Why the Monster Breach Matters

In ailing economy, job-seekers make good “phishing” targets

January 2009
 
Unlike many corporate data breaches, Monster.com’s most recent loss of sensitive consumer information didn’t involve credit card, debit card or Social Security numbers. The crooks got away only with some basic contact and login info: names, home addresses and telephone numbers, as well as usernames and passwords for the Monster site.
   
But don’t breathe a sigh of relief just yet. In an ailing economy, the hackers managed to obtain information that could lead to a more unconventional payday.  While corporate officials haven’t yet put an official tally on the number of users whose information was stolen, one spokeswoman has alluded to the possibility that it consisted of Monster’s entire user base. With so much targeted information at their disposal, the hackers behind the Monster breach have an opportunity to kick their plan into a more lucrative second phase, one that could involve any of a number of feats of social engineering.
   
How might that be done?
Let’s look back at an earlier breach as a model: one involving none other than Monster.com. Back in August 2007, hackers managed to obtain e-mail addresses belonging to hundreds of thousands of the job site’s users. They copied Monster’s logo and sent victims official-looking e-mails that appeared to be coming from the company. This fraudulent correspondence contained links that installed malware on victims’ computers; one such piece of malicious software, known as “ransomware,” encrypted files and demanded money in exchange for access to users’ data.
   
Monster is aware of the dangers of an ensuing social engineering attack. As a precaution, on Jan. 28 it began requiring all site users to change their password upon site login. “We want to remind you that an email address could be used to target ‘phishing’ emails,” Senior Vice President Patrick Manzo wrote in a Jan. 23, 2009 statement. “Monster will never send an unsolicited email asking you to confirm your username and password, nor will Monster ask you to download any software, ‘tool’ or ‘access agreement’ in order to use your Monster account.”
   
What about those who may not have heard about the breach in the news or on the company’s web site? Citing a fear of providing an e-mail “template” to would-be phishers, Monster has declined to notify users individually. It seems like that would leave plenty of unsuspecting victims who, in the midst of an economic crisis, would be especially eager to open e-mails coming from a job-hunting web site.
 
What can consumers do to protect themselves?

Here are Monster.com’s suggestions: 

•    Go to Monster.com and change personal passwords.

•    Do not respond to unsolicited e-mails regarding password changes from Monster (a password change should only come as the result of a visit to Monster’s site).

•    Do not download any software “tools” or “access agreements” purporting to come from Monster.

Additionally, Identity Theft 911 recommends the following:

•    Ensure that your computer’s anti-virus software is up to date; scan regularly for malware or viruses.

•    Regularly back up your work. In the long run, doing so is inexpensive and time-efficient compared to having your files potentially hacked into and taken for ransom.

•    If you receive what you suspect is a spoofed e-mail, contact the actual company that you believe has been spoofed, and inform them.  That way, they can alert other consumers to the specific tactics employed by the scammers, and take steps to block such efforts.

•    If you have given any financial information to an unknown source, notify your banking or credit institution of potential fraud.  Monitor your accounts closely for any fraudulent activity.

•    If you have evidence of falling victim to fraud, file a report with your local police.

©2003-2010 Identity Theft 911, LLC. All rights reserved.
