Phony Job Ad Nets More Stolen Identities

Last week, a security company reported that it found about 100,000 stolen identities hidden away in a dozen caches spread across the globe. Now it seems that number may be a fraction of the amount that hackers have stolen and socked away.

Researchers at Symantec have found another major database of information. This one contains 1.6 million pieces of facts such as names, addresses, mobile phone numbers, and name of employers. The number correlates to data pieces, not 1.6 million victims, said Dave Cole, director of Symantec's Security Response team.

It's still unclear how many stolen identities -- how many victims of identity theft -- the information in that cache represents, added Cole.

"This is a spammer's dream," Cole said in an interview with InformationWeek. "You've all this fresh data. ... We see stolen data all the time. In terms of shock value, this is a lot of data, for sure. Is it the most complete data we've ever seen? No, I don't think so."

This new cache of stolen data seems to be connected to the 12 caches that security researchers at SecureWorks reported finding last week. The data is apparently being stolen and stockpiled by one hacker group using the latest variance of the Prg Trojan, which also is known as Ntos, Tcp Trojan, Zeus, Infostealer.Monstres, and Banker.aam.

The largest cache that SecureWorks found contained the stolen identities of 46,000 people.

The stolen data, which includes bank and credit card account information, Social Security numbers, online payment account user names, and passwords, comes from victims who were all individually infected with the Trojan beginning in early May.

Don Jackson, a researcher with security company SecureWorks, said in an interview that the latest variant of the Prg Trojan has been running on fraudulent ads on at least two online job sites. One, he said, is Monster.com. Representatives from Monster did not return a request for an interview.

Symantec's Cole, who said Monster has been working with his company on the case, added that legitimate Web sites are often conned into running phony and malicious ads. "These types of attacks can happen to pretty much any kind of site," he said. "Complex and robust Web sites are pulling information from different areas. Presenting a safe and secure commercial site ... is a lot harder than it used to be."

A spokeswoman for SecureWorks pointed out that the hackers seem to be using different attack vectors -- both malicious ads and e-mails that are being sent to Monster users.

Cole also said he's not seeing nearly as much activity going on now for the Prg Trojan and thinks the hackers have gone underground to ride out some of the media and security attention they're getting right now.

"It may pop back up when the coast is clear," he added. "It's reasonable to say it's a lot of the same people using different tactics. They'll probably go quiet for a while and then pop back up on another site."