Monster.com Unknowingly Recruited Bots For Crime WorkMonster.com Unknowingly Recruited Bots For Crime Work

Without the company's permission, Monster.com was briefly recruiting new bots this week to work on behalf of cyber criminals.

The company confirmed Wednesday that malicious software was inserted on the site's Monster Company Boulevard pages, which allow job seekers to research companies, in order to surreptitiously turn visitors' PCs into zombies for spam and malware delivery.

"It seems that company.monster.com suffered some sort of iframe injection attack [on Monday]," said Roger Thompson, CTO of Exploit Prevention Labs in a blog post, noting that the employment ads for a number of major brands were affected, including Eddie Bauer, GMAC Mortgage, BestBuy, Toyota Financial, and Tricounties Bank.

The attack relied on a technique known as iframe injection. "Iframe tags are a kind of HTML tag," explains the StopBadware.org site. "An iframe creates a small 'window' on a Web page so that another Web page can load within the embedded window. Iframes are not always used for nefarious purposes; one frequent use, for example, is to embed a video into a blog post. When used by malicious hackers, an iframe can be made so small that it is invisible, and the visitor to the infected web page never knows that another page is also loading in the tiny iframe window."

Monster.com spokesperson Kathryn Burns confirmed the compromise and said that the company promptly removed and cleaned the affected Web pages.

"The malware was designed to make computers running it part of a spamming network," Burns said in an e-mail. "The virus is detectable by most major anti-virus software, and this issue should not affect users running Windows with the most recent security updates from Microsoft. In addition, we believe only an extremely small percentage of those using the site this week were potentially exposed prior to those pages being cleaned. Because we believe this malware originated with an online crime group that targets leading web properties, we are providing as much information as possible about this situation to the appropriate law enforcement officials."

This marks the second significant attack on Monster.com in recent months. In August, Symantec reported a new Trojan, called Infostealer.Monstres, which tries to capture personal information from Monster.com job seeker profiles using credentials that appear to have been stolen from legitimate recruiters. The stolen information is subsequently used to tailor phishing e-mails which, if opened and unwittingly triggered, can encrypt files on a victim's PC. Cyber criminals can then demand payment to restore the locked files.

Burns stressed that Monster.com remains committed to the integrity of its products and services and to the protection of its online visitors.