Worst Ever: Monster of a Breach

Monster.com attack holds bigger implications than meets the eye

October 2007
At first, the latest attack on Monster.com seemed like a simple little story. On Aug. 17, the company was notified that hackers accessed computers belonging to hundreds of thousands of its users, encrypted their files, and audaciously demanded $300 to unlock them. The headline was obvious: "High-profile employment website used for file ransom!"

For most media outlets, that was the beginning and end of the story. But strange details lingered. Prevx, the England-based Internet security company that discovered the attack, mentioned that huge corporations and American government agencies were somehow involved. Jacques Erasmus, director of research at Prevx, told anyone who would listen that this seemingly small computer breach was actually "the worst attack I have ever seen."

What Erasmus discovered, and what most news outlets failed to report, was a massive and sophisticated scheme that included stolen access to hundreds of thousands of private bank and credit accounts. It also may have compromised secure computer systems at the U.S. Department of State and major government contractors. This was smarter and more complex than many of the attacks that have come before—and was proof that the art of launching malicious online attacks had evolved.

Worse, most of the public agencies and corporations affected by the attack ignored warnings about the danger. "They pretty much blew us off," Erasmus says.

And here's the scary thing: The attack is continuing right now.

Anatomy of a scam
The first step in any scam is to find victims. This is where the criminals in the Monster.com fraud truly excelled. They exploited a weakness in the computer system that recruiters use to log in to Monster.com and search for potential job candidates.

"There was a flaw in Monster's system where it was quite easy to access their information," says Erasmus.

Monster.com did not return several phone calls seeking comment for this story.

Armed with access to recruiters' online accounts, the scammers attacked in two directions at once: individual job seekers, and the giant government and corporate entities those people worked for.

Job seekers beware
Using stolen usernames and passwords, the scammers logged onto Monster.com's databases, posed as recruiters, and searched large numbers of resumes without setting off Monster's alarms. They stole 1.3 million pieces of information belonging to hundreds of thousands of users, Erasmus says, including names, email addresses, home addresses and Social Security numbers.

Included in the results were hits from USAJobs.gov, the database belonging to the Office of Personnel Management, which hires workers for many federal agencies. Monster.com runs the website, said Peter Graves, spokesman for the office. According to Graves, of the two million people with resumes on USAJobs.gov, 146,000 had their personal information stolen in the attack. Social Security numbers were encrypted, which hopefully prevented them from being accessed, he added.

Next, the bad guys created an email message crafted to appear as though it came from Monster.com. Unlike many phishing messages, this one was well-written. It contained a convincing copy of Monster.com's logo and included hyperlinks to real websites maintained by Monster.

The only fake link was one described as a "job seeker tool." In fact, this was a Trojan horse. Clicking on it would download a small piece of software that scanned the victim's computer to see which operating system and antivirus programs the computer was running. Then, like an army scout whistling for the cavalry, the program invited larger Trojans designed to evade that computer's specific security settings.
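The lure described above worked because one hostile link sat among genuine Monster.com links and the company's real logo. The following Python script is an added example written for this page, not code from the article, from Prevx or from Monster: it pulls every anchor out of an HTML message and flags the ones a mail filter or a careful reader should distrust. It goes a little beyond the article's single case by also catching links whose visible text names a different host than the href actually targets, and links that point at a bare IP address. The sample message is constructed for the example (203.0.113.7 is a reserved documentation address and "monster-careers.example" is a made-up domain), and the "last two labels" rule for the registrable domain is a simplification of the public suffix list.

```python
"""Flag links in an HTML e-mail that do not belong to the claimed sender.

Added example, not from the original article. Assumptions are noted inline.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host-like tokens in visible link text, e.g. "www.monster.com" in "www.monster.com/login".
_HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)
# Dotted-quad IPv4 literal used as a link host.
_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable(host):
    """Crude registrable domain: keep the last two labels ('my.monster.com' -> 'monster.com').
    Assumption: good enough for .com-style names; production code would consult the
    public suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body, claimed_domain):
    """Return [(href, visible_text, reasons)] for anchors that merit distrust.

    A link is flagged when its host is a bare IP address, when its registrable
    domain differs from the domain the message claims to come from, or when the
    visible text names a host other than the one the href really targets.
    mailto: and relative links carry no host and are not judged here.
    """
    parser = _AnchorCollector()
    parser.feed(html_body)
    parser.close()
    claimed = registrable(claimed_domain)
    findings = []
    for href, text in parser.anchors:
        host = urlparse(href).hostname or ""
        if not host:
            continue
        reasons = []
        if _IP_RE.match(host):
            reasons.append("link target is a bare IP address")
        elif registrable(host) != claimed:
            reasons.append(f"link host {host} is outside {claimed}")
        named = {registrable(m) for m in _HOST_RE.findall(text)}
        if named and registrable(host) not in named:
            reasons.append(
                f"visible text names {', '.join(sorted(named))} but link goes to {host}"
            )
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


# Constructed sample lure: real-looking Monster.com links plus one look-alike
# domain and one "job seeker tool" download hosted on a bare IP address.
SAMPLE_EMAIL = """<html><body>
<img src="https://www.monster.com/logo.gif" alt="Monster">
<p>Dear job seeker,</p>
<p>Visit <a href="https://www.monster.com/jobs">Monster.com</a> to update your
<a href="https://my.monster.com/resume">resume</a>.</p>
<p>Confirm your account at <a href="http://monster-careers.example/login">www.monster.com/login</a>.</p>
<p>Download our new <a href="http://203.0.113.7/tool.exe">job seeker tool</a>.</p>
<p><a href="mailto:support@monster.com">Contact us</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, text, why in suspicious_links(SAMPLE_EMAIL, "monster.com"):
        print(f"{href!r} ({text!r}): {why}")
```

Run as a script, it prints the two hostile anchors and the reason for each, while the genuine Monster.com links and the mailto: address pass. The same routine can sit in front of a mail gateway or a user-facing "preview this message" tool; the point it makes is that trust in a message should be decided per link, since an attacker can pad the body with as many genuine links as they like.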

"We call this a staged downloader," says Zulfikar Ramzan, senior researcher on the advanced threat research group at Symantec, the antivirus software company. "The leading edge of the attack is very narrow, and then you build from there."

One of the programs included ransomware. Once downloaded, it encrypted files on the computer, then sent an e-mail demanding the victim pay a ransom or the files would be deleted. The scammers signed off using a swashbuckling name: "The Glamorous Team."

It's unknown whether anyone actually paid the ransom, or how many people have been affected by locked files. Researchers at Prevx tried unlocking the files, which proved nearly impossible because the program used double-encryption. "Which is not very nice," Erasmus says.

It's easy to see why file ransom attracted so much attention. Having personal files held for ransom is a terrifying but easy-to-understand threat. And in this case it targeted users of a high-profile website. But since the first case was discovered in May 2005, file ransom never caught on as a popular tool among thieves. For one, very few victims actually pay the ransom. Also, thieves must establish a means to receive the money, leaving behind a trail of records that could expose them.

"File ransom is difficult to do in bulk, so there's a pretty low return on investment," says Don Hubbard, vice president of security and research at WebSense, a San Diego computer security company.

A quieter but far more powerful part of the Glamorous Team's scheme was to secretly download programs that record victims' keystrokes, Erasmus says. Whenever victims logged into their credit card or banking accounts online, the thieves watched over their shoulders, recording usernames and passwords. The thieves might have bundled these together with other identity information and sold it to other criminals on the black market, Ramzan says. Or they may have kept all the information to steal money from bank accounts, make purchases using victims' credit cards, and open new bank accounts in victims' names.

"They got enough information to do a lot of damage," says Ramzan.

Also part of the package: recruitment
The purpose of these schemes may be apparent in the Glamorous Team's last consumer-oriented scam: posting ads on Monster.com to recruit "money mules"—people willing to launder stolen money. The ads called these workers "Transfer Managers" and boasted, "What we offer you is something more than just a job—it's the opportunity to earn really big money without having to work much. This job is not a full-time one—you can work from 9 to 5 at some other place and use our service as a source of extra cash—a lot of extra cash we should say."

Applicants handed over their Social Security numbers and bank account information, Ramzan says. But the truly suspicious part was the requirement that applicants open a new account at Bank of America. Mules would receive money from online funds transfers, deposit it in their new bank account, withdraw most of it and send it to the thieves via Western Union, Hubbard says, keeping a portion for themselves.

Of course, when the bank discovers it's been had, it's the mules, not the thieves, who are left holding the bag.

"You'd have to be really naive to be doing that and not think you're doing something wrong," Hubbard says.

The fact that the Glamorous Team recruited money launderers suggests they probably plundered victims' accounts themselves, instead of selling account information to others, Ramzan says.

"When you see a mule scheme, it's an indication that there's been a lot of money stolen from other schemes that needs to be laundered out of the system," says Ramzan.

Glamorous? Maybe. Computer geniuses? Not quite.
Given the sophistication of this attack, it would be easy to assume that the Glamorous Team includes some of the smartest computer programmers in the world. In reality, the software used in the attack was relatively basic.

"I can just send it to you and hope that you open it up," says Ramzan. "That's much simpler than trying to get around your firewalls."

The Glamorous Team also made a major mistake: They forgot to secure their own server. That allowed Prevx to follow the stolen documents to their final destination and observe the types of information the hackers had gained access to.

"That was just a dumb blunder," Erasmus says.

The Glamorous Team was sophisticated in other ways, however. First, bundling so many different scams together was relatively unusual, although Internet security researchers say it's part of a growing trend.

"We call this a blended threat," says Latanya Sweeney, computer science professor at Carnegie Mellon University. "It's becoming increasingly common."

Second, the attack involved a sophisticated play on human emotions. Recruiters using Monster.com receive hundreds of resumes each day by opening attachments, which makes them vulnerable to attacks involving downloads, Ramzan says.

Job seekers also make vulnerable marks. "If someone is really unhappy with their job or without a job, they may not even think about the risks [of downloading unknown software] because the potential opportunity may outweigh it," says Dorothy E. Denning, professor of computer science at the Naval Postgraduate School.

Hitting vulnerable people with sophisticated e-mails, the Glamorous Team convinced 20 percent of their targets to download Trojan software, an almost unheard-of success rate (in most scams, a two-percent conversion rate is considered successful, says Erasmus). That meant that they could infect about 14,000 computers with Trojans using approximately 70,000 emails, rather than the millions that would be required in a traditional scam. This low email volume allowed them to operate underground for weeks before being discovered.

The worst may be yet to come
While the individuals affected by the Monster attack have gotten the most media attention, the Glamorous Team had even bigger targets: some of the largest corporations and government agencies in the United States. What made these titans vulnerable? Their own dissatisfied workers.

Researchers at Prevx have files, obtained from the Glamorous Team's unprotected server, showing exactly which computers were accessed. They know that some of these machines had keystroke-stealing software secretly installed. But most of the companies, and all of the government agencies, never even bothered to ask which computers were compromised.

"Most of them just told us to get lost," Erasmus says.

All of the recruiters targeted in the attack, and most of the people applying for jobs, accessed Monster.com using their work computers, Erasmus says. If they clicked on the Glamorous Team's Trojan, they automatically downloaded software that captured their keystrokes, including passwords to secure intranets and databases. Those government and corporate computer systems may or may not have tools to identify and shut down such an attack. With the exception of USAJobs.gov, none of the entities affected agreed to speak with Identity Theft 911.

Victims worked at huge government agencies, including the U.S. Department of State and the federal Department of Transportation, as well as some of the nation's largest defense contractors, including General Dynamics and Hewlett-Packard. Which means that when those workers left Monster.com, the Glamorous Team could have recorded their usernames and passwords as they logged into some of our nation's most sensitive military and intelligence databases and intranets.

This represents a potentially huge breach of national security. But so far, the government and its contractors refuse to discuss it. Four computers were infected at Booz Allen Hamilton, a major government contractor specializing in military and intelligence projects, according to files retrieved from the Glamorous Team's server. It's unknown whether the hackers were able to record keystrokes as the company's employees logged into sensitive computer systems.

"We just don't talk about our information security events at all," company spokesman George Farrar said in response to Identity Theft 911's request for information.

Not all of the hacked computers belonged to government agencies or contractors. A General Dynamics employee was witnessed filling out his passport application online, Erasmus says. The Glamorous Team successfully downloaded malware onto computers belonging to American Airlines, Unisys and Partners Health Care.

"I remember American Airlines said, 'If we can find time we'll call you, but don't hold your breath,'" Erasmus said.

Based on the information on the team's server, Erasmus couldn't tell which type of attack was launched against employees at American Airlines or any other company. But he did determine that the Glamorous Team gained access to an Office Max intranet, allowing them to pose as an Office Max store and order merchandise from the company's warehouses.

"The CIO at Office Max was quite shocked," Erasmus says. None of the companies involved returned calls seeking comment.

Nor were the federal agencies forthcoming about the attack. The State Department and the Department of Transportation "did not take our calls seriously," says Erasmus. "They said they didn't have any knowledge of any systems that were breached." Neither agency returned calls for this story.

Gone, but not finished
The Glamorous Team is no longer targeting job seekers on Monster.com, Ramzan says. The stolen and encrypted data from their unsecured server has been reclaimed, and the server was shut down by Yahoo.

But the attack continues, says Erasmus. The Glamorous Team continues to send out bundles of Trojan software, mostly using porn sites. And we still don't know how the team plans to use its stolen access to sensitive government and corporate computer systems. Are they waiting for the right time to strike? Are they right now—today—designing sophisticated scams to steal sensitive government information?

No one knows. We do know that the Glamorous Team is sophisticated, audacious and fearless. And, by all appearances, the U.S. government and major corporations are not taking the threat seriously.

More alarms ignored
The attack by the Glamorous Team also highlighted the inadequacies of our overburdened online security system, which is mostly handled by the large antivirus companies such as Symantec and McAfee. Each company employs hundreds of researchers like Ramzan, whose job is to analyze all the new programs distributed over the Internet every day and search them for malicious code. Most teams have about 200 people, Erasmus says, and they receive 12,000 files a day.

They simply can't keep up. "It took Symantec three days to detect [the Glamorous Team virus] even after we sent them samples," Erasmus says. "There are too many malware files being produced daily. They can't handle everything, so there's a massive backlog."

Most people in the antivirus industry predict that the number of malicious applications being written and introduced every day will multiply in the next year to 18 months. No one knows how the industry will change to meet that rising challenge. In the meantime, more people will become victims of highly sophisticated scams, partially because their antivirus software cannot handle the load.

"I think the change will be accelerated by people saying, 'Why the hell am I spending $90 a year for something that doesn't even work?'" says Erasmus.

Protect yourself from online attacks

It's simple to protect yourself from the next Glamorous Team attack by following these rules:

  • Be extremely cautious when you download files. Most corporations have stopped asking people to open unsolicited e-mails to download programs. If a company sends you an e-mail asking you to do this, call them first to make sure it's legit. Unfortunately, the same rule applies to e-mails from friends, since hackers often hijack personal computers to send spam.
  • Regularly back up all of your files. USB drives and blank CDs are cheap. Take half an hour to copy your files onto one.
  • If you do become the victim of an online scam, odds are you're not the only one. Go online to find advice on what to do. It's possible that a company like Prevx or WebSense already has created a program to fix the problem.

©2003-2010 Identity Theft 911, LLC. All rights reserved.
