Trojan trawls recruitment sites in ID harvesting scam Hackers have turned the harvesting of personal information from Monster.com and other large US jobsites into a lucrative black market business A Russian gang called Phreak has created an online tool that extracts personal details from CVs posted onto sites including Monster.com, AOL Jobs, Ajcjobs.com, Careerbuilder.com, …
I uploaded my CV to monster.co.uk and had is a a private view only. Within a week the amount of spam targeted to my name/email combo on the CV had quadrupled. As they state - they are not responsible for any of your private data that you upload to them.
I wrote to monster about it and their response was:
"We understand that this type of communication may be frustrating, especially as the opportunity that the company is offering may not be something in which you are interested. However, we would like to reassure you that Monster takes all instances of “blanket mailing” or spam very seriously. We are always ready to take action against users who do not comply with our stated guidelines.
While we cannot guarantee that third parties will gain unauthorized access, we do attempt to limit access to our searchable resume database to employers, recruiters, hiring managers, headhunters, and human resource professionals. As delineated in Monster’s Privacy Statement (http://about.monster.co.uk/privacy/), we are not responsible for the use made of resumes by third parties who access such resumes while they are in our searchable database."
They also asked for me to provide the headers for the emails. (a little silly assuming that the spam was probably sent via some form of abstraction - say a botnet.)
I think its time for there to be some thinking about how companies that hold large quantities of data on individuals behave. Most seem to be pretty complacent.
"A CAPTCHA is a type of challenge-response test designed to distinguish between requests from an automated program and a human. "
No: A CAPTCHA is a type of challenge-response test designed to distinguish between requests from an automated program and a human who is not visually impared.
A couple of months back I had a unique email address harvested from Monster and subsequently used by the RockPhish enterprise to tout money-laudering roles (typically "Green Tree" spam). When I contacted Monster, they took many days to respond, and did not seem to acknowledge the seriousness of my allegation that my *monster-unique* address had been harvested, and just gave a fairly bland cut-and-paste reply.
In the past couple of days I've had a new deluge of phoney-Monster mailings to a more generic email addy. I haven't yet established whether there's a real link between these and Monster-harvested data, or whther it's just a 'lucky try'...
I sued TD Ameritrade for violating their privacy policy, in failing to prevent their customer database from being obtained by hackers. It is a more serious case; they've already offered $1.9MM in plaintiff's attorney's fees alone to settle the case.
It's much harder for Monster to keep crooks out of its database than AMTD... How would monster do so? I.e. how would it differentiate between a faux firm set up to look like a normal company looking for staff, and a real one? Reliably? At reasonable cost?
Why is this news, and why do they need to use bots to do this?
Just do a search for "curriculum vitae.doc" on Google. Plenty of personal information for the taking (albeit in a nasty proprietary format; anyone applying for a job here would get short shrift ).
I think it shouldn't be too difficult to set up a website where you first have to upload an OpenPGP public key; once you have done that, documents -- encrypted using that key -- become available for download. That would at least provide some measure of traceability: an OpenPGP key is a bit more concrete than an IP address.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
