Recently, we obtained a current Gameover ZeuS configuration file and noticed that, in addition to CareerBuilder, Gameover now also targets Monster.
Here's the legit hiring.monster.com URL:
A computer infected with Gameover ZeuS will inject a new "Sign In" button, but the page looks otherwise identical:
And then the following "security questions" are requested via an injected form:
Here's the full list:
• In what City / Town does your nearest sibling live?
• In what City / Town was your first job?
• In what city did you meet your spouse/significant other?
• In what city or town did your mother and father meet?
• What are the last 5 digits / letters of your driver's license number?
• What is the first name of the boy or girl that you first dated?
• What is the first name of your first supervisor?
• What is the name of the first school you attended?
• What is the name of the school that you attended aged 14-16?
• What is the name of the street that you grew up on?
• What is the name of your favorite childhood friend?
• What is the street number of the first house you remember living in?
• What is your oldest sibling's birthday month and year? (e.g., January 1900)
• What is your youngest sibling's birthday?
• What month and day is your anniversary? (ie. January 2)
• What was the city where you were married?
• What was the first musical concert that you attended?
• What was your favorite activity in school?
A cookie called "qasent" is spawned by the process.
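The injected questions and the "qasent" cookie described above can serve as indicators for a site operator or incident responder. The following is an added example, not code from the configuration file or from the original post; the function names and sample inputs are constructed, and it assumes the cookie is set on the site's own domain so that it shows up in `document.cookie` or the request's Cookie header.

```javascript
// Added example: indicator check for the webinject described in this post.
// The cookie name and question texts come from the post; function names and
// sample inputs are constructed for illustration.
const INJECT_COOKIE = "qasent";

// A few of the injected "security questions" listed above, used as text indicators.
const INJECT_QUESTIONS = [
  "In what City / Town does your nearest sibling live?",
  "What are the last 5 digits / letters of your driver's license number?",
  "What is the street number of the first house you remember living in?",
  "What was the first musical concert that you attended?",
];

// Parse a Cookie header (or document.cookie) into a list of cookie names.
function cookieNames(cookieHeader) {
  return (cookieHeader || "")
    .split(";")
    .map((pair) => pair.split("=")[0].trim())
    .filter((name) => name.length > 0);
}

// Normalise text so escaped or curly quotes, case and spacing do not defeat matching.
function normalise(text) {
  return (text || "")
    .replace(/\\'/g, "'")
    .replace(/[\u2018\u2019]/g, "'")
    .replace(/\s+/g, " ")
    .toLowerCase()
    .trim();
}

// Return the indicators present in one request or page view.
function findInjectIndicators(cookieHeader, pageText) {
  const findings = [];
  // Exact name match only: "myqasent" or a value containing "qasent" is not a hit.
  if (cookieNames(cookieHeader).includes(INJECT_COOKIE)) {
    findings.push("cookie:" + INJECT_COOKIE);
  }
  const haystack = normalise(pageText);
  for (const q of INJECT_QUESTIONS) {
    if (haystack.includes(normalise(q))) findings.push("question:" + q);
  }
  return findings;
}

// Constructed sample inputs.
const cleanCookie = "session=abc123; pref=qasent-theme; myqasent=1";
const infectedCookie = "session=abc123; qasent=1";
const infectedText = "Sign In\nWhat was the first musical  concert that you attended?";
console.log(findInjectIndicators(cleanCookie, "Sign In"));
console.log(findInjectIndicators(infectedCookie, infectedText));
```

Server-side, the same function can be fed the Cookie header of each authenticated request; a hit identifies an account whose browser session is being modified on the client.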
HR recruiters with website accounts should be wary of any such irregularities. If the account is potentially tied to a bank account and a spending budget … it's a target for banking trojans.
It wouldn't be a bad idea for sites such as Monster to introduce two-factor authentication, beyond mere security questions.