Would You Like A Job With That Virus?
Cyber crooks are targeting a wave of new attacks at people searching for jobs online, security experts warn. Oddly enough, the criminals behind this scam appear to be just as interested in hiring you as they are in hijacking your PC.
Over the course of the past few weeks, virus writers have set their sights on users of job search giant Monster.com and at least one other jobs site with tainted online advertisements designed to install malicious software on the visitors' machines, according to SecureWorks, an Atlanta-based security and research firm.
SecureWorks says that since May, more than 40,000 people have had their personal information stolen -- including Social Security numbers, bank account data and job site credentials -- thanks to a Trojan horse program that was planted in several advertisements running on the jobs sites. Some of these ads required a visitor to actually click on them before the Trojan could do its dirty work, while in other cases the Trojan appeared to swing into action as soon as the page hosting the ad was served, researchers found.
SecureWorks researcher Don Jackson said the Trojan was developed using a toolkit sold in black market forums under the name "icepack." The toolkit is similar to the Mpack toolkit that surfaced earlier this year. It generates Trojans that probe for the absence of several software security updates, holes that then permit the program to deliver its viral payload. Among the many weapons in its arsenal are exploits for recently patched security vulnerabilities in Apple's QuickTime and Microsoft's Windows Media Player. It also includes exploits for multiple Web browsers, including Internet Explorer, Firefox and Opera.
SecureWorks classifies the Trojan as a variant of the Prg Trojan, a fast-evolving piece of malware that appears to have been developed in tandem by different criminal groups. Secure Science Corp., the San Diego company that first spotted the Prg Trojan in late 2006, has a very detailed analysis (PDF) of the way it operates and some theories about its creators.
Anti-virus maker Symantec Corp. has been monitoring the attacks, which the company attributes to a Trojan its software recognizes as "Infostealer.Monstres." According to Symantec, the malware steals sensitive data posted by victims to Monster.com and then relays that information to a Web site controlled by the attackers. The Trojan also directs a victim's PC to blast out junk e-mail.
Symantec's advisory doesn't say what that spam looks like, but SecureWorks's Jackson said the junk e-mails are typical work-at-home scams that include the Trojan as an attachment.
Part of the reason employment forums are being targeted may be that job search sites have truly massive numbers of visitors each day. But there appears to be another angle in play here: The scammers really are trying to recruit new employees.
Work-at-home scams propagated through e-mail are almost always recruitment schemes run by organized criminal groups. The groups typically troll job boards and forums looking for potential "mules," people who agree -- sometimes unknowingly -- to launder stolen funds or reship commercial goods on behalf of fraudsters.
Mule recruitment is an integral part of any modern cyber crime operation. Money transferred directly from a victim to an account controlled by criminals is easily traced by banks and law enforcement, so the mules serve as a vital buffer (they also almost always eventually get caught). Scam artists also launder money by purchasing electronics and other high-end items with stolen credit cards. But since retailers and credit card companies typically block transactions on items destined for regions of the world where e-fraud is extraordinarily high (think parts of Eastern Europe and North Africa), mules often agree to receive the merchandise on behalf of the fraudsters, and then forward the items overseas.
Recently, Security Fix stumbled across data indicating that criminal groups behind the Storm worm -- without a doubt the most prolific e-mail worm to surface in the past two years -- also are actively using their network of infected machines to recruit mules (Storm-infected PCs are the primary driver behind the recent massive spike in virus-infected e-greetings cards).
One security expert, who maintains a group of Storm-infected machines to monitor the spam and other criminal activity taking place over the network, said criminals were using the network of infected machines to blast out work-at-home spam from newly registered Hotmail and Gmail accounts. The source said he saw e-mails flowing over the network apparently from dozens of people responding to these work-at-home mule recruitment scams.
Monster.com officials could not be immediately reached for comment. I will update this post in the event I hear back from them.
In the meantime, if you're a regular user of jobs sites -- or, really, a regular user of the Internet -- make sure you have updated your computer with all the latest software patches. And never respond to solicitations sent to you in e-mail from an unverified source, and know that responding to spam messages is a bad idea, period.