
Would You Like A Job With That Virus?

Cyber crooks are targeting a wave of new attacks at people searching for jobs online, security experts warn. Oddly enough, the criminals behind this scam appear to be just as interested in hiring you as they are in hijacking your PC.

Over the course of the past few weeks, virus writers have set their sights on users of job search giant Monster.com and at least one other jobs site with tainted online advertisements designed to install malicious software on the visitors' machines, according to SecureWorks, an Atlanta-based security and research firm.

SecureWorks says that since May, more than 40,000 people have had their personal information stolen -- including Social Security numbers, bank account data and job site credentials -- thanks to a Trojan horse program that was planted in several advertisements running on the jobs sites. Some of these ads required a visitor to actually click on them before the Trojan could do its dirty work, while in other cases the Trojan appeared to swing into action as soon as the page hosting the ad was served, researchers found.

SecureWorks researcher Don Jackson said the Trojan was developed using a toolkit sold in black market forums under the name "icepack." The toolkit is similar to the Mpack toolkit that surfaced earlier this year. It generates Trojans that probe for the absence of several software security updates, holes that then permit the program to deliver its viral payload. Among the many weapons in its arsenal are exploits for recently patched security vulnerabilities in Apple's QuickTime and Microsoft's Windows Media Player. It also includes exploits for multiple Web browsers, including Internet Explorer, Firefox and Opera.

SecureWorks classifies the Trojan as a variant of the Prg Trojan, a fast-evolving piece of malware that appears to have been developed in tandem by different criminal groups. Secure Science Corp., the San Diego company that first spotted the Prg Trojan in late 2006, has a very detailed analysis (PDF) of the way it operates and some theories about its creators.

Anti-virus maker Symantec Corp. has been monitoring the attacks, which the company attributes to a Trojan its software recognizes as "Infostealer.Monstres." According to Symantec, the malware steals sensitive data posted by victims to Monster.com and then relays that information to a Web site controlled by the attackers. The Trojan also directs a victim's PC to blast out junk e-mail.

Symantec's advisory doesn't say what that spam looks like, but SecureWorks's Jackson said the junk e-mails are typical work-at-home scams that include the Trojan as an attachment.

Part of the reason employment forums are being targeted may be that job search sites have truly massive numbers of visitors each day. But there appears to be another angle in play here: The scammers really are trying to recruit new employees.

Work-at-home scams propagated through e-mail are almost always recruitment schemes run by organized criminal groups. The groups typically troll job boards and forums looking for potential "mules," people who agree -- sometimes unknowingly -- to launder stolen funds or reship commercial goods on behalf of fraudsters.

Mule recruitment is an integral part of any modern cyber crime operation. Money transferred directly from a victim to an account controlled by criminals is easily traced by banks and law enforcement, so the mules serve as a vital buffer (they also almost always eventually get caught). Scam artists also launder money by purchasing electronics and other high-end items with stolen credit cards. But since retailers and credit card companies typically block transactions on items destined for regions of the world where e-fraud is extraordinarily high (think parts of Eastern Europe and North Africa), mules often agree to receive the merchandise on behalf of the fraudsters, and then forward the items overseas.

Recently, Security Fix stumbled across data indicating that criminal groups behind the Storm worm -- without a doubt the most prolific e-mail worm to surface in the past two years -- also are actively using their network of infected machines to recruit mules (Storm-infected PCs are the primary driver behind the recent massive spike in virus-infected e-greetings cards).

One security expert, who maintains a group of Storm-infected machines to monitor the spam and other criminal activity taking place over the network, said criminals were using the network of infected machines to blast out work-at-home spam from newly registered Hotmail and Gmail accounts. The source said he saw e-mails flowing over the network apparently from dozens of people responding to these work-at-home mule recruitment scams.

Monster.com officials could not be immediately reached for comment. I will update this post in the event I hear back from them.

In the meantime, if you're a regular user of jobs sites -- or, really, a regular user of the Internet -- make sure you have updated your computer with all the latest software patches. And never respond to solicitations sent to you in e-mail from an unverified source, and know that responding to spam messages is a bad idea, period.

By Brian Krebs  |  August 17, 2007; 4:20 PM ET
Categories: Fraud, Latest Warnings, Safety Tips

Comments

Hi Brian. Is it correct to refer to this as a virus, when perhaps it is more accurate to refer to this as a drive-by-downloaded exploit, written by cyber criminals, whose payload was a trojan?

Patching is good advice, but most people don't do it reliably. How many people out there who downloaded Winzip 5 years ago have had any reason to seek out and install a security update? The solution (or the smart complement to patching you should mention) is the new breed of specialized anti-exploit safe surfing software packages that you've written about previously. Most of the major security vendors have them. Anti-virus software isn't enough, which is why I object to the "virus" term because it might mislead people into believing the solution to the virus problem is anti-virus.

Posted by: Mark | August 18, 2007 11:33 AM

@Mark:
Who cares what's 'correct'? You don't have time to chitchat over a glass of whisky about what the correct name is. Call it 'deadly', OK?

Posted by: Rick | August 19, 2007 9:58 AM

@Rick. Here's why 'correct' is important. If you mislabel things as viruses that *aren't* viruses, you deny readers the opportunity to gain actionable and useful knowledge from what is otherwise a solid story. If people think this is a virus problem (it isn't), then they'll think all they need to do to protect themselves is use anti-virus software (wrong conclusion). Case in point: Over 150,000 people infected by the MPACK exploit ( http://www.securityfocus.com/brief/529 ). Q. What percentage were using anti-virus software? A. Probably most. Q. What percentage thought that their AV software would protect them from exploits? A. Probably most (assuming they know what an exploit is). Until the media stop mislabeling the threats, the vast majority of the user community will remain confused or ignorant about the threats. This is one of the better security blogs anywhere. My comment was meant as a constructive suggestion. Nothing more.

Posted by: Mark | August 19, 2007 12:34 PM

@Mark....the media is to blame for all these infections, the public's lack of action on important things like patching applications? Krebs's story is very careful to say in several places that the success of this attack was due to the fact that people aren't patching applications like Quicktime, etc.

Also, it explains that this is a Trojan horse. But who cares? Anti-virus software is designed to stop Trojans as well. Most people don't care whether it's called a whoosiemagiggee or a thingeemabob: but they know it's bad, and they don't want it on their system. Your critique that people rely too much on antivirus is fine, but if people can't understand from this story the importance of patching, no amount of semantic (and to my mind useless) debate over whether something is a virus or a Trojan is going to advance the public understanding of this problem. What is needed is a more constant drumbeat of the sort Mr. Krebs advocates, emphasizing patch, patch, patch, and I think he accomplishes that in this piece.

Posted by: Anonymous | August 19, 2007 1:11 PM

Patching is key here as it stops a lot of these exploits cold, even if your AV does not detect it. Patching is a very important "layer" of protection!

Another drumbeat that needs to be played constantly: use a non-admin user account (limited user)!!! Again, another important layer of protection.

Problem is many people can't be bothered with this stuff. It's someone else's responsibility to secure their computer! Another example of the lack of personal responsibility in our society. And lack of critical thinking skills in general.

Posted by: TJ | August 19, 2007 8:15 PM

As a non-thinking user with a lot of programs on his machine, patching is a full time job. I'm glad a car is not a computer, yet.

I get fed up with programs that look for updates every 20 minutes at a cryptic IP address, as well as programs that never look for updates. If you don't use a program frequently it is off the radar. If not already, I'm sure someone will exploit the automatic update process.

Even a legitimate update makes me nervous since who knows what is being placed on your machine.

Posted by: Bud | August 20, 2007 9:40 AM

I would agree that this is one of the best security blogs out there, and I appreciate all of the research and information provided by Krebs. People complaining about patching is ridiculous. You have to fill up your car with gas every week, why not spend 30 minutes every week looking for and downloading updates. No one wants to run out of gas, no one wants their computer hacked and identity stolen. Brian, thanks for all you do and for your well written blogs!

Posted by: Donovan | August 20, 2007 10:27 AM

Does anyone know of any programs out there that can simplify the process of searching for updates on all of your programs? I know you can open up your programs and search for updates, but my in-laws have no idea how to do that and they NEVER update their computer. I spent a few hours running updates last week because they were having major issues, and their computer's running fine now. Any programs out there that simplify this process for people scared/lacking the knowledge of updating software?

Thanks.

Posted by: Jon M. | August 20, 2007 11:50 AM

Posted by: me | August 20, 2007 3:10 PM

http://secunia.com/software_inspector/

Will scan your computer and tell you what programs need updates and supply links to the updates.

Posted by: welshlion | August 20, 2007 4:58 PM

Brian gets kudos for posting this 1 day *before* a massive attack that lost 1.6M candidate records.


http://www.theregister.co.uk/2007/08/21/monster_trojan_steals_millions_of_records/

Posted by: Mike S. | August 21, 2007 1:15 PM

HOST INTRUSION PREVENTION. Problem solved (Okay, I will compromise on mitigated rather than solved). Behavior anomaly detection rather than (or in combination with) signature based detection.

Posted by: HIPSter | August 21, 2007 5:33 PM

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company