The Fallout From The Monster Hack

1,000 computers infected and files held to ransom.

The massive hack at Monster.com which took the details of several hundred thousand people, appears to have happened a few weeks ago, and now the dust is beginning to clear.   Many of those whose details were stolen received an e-mail, purporting to be from Monster, inviting them to download the Monster Job Seeker Tool. Those who did found they’d fallen victim to a ransomware Trojan that encrypted the files on their computer and stole personal data.   Shortly after that, the person would receive an e-mail from the hackers, calling themselves the Glamorous Team, including an attachment called read_me.txt that read:   “Hello, your files are encrypted with RSA-4096 algorithm. You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us. To decrypt your files you need to buy our software. The price is $300. To buy our software please contact us at: [email address] and provide us your personal code [personal code]. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system. If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.”   According to Jacques Erasmus, director of malware research at UK-based security company Prevx, it was the worst attack he’d seen.   “It took us about six hours to reverse-engineer the [encryption] algorithm including testing,” said Erasmus. “We made two tools, one to decrypt the stolen data and one to decrypt the files for users.”   He was helped by the fact that he was able to access the dump site where the Glamorous Team had sent their data. That enabled him to learn that about 1,000 computers had been infected. But it wasn’t just home-based individuals who’d been victims. Others included US government departments and multinationals including Hewlett-Packard – total of  257MB of stolen data. Erasmus contacted the FBI and some of the seriously affected companies.   There was plenty of personal data, including an online passport application. The data was logged, even though users had been on a secure browser connections.   “There was an entire biometric profile of a government contractor in the stolen data – details such as eye colour, hair colour, exact measurements and weight,” said Erasmus. “What worried us more was the level of data that was compromised from large US corporations and government contractors. Logins to critical systems, databases and intranet logins were captured. This could be devastating.”   Prevx believes the hackers are based in Russia and are part of a bigger criminal network.