site and that our users will be vulnerable to
this Trojan by using the Monster site- it is the phishing emails that
our customers need to avoid. We are continuously investigating the
claims made in the Trojan related articles and will continue to do so.
Should we find any evidence that supports the claims of these articles,
please know that Monster will work aggressively to protect our
customers.
{Someone please find me an article that claims this. I’ve seen none.}
Should you have any further questions or concerns, please contact me
directly.
{I do have a few concerns actually…}
Best regards,
~Cindy
Monster(r) -Today’s the Day
Is it necessary to print this email?
{Yes. That last line was really included in the email.}
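The kind of volume check the commentary above keeps coming back to (one account pulling 300,000 records on a Saturday), written up as an added detection sketch in Python. It is not Monster's Task Force tooling or any real log format; the log lines, accounts, addresses, dates and threshold are all constructed for illustration.

```python
# Added detection sketch; the log format and every value in it are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed log lines: timestamp, account, source IP, action, record id
SAMPLE_LOG = """\
2007-08-18T09:00:01 acme-hr 192.0.2.10 view 1001
2007-08-18T09:00:02 acme-hr 192.0.2.10 view 1002
2007-08-18T10:15:00 bulk-acct 198.51.100.7 view 2001
2007-08-18T10:15:01 bulk-acct 198.51.100.7 view 2002
2007-08-18T10:15:02 bulk-acct 198.51.100.7 view 2003
2007-08-18T10:15:03 bulk-acct 198.51.100.7 view 2004
2007-08-18T10:15:04 bulk-acct 198.51.100.7 view 2005
2007-08-20T11:00:00 acme-hr 192.0.2.10 view 1003
"""

DAILY_LIMIT = 4   # distinct views per account per day before alerting (constructed)

def parse(line):
    ts, account, ip, action, rid = line.split()
    return datetime.fromisoformat(ts), account, ip, action, int(rid)

def daily_view_counts(log_text):
    """Count distinct resume views per (account, source IP, calendar day)."""
    counts = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, action, rid = parse(line)
        if action == "view":
            counts[(account, ip, ts.date())].add(rid)
    return {k: len(v) for k, v in counts.items()}

def alerts(log_text, limit=DAILY_LIMIT):
    """One alert per (account, ip, day) above `limit`, noting whether the burst
    fell on a weekend, when a recruiting account would not normally be busy."""
    out = []
    for (account, ip, day), n in sorted(daily_view_counts(log_text).items()):
        if n > limit:
            out.append({"account": account, "ip": ip, "day": day.isoformat(),
                        "views": n, "weekend": day.weekday() >= 5})
    return out

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

A real deployment would key on far larger limits and per-account baselines, but the shape is the same: count distinct records per principal per window and page someone when the count is out of character.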
August 22nd, 2007 at 7:30 pm
So, since Monster.com can’t tell programmatic access to its site from direct access nor do they secure their own site from “talking to itself”, based on their responses in these articles:
http://www.pcworld.com/article/id,136154-pg,1/article.html
and here:
http://www.forbes.com/technology/2007/08/20/symantec-monster-research-tech-cx_0820darkreading.html
This compounded with the fact that their alliances program apparently further extends this lack of security to third parties (see here):
http://info.monster.com/alliances/hrvendor.asp
with no basic checks and balances is just lazy and poor management of private information. And don’t try and tell me that resume information isn’t “private”… I’m assured multiple times throughout the account creation process that my information is both private and secure.
What’s worse is that their “security model” seems to cross all their offerings including those that provide companies with their own career web sites, so are those using Monster.com for that compromised or at least at risk? I know that our company lets those with Monster.com profiles “push” those into our systems and that Monster requires that you have an account on Monster before you can easily get to our jobs.
All I can say is no thanks… Lots of sites can drive candidate traffic and at least some of them seem to care about the fact that they sit between my jobs and my potential future employees’ privacy.
August 22nd, 2007 at 10:17 pm
For the past few years the Monster site has reminded me more of a lead generation tool for their advertisers rather than a place for people to find jobs. This trojan horse issue can directly be attributed to the overall strategies set in place by their management. The ‘new’ management is not off to a good start here. The problem in my mind still lies in the fact that their ultimate customer is the shareholder, thus their growth must come from squeezing every available dollar from the poor job seeker to maintain growth. With this model the job seeker always loses.
August 23rd, 2007 at 7:47 am
Masses, listen up!
I represent the International Brotherhood of Trumpasaurai (of which there are one, frequently seen at trade shows.)
I am extremely displeased with you all. You have not lain down and accepted the word of my master (monster.com) as golden.
How dare you.
Let me set the record straight, right here, right now.
1. It is not *our* fault that we lost all of those candidate records to bad people who want to steal nice human identities. It’s yours. You dumb clients better stop messing up our nice resume database by catching viruses.
2. If my master says that he has no direct knowledge that a virus even exists, and that identity theft exists, you will listen to our repudiation of objective reality. You will accept monster-reality.
3. Even if viruses do exist, they only downloaded information found in a phone book. That is why we charge so much money for access to the resume database. It takes many phone books to store this information. You should see master’s closet. It’s just shoes and phone books.
4. I had a dream last night that master couldn’t tell the difference between a human downloading a resume vs. a machine (like the Monster Partner program). That would mean that all of those nice humans that designed the Monster partner program and gave it to ATSes exposed a gaping flaw in their security. Then I woke up though and forgot all about that.
5. I expect two things from my master’s clients:
* Pay your invoices like good humans and don’t complain about increased rates.
* Stop questioning master. You are too simple to question the mind of his greatness.
If you would like to respond to me via human mail, I can be found at:
Office of the Trumpasaurus
Monster.com
Maynard, MA 54678
ATTN: Garbage Pile
Sincerely,
The Trumpasaurus
August 24th, 2007 at 10:48 am
Should I ask for forgiveness for what I will say here? Nah, Shoot, there seems to be a bit of hypocrisy going on here.. Monster gets a major breach, and Wow, this is such a Controversy, YET RECRUITERS every day will utilize programs – IE Jigsaw, that has the potential for as much harm as this attack did, and — Yet, this is what gets a raised Eyebrow?
No mention of Recruiters sending Resumes w/o permission from the Candidates to jobs that may not exist, and compromising their own efforts? No mention of Selling Data on Programs without permission from that individual?
Ah, sorry, I guess, another Rant and Rage about this VERY topic from Karen Mattonen.. It is amazing what will stir the hornets nest, but it is my personal opinion that there is not much difference to what Some Recruiters may and will do Intentionally – compared to the breach of Monster’s database.
Karen Mattonen..
August 24th, 2007 at 3:02 pm
This is a big problem, but it happens all the time. There’s a software tool called InfoGist that allows any recruiter to suck tens of thousands of contact records from major job boards.
August 31st, 2007 at 8:56 am
I just got a disturbing notice from USAjobs, which uses monster software, that the breach extended into their website as well.
http://www.usajobs.gov/securityNotice.asp
September 7th, 2007 at 6:03 am
How much do you think was paid to Mr Behind-the-Scenes for this information? How many companies have just accidentally lost information, and how long are we as a society going to keep giving out our personal data to these shysters?
These data security issues seem to be more a cash-in of customer trust than an actual incident. They get a list of a million active names, addresses, work history, salary information, phone numbers… they sell it to the highest bidder, download it and when the phishing starts, Monster claims SECURITY BREACH!!!!
Ya I believe it……
October 27th, 2007 at 1:50 pm
Me too, I get a lot of garbage from Monster, it’s a shame.
January 11th, 2008 at 12:29 pm
I get an average of 20 emails a day from Monster. Hopefully, this will be fixed
August 26th, 2008 at 8:26 am
1.6m is certainly not a small number… hope I’m not in there somewhere