Researchers have discovered a new variant of the financial Trojan Gameover Zeus that specifically targets the worldwide employment website Monster.com. Users who are infected by this variant are at risk of having their Monster.com log-in credentials compromised.

How it Works

Gameover Zeus has long been known for its prowess as a financial Trojan. The malware usually spreads through targeted phishing emails, and once installed it can be used to perform fraudulent banking transactions and to connect users to botnets for DDOS attacks.

This new variant of the Trojan uses Man-in-the-Browser techniques to inject a fraudulent sign-in button and form into Monster.com’s sign-in page.

Users who click the fake sign-in button send their Monster.com username and password to the attacker. They are then redirected to a form with a series of fake security questions, such as “In what City / Town does your nearest sibling live?” and “What are the last 5 digits / letters of your driver’s license number?”

Why this is a Threat

In 2013, Zeus’s Gameover variant was responsible for approximately one-third of all computerized attacks on financial institutions.  Early last year, Zeus was also found connecting to LinkedIn, and just last month it was found circulating Salesforce.com. Zeus is dangerous because it enables direct, covert, theft of funds. In comparison, the collection of user log-in credentials and random facts gathered through fake security questions may seem trivial, but it is not.

• Someone who has stolen your Monster.com log-in credentials can log-on to your Monster.com account from anywhere, as the site does not feature two-factor authentication by default.
• If your Monster.com credentials have been reused on other websites, an attacker can log-on to those accounts too.
• Answers provided to fake security questions can be used to bypass legitimate security questions at other websites, to aid identity theft.

Threat Mitigation

Gameover Zeus usually spreads through targeted phishing emails. As such, if an email contains a suspicious attachment, don’t open it. In this regard, hiring managers with active Monster.com accounts are most at risk because they likely receive numerous emails with attached resumes on a daily basis and likely have a lot of information about a lot of people on their Monster.com account. Regardless, anyone with a Monster account is at risk.

If you are worried that your computer may be infected by this latest variant, our experts in the “Help, my PC is infected!” Emsisoft Forum are always ready and willing to help. Our removal service is free, even if you are not an Emsisoft customer yet.

Those running Emsisoft Anti-Malware are automatically protected from this threat. Although this is indeed a new variant of Zeus with a new signature, our Behavior Blocking Technology  can identify novel threats based on the way they interact with your computer.

Have a Great (Monster Malware-Free) Day!