[an error occurred while processing this directive]
Low graphics|Accessibility help
BBC News
watch One-Minute World News
News Front Page
Africa
Americas
Asia-Pacific
Europe
Middle East
South Asia
UK
Business
Health
Science & Environment
Technology
Entertainment
Also in the news
-----------------
Video and Audio
-----------------
Programmes
Have Your Say
In Pictures
Country Profiles
Special Reports
RELATED BBC SITES
Last Updated: Tuesday, 21 August 2007, 10:01 GMT 11:01 UK
E-mail this to a friend Printable version
Monster attack steals user data
Monster
Monster is a leading online jobs service
US job website Monster.com has suffered an online attack with the personal data of hundreds of thousands of users stolen, says a security firm.

A computer program was used to access the employers' section of the website using stolen log-in credentials.

Symantec said the log-ins were used to harvest user names, e-mail addresses, home addresses and phone numbers, which were uploaded to a remote web server.

The stolen data could be used to send phishing and spam e-mails.

"This remote server held over 1.6 million entries with personal information belonging to several hundred thousands of candidates, mainly based in the US, who had posted their resumes to the Monster.com website," reported Symantec.

Security breach

The firm has contacted Monster.com to inform them of the security breach.

Symantec said it had seen reports of phishing e-mails sent out to Monster.com users which were "very realistic" and contained "personal information of the victims".

The e-mail encouraged users to download a Monster Job Seeker Tool, which was in fact a program that encrypted files in their computer and left a ransom note demanding money for their decryption.

"To the best of our knowledge, this is not a hack of Monster's security, rather, legitimate customer credentials are being used to log in to the database," said Patrick Manzo, vice president of compliance and fraud prevention at Monster.

He added: "There have been reports of this as an issue of identify theft.

"We are not aware of any cases of identity theft. In fact, the information that is gathered from Monster is no different than that displayed in a phone book."

The program used to access Monster.com user data was a Trojan, which are commonly used to gain access to bank details, usernames and passwords.

More than 8,000 new variants of Trojans are found each month, according to internet security specialists Sophos.

Last year, a British nurse was blackmailed by hackers who had used a Trojan to access her personal e-mails.

They threatened to reveal personal details unless she paid them.

Symantec said users should always limit contact information posted to job websites and to use a disposable e-mail address.

"Never disclose sensitive details such as your social security number, passport or driver's license numbers, bank account information to prospective employers until you have established they are legitimate," said the firm.

E-mail this to a friend Printable version

SEE ALSO
Woman targeted by web hackers
31 May 06 |  Manchester
Extortion virus code gets cracked
01 Jun 06 |  Technology
Watching out for Trojans
27 Jun 07 |  UK
Hi-tech crime: A glossary
05 Oct 06 |  UK
Trojan holds PC files for ransom
25 May 05 |  Technology

RELATED INTERNET LINKS
Symantec response to Monster attack
Monster
Monster Security Centre
The BBC is not responsible for the content of external internet sites

TOP TECHNOLOGY STORIES
US lifts lid on WikiLeaks probe
Bing gains market share in search
'Virtual human' makes Xbox debut


FEATURES, VIEWS, ANALYSIS
Horses sculpture in memory of Genghis Khan, Ordos, Inner Mongolia Ghost town
Has China's housing bubble burst?
Afo - the world's oldest clove tree The guerilla plant
How the world's oldest clove tree defied an empire
Sergei Polunin Walking away
Why Royal Ballet principal Sergei Polunin quit

PRODUCTS & SERVICES

Americas Africa Europe Middle East South Asia Asia Pacific