Security Incident
Incident: Monster.com (Confidential information of 1.3 million job seekers stolen and used in a phishing scam)
Date of incident: August 2007
Incident background: The US recruitment site’s password-protected resume library was broken into using two servers of a web hosting company and a group of compromised personal computers. Job seekers’ information was stolen and used by the perpetrators to send phishing e-mails seeking victims’ personal financial data and to deliver malicious software.
Analysis:
1) Information assets affected:
- Two servers of a web hosting company in Ukraine and a group of personal computers that the hackers controlled after infecting them with malicious software
- Resume library/database of Monster.com, which the hackers accessed illegally using stolen login credentials (Monster.com user IDs and passwords)
- Personal information of job seekers such as names, e-mail addresses, birth dates, gender, ethnicity and, in some cases, users’ states of residence, which was captured and uploaded by the hackers to a remote server
- Personal computers of users/victims/phishing targets, which were infected with malicious software; victims were then blackmailed into revealing financial information such as bank account numbers and into paying ransom demands, or risk deletion of important data on their computers
2) Vulnerabilities:
- Storing sensitive user information such as passwords in an unencrypted (plaintext-equivalent) format in web databases
- Lack of security measures and upgrades despite previous attempts to hack into the database
- Lack of secure coding standards and unwillingness to take security of users’ personal information seriously
- Lack of endpoint protection, complex passwords, password policies, intrusion prevention/detection and security monitoring
- No security audit of the Monster.com web infrastructure
3) Threats:
- The ‘Change Password’ feature did NOT ask for the user’s old password, so anyone who found an open session, e.g. in an internet cafe, could change that user’s password and hijack the account
- Poor interface design, programming (input validation) and notifications, which the perpetrators targeted to steal users’ data and login credentials
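The password-change weakness and the plaintext-equivalent password storage from the vulnerabilities list above, shown side by side in an added example (not Monster.com’s code; the in-memory user and session tables are an assumption standing in for a real database): the vulnerable handler trusts a live session alone, while the hardened one re-verifies the current password against a salted hash and revokes the user’s other sessions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for the site's user table and
# session table (assumption: not Monster.com's real schema).
USERS = {}     # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}  # session id -> username

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 instead of plaintext-equivalent storage: a leaked
    # database row no longer yields a usable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}

def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["hash"], hash_password(password, user["salt"]))

def login(username: str, password: str):
    if not verify_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def change_password_vulnerable(session_id: str, new_password: str) -> bool:
    # Mirrors the flaw above: holding a live session is all that is required.
    username = SESSIONS.get(session_id)
    if username is None:
        return False
    set_password(username, new_password)
    return True

def change_password_hardened(session_id: str, current: str, new: str) -> bool:
    username = SESSIONS.get(session_id)
    # Re-authenticate with the current password before accepting the change.
    if username is None or not verify_password(username, current):
        return False
    set_password(username, new)
    # Revoke every other session of this user so a hijacker is logged out too.
    for sid in [s for s, u in SESSIONS.items() if u == username and s != session_id]:
        del SESSIONS[sid]
    return True
```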
4) Impact:
- Resume data belonging to 1.3 million job seekers who had uploaded it to Monster.com was compromised
- Victims of the phishing attack were held to ransom and threatened with deletion of the data on their infected personal computers unless they paid
- Monster.com lost between 200 and 300 job seekers and some employers’ accounts due to the issue
- Damaged brand reputation and monetary losses
5) Existing safeguards or controls:
- Monster keeps the personal information that the user provides until the user asks for it to be deleted, or deletes it periodically if the user has not logged into the account for three years or more
- Users can select privacy settings to determine how much personal information from their resume they want displayed publicly
- Conducting a comprehensive review of internal processes and procedures and working with law enforcement officials and appropriate regulatory agencies
- Proactively reaching out to all users who have resumes posted online to inform them about preventative measures that they can take to protect themselves from online fraud
- Implementing new robust capabilities for worldwide monitoring and surveillance of site traffic. Reviewing and tightening all site access policies and controls. Launching a series of targeted initiatives to protect job seeker contact information
6)
a) How was the issue tackled?
The company first learnt of the incident when investigators from Internet security company Symantec Corp (SYMC) told Monster that it was under attack. After its investigation, the Monster security team located the rogue servers and got the web hosting company to shut them down. After learning that the hackers were also using the captured information to send phishing e-mails, Monster put a notice on its website warning users that they might be the target of e-mail scams. Monster also posted letters to the 1.3 million affected users, in case users were wary of opening e-mail from the company after the breach, and deleted the user accounts that had been used for illegitimate access.
b) Suggested controls
To protect identity when using recruitment sites, or at least to limit exposure to identity theft:
- Users should limit the contact information to be posted online
- Users should use a separate, disposable email address
- Users should never disclose sensitive details such as social security number, passport or driver’s license numbers, PAN, bank account information, etc. to prospective employers until it is established that they are legitimate
For the site or service provider, it is important that they:
- Have security controls in place at the network and application level and make sure that applications exposed on the Internet are monitored for any misuse
- Ensure that they educate the users of their site on what communications will officially come from them as the site provider
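One concrete form of the application-level monitoring suggested above, as an added example that is not part of the original analysis: the breach used stolen credentials driven from many controlled machines to pull resumes in bulk, so a sliding-window check over resume-library access logs flags accounts that view far more resumes, or from far more source addresses, than a legitimate recruiter would. The log format, account names and thresholds are constructed assumptions, not Monster.com’s.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a resume-library access log (assumed format; not real data).
SAMPLE_LOG = """\
2007-08-17T10:00:01Z account=acme_hr ip=203.0.113.5 action=view_resume id=1001
2007-08-17T10:00:09Z account=acme_hr ip=203.0.113.5 action=view_resume id=1002
2007-08-17T10:00:10Z account=bulkco ip=198.51.100.2 action=view_resume id=2001
2007-08-17T10:00:11Z account=bulkco ip=198.51.100.3 action=view_resume id=2002
2007-08-17T10:00:12Z account=bulkco ip=198.51.100.4 action=view_resume id=2003
2007-08-17T10:00:13Z account=bulkco ip=198.51.100.2 action=view_resume id=2004
2007-08-17T10:00:14Z account=bulkco ip=198.51.100.5 action=view_resume id=2005
2007-08-17T10:00:15Z account=bulkco ip=198.51.100.6 action=view_resume id=2006
2007-08-17T10:30:00Z account=acme_hr ip=203.0.113.5 action=view_resume id=1003
"""

def parse_line(line):
    # "<timestamp> key=value key=value ..." -> dict with a parsed datetime.
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_bulk_access(log_text, window=timedelta(minutes=10), max_views=5, max_ips=3):
    """Return {account: reason} for accounts whose resume views inside any
    sliding window exceed max_views, or arrive from more than max_ips
    distinct source addresses (many controlled machines sharing one login)."""
    recent = defaultdict(deque)  # account -> deque of (ts, ip) still inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "view_resume":
            continue
        q = recent[rec["account"]]
        q.append((rec["ts"], rec["ip"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()  # drop views that have aged out of the window
        ips = {ip for _, ip in q}
        if len(q) > max_views:
            alerts[rec["account"]] = "volume: %d views in %s" % (len(q), window)
        elif len(ips) > max_ips:
            alerts[rec["account"]] = "spread: %d source IPs in %s" % (len(ips), window)
    return alerts
```

Thresholds should be tuned per account type; a volume alert on a recruiter account is a trigger for session revocation and credential reset, not an automatic ban.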
Name: Akshay Deshpande
About the author: Akshay is currently pursuing his MBA in IT Business Management at SCIT, Pune