Trojan trawls recruitment sites in ID harvesting scam

Hackers have turned the harvesting of personal information from and other large US jobsites into a lucrative black market business. A Russian gang called Phreak has created an online tool that extracts personal details from CVs posted onto sites including, AOL Jobs,,, …


This topic is closed for new posts.
  1. Gordon Pryra

    Great Idea!!

    Now someone needs to explain to them pesky Ruskies that 99% of the data they harvest is, at best, half truths and at worst, total lies :)

  2. Mathew White

    UK as well

    I uploaded my CV to and had it as a private view only. Within a week the amount of spam targeted to my name/email combo on the CV had quadrupled. As they state - they are not responsible for any of your private data that you upload to them.

    I wrote to monster about it and their response was:

    "We understand that this type of communication may be frustrating, especially as the opportunity that the company is offering may not be something in which you are interested. However, we would like to reassure you that Monster takes all instances of “blanket mailing” or spam very seriously. We are always ready to take action against users who do not comply with our stated guidelines.

    While we cannot guarantee that third parties will gain unauthorized access, we do attempt to limit access to our searchable resume database to employers, recruiters, hiring managers, headhunters, and human resource professionals. As delineated in Monster’s Privacy Statement (, we are not responsible for the use made of resumes by third parties who access such resumes while they are in our searchable database."

    They also asked for me to provide the headers for the emails. (a little silly assuming that the spam was probably sent via some form of abstraction - say a botnet.)

    I think it's time for there to be some thinking about how companies that hold large quantities of data on individuals behave. Most seem to be pretty complacent.

  3. Rob

    Might be better...

    Hackers will probably do a better task of matching you to a job than the useless job agencies out there.

  4. Steve

    It needs rebranding

    Call it RecruitBot 2.0 and go into competition with the crappy job agencies - they can't do any worse.

  5. Anonymous Coward

    Monster response! (@"UK as well")

    >"While we cannot guarantee that third parties will gain unauthorized access, [ ... ]"

    ... you'd better bloody plan on it because our security SUCKS!
  6. Quirkafleeg

    “While we cannot guarantee that third parties will gain unauthorized access”

    Monster, tie a 'not in it.

  7. Andy Mabbett
    "A CAPTCHA is a type of challenge-response test designed to distinguish between requests from an automated program and a human. "

    No: A CAPTCHA is a type of challenge-response test designed to distinguish between requests from an automated program and a human who is not visually impaired.

  8. Anonymous Coward

    Monster not taking it seriously enough

    A couple of months back I had a unique email address harvested from Monster and subsequently used by the RockPhish enterprise to tout money-laundering roles (typically "Green Tree" spam). When I contacted Monster, they took many days to respond, and did not seem to acknowledge the seriousness of my allegation that my *monster-unique* address had been harvested, and just gave a fairly bland cut-and-paste reply.

    In the past couple of days I've had a new deluge of phoney-Monster mailings to a more generic email addy. I haven't yet established whether there's a real link between these and Monster-harvested data, or whether it's just a 'lucky try'...

  9. Matthew Elvey

    Sue 'em?

    I sued TD Ameritrade for violating their privacy policy, in failing to prevent their customer database from being obtained by hackers. It is a more serious case; they've already offered $1.9MM in plaintiff's attorney's fees alone to settle the case.

    It's much harder for Monster to keep crooks out of its database than AMTD... How would monster do so? I.e. how would it differentiate between a faux firm set up to look like a normal company looking for staff, and a real one? Reliably? At reasonable cost?

  10. A J Stiles

    Why is this news?

    Why is this news, and why do they need to use bots to do this?

    Just do a search for "curriculum vitae.doc" on Google. Plenty of personal information for the taking (albeit in a nasty proprietary format; anyone applying for a job here would get short shrift).

    I think it shouldn't be too difficult to set up a website where you first have to upload an OpenPGP public key; once you have done that, documents -- encrypted using that key -- become available for download. That would at least provide some measure of traceability: an OpenPGP key is a bit more concrete than an IP address.
