Tuesday, September 4, 2007

USAJobs.gov Hit By Attack On Monster.com


USAJobs, the official job search site for the federal government, said Wednesday that more than 146,000 users had their account information stolen as a result of an attack on job search giant Monster.com earlier this month.


In mid-August, attackers compromised Monster.com accounts, gaining access to the company's resume database. With the help of a Trojan horse program targeted at Monster.com users, the attackers made off with the name, address, telephone number, and email address of at least 46,000 Monster.com users. Anti-virus giant Symantec later stated that as many as 1.6 million people may have had their information stolen in the attacks, which used e-mails that addressed recipients by their real names.


A snapshot of the letter Monster.com mailed to users affected by the attack.

Turns out that Monster Worldwide is the technology provider for USAJobs, which is run by the U.S. Office of Personnel Management. Peter Graves, an OPM spokesperson, said 146,000 USAJobs users were affected by the Monster.com attacks. Graves said OPM has received assurances from Monster that Social Security numbers were not compromised.


OPM is in the latter stages of alerting all two million USAJobs.gov users to be on the lookout for phishing scams that might try to take advantage of the stolen data to make their scam e-mails appear more legitimate. Graves said the first signs of the attack surfaced in July, after the organization received a complaint from a USAJobs user.


USAJobs users who receive a suspicious e-mail regarding a search are advised to forward it with the full header information to mayday@fedjobs.gov.


While it's nice to hear that Social Security numbers were not compromised in this attack, it's important to note that even an attack that compromises only names and e-mail addresses can be extremely useful for attackers in future scams. In April, Security Fix wrote about a highly successful phishing attack against Indiana University employees that was later determined to have been aided by a previous attack in which scammers made off with an e-mail address list of some 24,000 IU students and faculty. That attack netted up to 80 victims (while most phishing scams are spammed out to many thousands or millions of people, experts say it is unusual for scammers to haul in more than a few dozen victims).



