The Nation - Online job hunters become the prey - Thieves cull data from Monster.com, then aim for users' bank accounts.
Hundreds of thousands of job seekers are at risk of being ripped off through a sophisticated scheme concocted by Internet criminals who have penetrated the resume database at Monster.com, one of the nation's largest recruitment websites.
Using e-mail addresses, phone numbers and other personal information harvested from the job-hunting site, the crooks are posing as potential employers or as Monster.com itself in a bid to hustle the victims' bank account numbers and passwords.
The scheme came to light this week after a major computer security firm, Symantec Corp., reported on its website that it had found a hoard of 1.6 million personal records stolen from Monster.com on a computer in Ukraine.
By Wednesday, Monster.com had posted a warning on its online "security center" that scam artists were sending bogus job offers to its users in an effort to get their bank information.
"We're certainly going to try to notify all of our customers," said Monster.com Vice President Patrick Manzo, who added that Monster hadn't contacted law enforcement. No arrests have been made, and arrests are rare in online break-ins originating overseas.
The security breach is notable because of its complexity and its large size. Average computer users have grown accustomed to ignoring fraudulent come-ons for their bank information that purport to be from the likes of PayPal or CitiBank. But the Monster.com scheme is more convincing because the e-mails sent by the scam artists include personal information about victims' lives such as their cellphone numbers and street addresses.
"They are just trying to make it more legitimate by adding some secret information that they've stolen," said Patrick Martin, a senior product manager at Symantec. "We haven't seen too many like this."
Martin said the job pitches sent by scam artists were especially effective because Monster.com users were hoping to hear from strangers.
In interviews, Monster.com executives did not dispute Symantec's analysis of the multi-stage fraud operation.
Neither Symantec nor Monster.com would release the names of any victims, though Symantec estimated that the cache of records covered several hundred thousand people.
The criminal ring obtained passwords used by employers to scan Monster when looking to fill positions. Those passwords led them to records that included names, e-mail addresses and phone numbers of prospective employees.
