Companies that are recruiting new employees are being targeted through Monster Jobs. The bad guys are using malware called Gameover Zeus, security firm F-Secure reported in a blog post, which mentioned that the attack started with CareerBuilder and has since been expanded to Monster.
The attack comes in two stages. First, a spear phishing attack takes over the workstation using social engineering and infects the machine with the Gameover malware. Gameover grabs information from website forms, very much like a keylogger, so usernames and passwords are stolen as they are typed.
In the second stage, the bad guys try to get the user to hand over whatever information they are still missing to take complete control of the account. They use a bogus security check form and ask for the answer to a security question.
It is obvious that the bad guys are specifically targeting HR departments, for two reasons:
- Take over their workstations, penetrate the HR software and implant phantom employees, so that they can cash in on the payments made to these fake employees.
- If the account is tied to a bank account and has a spending budget, it is a target for banking Trojans.
People in HR who use Monster and CareerBuilder should keep an eye out for red flags related to these websites and get effective security awareness training. Dell SecureWorks counted 24,000 Gameover bots in July 2012. It would also not hurt if both sites implemented two-factor authentication.