Trojan strikes again, steals 1.6 million records on monster.com

A new version of internet virus Trojan is wreaking havoc with online recruiting websites and it has already accessed data on hundreds of thousands of users.

Researchers from Symantec and SecureWorks separately reported finding surprisingly effective penetrations by the new Trojan, called Infostealer.Monstres, which was attempting to access the online recruitment website Monster.com.

Other versions of the Trojan, which is a variant of the Prg Trojan, were also found to be attacking other online job sites.

Monster.com and a security business partner, Cyveillance, had warned the industry about increasing attacks on recruiting sites less than a month ago.

According to Symantec, the new Trojan, which is usually delivered via phishing messages that Monster.com and Cyveillance warned users about, has allowed attackers to collect as many as 1.6 million pieces of data affecting “several hundred thousand” users on Monster.com alone.

Working independently, SecureWorks reported finding at least a dozen caches of personal information, totalling about 100,000 identities.


The Trojan appears to be using the (probably stolen) credentials of a number of recruiters to login to the Monster.com website and perform searches for resumes of candidates located in certain countries or working in certain fields, Symantec says in its blog.

The virus works like this: The Trojan sends HTTP commands to the Monster.com website to navigate to the Managed Folders section. It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter’s saved searches. The personal data is then extracted from the resumes and uploaded to a remote server.

The Symantec researchers found all of the 1.6 million pieces of compromised data on a single server, but SecureWorks found at least a dozen smaller caches, so the number of users affected likely is higher than either of the research teams has reported so far.

In fact, Symantec says, the Trojan can be instructed to send spam email using a mail template downloadable from the command and control server.

Monster.com has been attacked by Trojan previously. The main file used by Infostealer.Monstres, ntos.exe, is also commonly used by Trojan.Gpcoder.E, and both also have a similar icon for the executable file that reproduces the Monster.com company logo. This is hardly a coincidence, according to Symantec.

Trojan.Gpcoder.E has also reportedly been spammed in Monster.com phishing emails. These emails were very realistic, containing personal information of the victims, and they requested that the recipient download a Monster Job Seeker Tool, which in fact was a copy of Trojan.Gpcoder.E.

This Trojan encrypts files in the affected computer and leaves a text file requesting money to be paid to the attackers in order to decrypt the files.

The code for Gpcoder is somewhat similar to that of Monster.com, which may indicate that the same hacker group is behind both Trojans, the researchers say.

They have informed Monster.com of the Trojan exploits so that the “stolen” recruiter accounts can be shut down and also advised users not to put personal information – such as Social Security numbers – into their online job postings. Users should not give out this sort of data until they have established that a potential employer is legitimate.