For the second time in three months Monster.com has been hacked. Unlike the episode in late August when thieves gained access to personal information, this time the hack was intended to install malicious software on computers used by visitors to the site.
Somehow, hijackers gained access Monday to some of the pages on Monster Company Boulevard, an area where employers post corporate profiles. Code was surreptitiously installed on pages featuring Eddie Bauer, Toyota Financial Services and Best Buy, among others. Visitors to these pages were then unknowingly redirected away from Monster to a site that attempted to install software by exploiting weaknesses in the user’s browser and operating system.
Roger Thompson, chief technology officer at Exploit Prevention Labs, was among the first security experts to discover that pages on the Monster site had been hijacked. He posted a note about it on his blog Monday and credited Monster with taking Monster Company Boulevard offline. That part of the site was dark for several hours while Monster’s engineers worked to cleanse it of the malicious code.
Thompson was quoted in tech publications as explaining that his company detected the hijacking of Monster pages through data sent back by its LinkScanner product, which warns users when the Web page they are on may contain malicious code. The malicious software was identified as NeoSploit, so well encrypted that Thompson says it will take time to determine exactly what it is designed to do.
Generally, NeoSploit finds weaknesses that make it possible for hackers to install a program on the victim’s computer. Some of these programs may send back data such as sites visited and logins and passwords. This information can be used by hackers to loot accounts or set up phony identification. In other cases, the installed software lies dormant until triggered, at which time it may take over the computer to send out thousands of messages or requests for a certain webpage in what is known as a Denial of Service attack. Such attacks can be used to demand payment from the website owner.
Adds Sylven, “Because we believe this malware originated with an online crime group that targets leading web properties, we are providing as much information as possible about this situation to the appropriate law enforcement officials.”
Some online computer security publications have linked the Russian Business Network (RBN) to at least one of the sites to which users of the hijacked Monster pages were sent. The RBN is an online crime group.
In August, after security experts began reporting the breach, Monster admitted that as many as 1.6 million users of the site may have had contact information stolen. The thieves used the contact information to send hundreds of thousands of emails that appeared to come from the job board. In some cases the emails asked users for sensitive information; in others they directed users to a look-alike Monster site where they were asked to download software that turned out to be malicious.