Hundreds of thousands of job seekers are at risk of being ripped off through a sophisticated scheme concocted by Internet criminals who have penetrated the resume database at Monster.com, one of the nation's largest recruitment websites.
Using e-mail addresses, phone numbers and other personal information harvested from the job-hunting site, the crooks are posing as potential employers or as Monster.com itself in a bid to hustle the victims' bank account numbers and passwords.
The scheme came to light this week after a major computer security firm, Symantec Corp., reported on its website that it had found a hoard of 1.6 million personal records stolen from Monster.com on a computer in Ukraine.
By Wednesday, Monster.com had posted a warning on its online "security center" that scam artists were sending bogus job offers to its users in an effort to get their bank information.
"We're certainly going to try to notify all of our customers," said Patrick Manzo, a Monster.com vice president, who added that Monster had not contacted law enforcement. No arrests have been made; arrests are rare in online break-ins originating overseas.
The security breach is notable because of its complexity and its large size. Average computer users have grown accustomed to ignoring fraudulent come-ons for their bank information that purport to be from the likes of PayPal or CitiBank. But the Monster.com scheme is more convincing because the e-mails sent by the scam artists include personal information about victims' lives such as their cellphone numbers and street addresses.
"They are just trying to make it more legitimate by adding some secret information that they've stolen," said Patrick Martin, a senior product manager at Symantec. "We haven't seen too many like this."
Martin said the job pitches sent by scam artists were especially effective because Monster.com users were hoping to hear from strangers.
In interviews, Monster.com executives did not dispute Symantec's analysis of the multi-stage fraud operation.
Neither Symantec nor Monster.com would release the names of any victims, though Symantec estimated that the cache of records covered several hundred thousand people.
The criminal ring obtained passwords used by employers to search Monster's resume database when looking to fill positions. Those passwords led them to records that included names, e-mail addresses and phone numbers of prospective employees.
At least three types of follow-up e-mails were sent to the job seekers, according to researchers at Symantec. One of the e-mails purports to come from an employer looking to fill a job facilitating money transfers and asks applicants to supply their own bank account information. Symantec said accounts would almost certainly be drained.
Two other e-mails appear to come from Monster.com itself and ask recipients to download an automated "Monster Job Seeker Tool." Clicking on that link can download a program known as a keylogger onto a victim's computer, giving the con artists access to financial account numbers and passwords. It can also download what is known as ransomware, a program that encrypts the user's files and allows renewed access only for a fee.
Users of Monster.com can fill out electronic forms provided by the site or post completed resumes. Using the second method, some job seekers can include Social Security numbers, although Monster.com recommends against doing so. Manzo said it was possible that some of those crucial identifiers had been spirited away by the Internet thieves.
The initial attack echoes the debacle exposed two years ago at ChoicePoint Inc., the massive data broker spun off from one of the major credit bureaus. In that case, a Nigerian crook used a phony business to get information on 145,000 people, some of whom became victims of identity theft. Monster.com, likewise, missed the abuse of its system, perhaps in part because the site requires only a user name and password to log in. Manzo said Monster.com would soon demand more authentication from corporate users.
The follow-on scams aimed at individuals, on the other hand, exemplify a trend toward sophistication that has also targeted users of smaller websites and even employees of a single company. A number of cases investigated by Secure Computing Corp. of San Jose, a tech security firm, are similar to the Monster.com scam, if smaller.
In those incidents, online retailers, including some specializing in electronic goods, had their customer databases breached over the Internet, said Dmitri Alperovitch, principal research scientist at Secure Computing.
Instead of simply maxing out the customers' credit cards, he said, the crooks posed as the online retailers and were able to swindle the victims more than once.
In another technique, scam artists target only one company at a time. That makes it easier for them to pose as a colleague or customer, and it lets them dodge corporate filters, which weed out only malicious programs that have already been widely deployed and identified by security firms.