Infected job search sites deliver 46,000 IDs to hackers

A cache of financial and personal data that was stolen from about 46,000 individuals by a variant of Prg, a Trojan program gaining notoriety for its quick-change behaviour, has been discovered by security researcher at SecureWorks.

Share

A cache of financial and personal data that was stolen from about 46,000 individuals by a variant of Prg, a Trojan program gaining notoriety for its quick-change behaviour, has been discovered by security researcher at SecureWorks.

The stolen data includes bank and credit card account information and Social Security numbers as well as usernames and passwords for online accounts. Many of the victims were infected and re-infected as they visited several leading online job search sites, including the popular Monster.com.

Don Jackson, the SecureWorks researcher who found the collection, said it was the largest single cache of data he discovered from the Prg Trojan, a piece of malware first seen in the wild in June. According to Jackson, the server he examined is still collecting stolen data, with up to 10,000 victims feeding it information at any particular time.

That server is one of 20 similar servers worldwide that are collecting and storing data stolen by Prg. Twelve of those servers - including the one with the large data cache - are being managed by a single hacking group known for naming their attacks after car manufacturers such as Bugatti, Ford and Mercedes, Jackson said.

SecureWorks is a managed security services provider. The "car group's" success in compromising and stealing information from so many individuals is based on two factors, Jackson said. The first factor appears to have been their success in widely distributing the malware. He says the group used online ad aggregation services to place infected ads on job-search services as well as other Web sites, he said.

A user clicking on one of the malicious ads is taken to an exploit page that "fingerprints" the user's browser and then serves up between one and four exploits designed to infect the user's system with the Trojan. From that point on, all information the user enters into the browser is captured and sent off to the hacking group's servers, Jackson said.

Find your next job with computerworld UK jobs