Monster.com Hacked… Again…
November 21st, 2007
I’ve mentioned Monster.com a few times since details of the big security breach first came out - when 1.6 million CVs were swiped by hackers, leading to lots of spam and highly targeted scams. Most people didn’t pick up on the fact that this is nothing new for Monster. Because of the way their website is structured, with all the CVs up for grabs by anyone who can get a hold of an employer login, it is safe to bet that thousands of candidates every day have their private details leaked into some spammer’s database. No SQL injections or XSS required - just get access to one of the many thousands of employer accounts.
So I was surprised that Monster vowed to set things right by pledging a portion of their $80,000,000 upgrade to improving their security. I mentioned at the time that they could throw $80 billion at security upgrades, and it would still not make a difference to its users’ privacy without fundamentally changing the way the site works.
Regardless, throwing money at upgrading the security of the website should prevent any further embarrassments, right? According to The Register, attackers hijacked part of the website yesterday, using it to spread malware to the site’s visitors.
The outage affected the Monster Company Boulevard, said Exploit Prevention Labs’ Roger Thompson, who first noticed the site was inaccessible around 5 pm Monday East Coast time.
Several hours earlier, he discovered the site had been subject to an iFrame attack that was redirecting visitors to servers that hosted exploits from Neosploit, a nasty attack toolkit that competes with better-known packages such as MPack and Icepack.
This has gone beyond a joke. I’ll bet €50 that Monster will make headlines once again (for the wrong reasons) before the year is out.

November 25th, 2007 at 2:49 am
If the biggest job board in the world continues to demonstrate fundamental flaws in its security, it makes you wonder about all the 60,000+ other job boards…