Monster.com confirmed this week that it took down a portion of its online job search service after attackers hacked the site and used it to feed exploits to visitors.
The company did not, however, explain how the hackers were able to hijack the site.
At the start of this week, researchers began reporting the attacks after detecting IFrame exploits on several Monster.com pages as well as attacks by a multi-exploit hacker tool kit originating from those pages.
By Monday evening, the Monster Company Boulevard, a section of the site that lets job hunters research firms and search for positions by company, was dark. Among the major US companies represented on the Boulevard are Boeing, Dow, Microsoft, Starbucks and Wal-Mart.
Job seekers who used that portion of Monster.com before the site was yanked were attacked by Neosploit, an exploit tool kit similar to the better-known Mpack, said Roger Thompson, chief technology officer at Exploit Prevention Labs. "A typical infective URL was http://company.monster.com/toyfs/, which is Toyota [Financial's section]," said Thompson in an instant message exchange Monday night. "Or http://company.monster.com/bestbuy, which is Best Buy's."
The injection of the malicious IFrame code into the Monster.com site probably happened Monday, he added. "It was interesting that we got five or so hits in the space of a few hours today, but none before that. I think it happened [Monday]," he said.
Like many other IFrame exploits, this one silently redirected users' browsers to another site hosting Neosploit. At least one of the exploit sites Thompson identified has a connection to the notorious Russian Business Network (RBN), the hacker and malware hosting network that recently shifted operations to China, then mysteriously abandoned the IP blocks it had acquired there.
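The injection pattern described here, a tiny or hidden frame pointing off-domain, is something a site owner can scan for in served HTML. The following detector is an added example, not code from the article or from any party it names; the sample page and the `exploit-host.invalid` placeholder are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenIframeScanner(HTMLParser):
    """Collect <iframe> tags that look like injected redirectors:
    zero-size or hidden frames whose src points off the page's own host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.suspicious = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host or host == self.page_host:
            return  # relative or same-host frames are not this pattern
        style = a.get("style", "").replace(" ", "").lower()
        tiny = any(_dim(a.get(k)) <= 1 for k in ("width", "height"))
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.suspicious.append(
                {"src": src, "host": host, "tiny": tiny, "hidden": hidden})


def _dim(value):
    """Parse a width/height attribute such as '0', '1px' or '100%'; unknown -> large."""
    if value is None:
        return 10**6
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else 10**6


def find_hidden_iframes(html, page_host):
    scanner = HiddenIframeScanner(page_host)
    scanner.feed(html)
    return scanner.suspicious


# Constructed sample: a normal company page with one injected 0x0 hidden frame
# that points at a placeholder host (not a real exploit domain).
SAMPLE_HTML = """<html><body><h1>Toyota Financial</h1>
<iframe src="http://company.monster.com/toyfs/jobs" width="600" height="400"></iframe>
<iframe src="http://exploit-host.invalid/in.cgi?3" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML, "company.monster.com"):
        print("suspicious iframe:", hit)
```

Run it against a crawl of your own pages and alert on any hit; an unexpected off-domain hidden frame is the same signal the researchers quoted above were keying on.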
The IP address of the exploit site is assigned to a server in Australia that is part of the "myrdns.com" domain, which, in turn, is registered to a Hong Kong Internet service provider called HostFresh Internet. Both HostFresh and myrdns.com have been linked to RBN activities, including the long-running IFrame Cash scheme, in which RBN pays website owners a commission for injecting IFrame exploits on other sites.
According to an anonymous blogger who tracks the RBN, other myrdns.com/HostFresh IP addresses were involved in the Bank of India hack.
On Monday afternoon, Thompson said he had just started digging into the Monster.com hack. "It is not clear how many pages were affected, but it is likely that the attack was the same for all companies on the site, which might turn out to be a pretty good set of the Fortune 500," he said on his blog.
On Tuesday, Monster.com acknowledged the attacks but downplayed their extent. "A malicious attack inserted code into [some] pages, which could cause certain unprotected computer systems to download a virus," said Steve Sylven, Monster's public relations manager, in an email Tuesday afternoon.
"The virus is detectable by most major antivirus software, and this issue should not affect users running Windows with the most recent security updates from Microsoft. In addition, we believe only an extremely small percentage of those using the site this week were potentially exposed prior to those pages being cleaned."
Monster declined to answer questions about when the attack started, how many pages had been compromised or how the hackers gained entry to the site. It did, however, point a finger of sorts at the RBN, although it did not name it. "Because we believe this malware originated with an online crime group that targets leading web properties, we are providing as much information as possible about this situation to the appropriate law enforcement officials," Sylven added.
Monster.com last made security news in August, when it acknowledged that hackers had looted its database for weeks, perhaps for months, then used that information to craft and send targeted emails that pitched money laundering jobs or tried to trick recipients into downloading malware.
As it did then, Monster said on Tuesday that it is beefing up site security. "We remain committed to protecting our customers and site visitors," Sylven said. "We continue to reinforce our security systems every day as we respond to the constantly shifting security issues on the internet."