Job seekers are likely to be familiar with monster.com, a popular job search and online recruitment web site that is the second largest job search engine in the US, with roughly 42 million job seekers per month posting their resumes on the website-that is about 42 million people willingly providing their contact details and additional personal information to be reviewed by potential employers.
Of course there is nothing wrong with this picture but then again a Trojan-assisted security breach happens and then you have big problems on your hands.

Recently, a new information-stealing Trojan has turned up, this time targeting monster.com subscribers. This new Trojan apparently logs in to monster.com using a compromised account that is meant for employers who want to review resumes. Once it has gained access, the Trojan harvests the information contained within monster.com resume database, siphoning off names, home and mobile phone numbers, home addresses and email addresses into a remote server.
The remote server contains a file counter.txt which lists the number of compromised resume entries.

As of now 1,599,675 entries have been compromised. It is possible that the Trojan was created to harvest email addresses for the use of spammers.

Trend detects this Trojan as TSPY_MAMAW.A. For security purposes, we advise users who subscribe to such online recruitment website to provide minimal contact information. When providing an email address, use one that is separate from the personal email address that you often use to avoid being spammed.

Stock spam seems to be growing no end. Most recently, stock spam came in such elaborate formats as PDF, XLS, FDF, and even highly obfuscated text that meant to make spam filters’ jobs harder. This shows that spammers are putting much effort in packaging their messages to see which ones work best. This time, however, they seem to be going back to basics with new samples of stock spam such as this:

The spammed email message contains only a link that points to a Yahoo! Finance page where stock information about a certain mobile solutions company is displayed.

With Yahoo name involved, spammers are clearly aiming to add more credence to the stock. Notably, the said page IS legitimate, according to Maria Estella Manly, a TrendLabs Antispam Research Engineer.

What users need to know, however, is that Yahoo! is not in the habit of sending out stock notices to promote certain companies that may or may not be willing subjects of spam campaigns. Manly adds that there are no indications that either the link or the site contains malware, but rather just part of another pump-and-dump scam.
So unwitting users who may have already clicked on the said link and were led to the site are not in actual danger of getting their machines infected, but they may be victimized nonetheless when they put their money into the company in question, in the belief that buying shares will prove profitable. Users need, as always, to exercise caution when dealing with financial matters, especially when conducted online. Perhaps they also need to remember that looks can be deceiving. Even if stock spam has started looking less cluttered, it still poses a risk that is no less simple.

TrendLabs has received reports of a malware strain, which encrypts all files ending with the following extensions:

• csv
• doc
• docx
• mdb
• mpl
• pps
• ppt
• pptx
• rar
• rtf
• txt
• vsd
• vst
• xls
• xlsx
• zip

Then it drops a ransom note named README_ASAP.TXT:

Dear User,

Thank you for using our service.
We’ve recently inspected your system and found out many critical security holes.
It’s not a joke, and it bring out clearly that we were able to crypt all of your text files, documents, archives and data files.

For your security we did it before than someone else: hacker, virus or just stupid vandal.
In world, hijackers are hunting for your bank account, credit card information, or something valuable.
Now, even if they’ll hack your computer they steal nothing, because all of your important files are now crypted and secured. There is no technology or scientific method to crack this kind of encrypting in near future Unfortunatelly as like other job, our services cost money. Just only 150$ US dollars. It is worth much less than if you loose all your files.
We accept only Western Union, and we garantee that your’ll receive decrypting program with detailed manual in less than hour after we’d received your payment.
If you need your information back, just send an email to:

XXXXX@XXXXXXXXXXXXXXXX

and we’ll send you further instructions in 5 minutes.

Do not worry, you’ll get all back in hour after we get Western Union Transfer details. ONLY IN ONE HOUR!!!

We are sorry for your inconvenience, but better we and less, than somebody and more.

Q. I didn’t order your service and dont want to pay! I’ll go to police!
A. It’s up to you. If you belive they do it better, then do it.

Q. I am poor studentbankrupthousewife. I dont have money.
A. It’a sad to hear.

Q. I’ve sent an email to you for a discount.
A. Sorry, but we can’t answer to all our correspondents due to high load.

Q. I need my information ASAP!
A. Dont worry! You will get it in one hour after we receive your MTSN. (western union control number)

Q. How i can trust you? Maybe you’ll rip me?
A. We understand if you send money for our work-your info important for you.And we don’t want make your life worse.You’ll certanly get the Decription Program.

Thank you,
Network Security Audit Plus

Users are then left with hundreds of unusable data, with no means of recovery as of yet. TrendLabs has identified the culprits to be TROJ_GPCODE.AB and TROJ_GPCODE.AC.

This routine is similar to the TSPY_KOLLAH.F attack reported last month, where various file formats were held “hostage” by encryption using the RSA-4096 algorithm method. Similarly, the earlier attack left a READ_ME.TXT file informing users that a certain software must be purchased to revert the encrypted files to their un-encrypted form. However, interesting to note is that this attack offers a cheaper price for its decryption software (for $150) than last month’s $300.

Ransomware has been defined as malware used for an extortion crime. Such malicious routines are nothing new as cases have been reported as early as 2005. However, they have remained low-key until now, indicating that ransomware may be on the rise.

In this regard, TrendLabs strongly advocates making back-up copies of your files, in case they get infected, deleted, stolen — or in this case, ransomed.

Mahou no iLand, a free home page service site, announced that their official Web site was attacked. A malicious program was injected to the said site. According to Mahou no iLand, the attack was detected last 5 July 2007 and they suspended all of their services on 17 July 2007.

A similar case happened to a well known company for mutual fund information where a malicious access to their Web site was also detected. These incidents only highlight the increasing number of cases of similar attacks.

The first half of 2007 brought a series of attacks that seem to herald what we now see as a recurring problem. Three incidents inevitably stood out from the rest. They arrived quietly, but they immediately sent alarm bells clanging:

• Super Bowl (January), where the Web site was compromised when hackers injected malicious scripts. It was believed that a lot of users may have been affected as the site was getting more visits because of the Super Bowl.
  
• ANI attacks, which were widely felt in Asia (March)
  
• Italian Job (June) was dubbed by Trend Micro as the fastest widespread malicious web attack worldwide.

It cannot get more global than this. As evidenced by these high-profile cases, US, Europe, and Asia have all been targeted. The attack on Mahou no iLand in Japan, only proves that this problem will continue to persist.

Meanwhile, users will just have to continue to be on the lookout for possible attacks. After all, prevention remains to be a fool-proof plan, and staying clear from those suspicious Web sites is a start.