
SANS ISC: InfoSec Handlers Diary Blog



Job Search Sites Compromised, Spear Phishing Hilarity Ensues

Published: 2007-08-20
Last Updated: 2007-08-20 21:08:48 UTC
by John Bambenek (Version: 1)
0 comment(s)

It appears that many, many accounts on monster.com were stolen and are now being used to send credible spear-phishing job ads to users.  What makes this attack interesting is how organized the phishing operation behind it is.  In short, monster.com registered recruiters have had their accounts compromised so phishers can use them to send credible job ads to prospective victims.  Normal phishing attacks (spam the world) can net up to 10% of recipients.  According to some studies (which I can't find at the moment) that number increases to 80% when the e-mail is credible, such as when it comes from social networking sites (i.e., friends) or from job ad sites, as in this attack.  To be fair, those are the numbers of people who have ever clicked on a phishing e-mail, but those are still big windows of compromise.

One of the trojans used in this case is the Prg Trojan, and the organization putting them out has staged variants and releases a new one as soon as the last one is detected.  The result is that AV doesn't do much for you, because the second a variant is detected (and hopefully cleaned) a new, undetected version comes out.  Rinse, repeat.

Brian Krebs at SecurityFix has a good article and analysis of the whole thing.

One could try to stop clicking on links even from job ad sites, but that makes the service nearly unusable.  Recruiters would have to start sending prospective employees job descriptions in text with the URL in text.  Yes, text-only e-mail readers are still better than HTML, for obvious reasons.  AV can't keep up.  I'm trying to get more details about the fake ads and the malware so I may have specific defenses shortly.
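The "obvious reasons" above come down to one thing: an HTML message can display one destination while linking to another, and a text-only reader shows the real URL. The following is an added example, not code from this diary, from monster.com, or from SecurityFix, of a gateway-style check that renders links the way a text-only reader would and flags anchors whose visible text names a different site than the `href`. The sample message, its placeholder domains, and the helper names (`LinkExtractor`, `registrable_host`, `find_deceptive_links`, `as_plain_text`) are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. The domains are placeholders (.example / .invalid),
# not indicators from the real monster.com attack.
SAMPLE_MAIL = """\
<p>We reviewed your resume on <a href="http://jobs-board.example/">jobs-board.example</a>
and would like to offer you a position.</p>
<p>Please download and complete the application form:
<a href="http://careers-update.invalid/form.exe">http://jobs-board.example/careers/form</a></p>
<p><a href="http://jobs-board.example/unsubscribe">Unsubscribe</a></p>
"""

# Anchor text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (anchor_text, href) pairs from an HTML body (hypothetical helper)."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_host(value):
    """Last two labels of the host in a URL or bare domain.
    Hypothetical helper: a real gateway would consult the public suffix list."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def find_deceptive_links(html_body):
    """Return [(anchor_text, href)] for links whose visible text looks like a URL
    or domain but points at a different site than the href actually does."""
    parser = LinkExtractor()
    parser.feed(html_body)
    flagged = []
    for text, href in parser.links:
        if not URL_LIKE.fullmatch(text):
            continue  # plain words like "Unsubscribe" make no claim about a site
        if registrable_host(text) != registrable_host(href):
            flagged.append((text, href))
    return flagged


def as_plain_text(html_body):
    """Render each link the way a text-only reader would: visible text, then the real URL."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return [f"{text} <{href}>" for text, href in parser.links]


if __name__ == "__main__":
    for line in as_plain_text(SAMPLE_MAIL):
        print(line)
    for text, href in find_deceptive_links(SAMPLE_MAIL):
        print(f"MISMATCH: shows {text!r} but goes to {href!r}")
```

Only anchors whose text looks like a URL or domain are compared, so ordinary link labels are not flagged; the second link in the constructed message is the one this check reports, because its visible text names the job board while the `href` points elsewhere.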

There are tactics to raise the bar here; perhaps monster and others can just force a system-wide password reset to lock out the attackers.  However, the core problem is simple and it's this: the PC is not a trustworthy device for sensitive information... period.  As long as people keep treating PCs as "safe", phishers, fraudsters, and herders will keep exploiting the vast majority of insecure desktops, installing backdoors, and stealing information.  As long as credit card companies and banking companies rely on weak authentication (username and password), that information will keep getting stolen.  Social Security numbers don't require ANY authentication for us, and we're approaching a point where most, if not all, of those numbers are essentially compromised and public.

--
John Bambenek / bambenek {at} gmail {dot} com
University of Illinois at Urbana-Champaign

