NEWS FROM THE LAB - Tuesday, March 25, 2014

Gameover ZeuS Targets Monster
Posted by Sean @ 11:57 GMT

Recently, we obtained a current Gameover ZeuS configuration file and we noticed that in addition to CareerBuilder, Gameover now also targets Monster.



Here's the legit hiring.monster.com URL:







A computer infected with Gameover ZeuS will inject a new "Sign In" button, but the page looks otherwise identical:







And then the following "security questions" are requested via an injected form:







Here's the full list:



• In what City / Town does your nearest sibling live?

• In what City / Town was your first job?

• In what city did you meet your spouse/significant other?

• In what city or town did your mother and father meet?

• What are the last 5 digits / letters of your driver's license number?

• What is the first name of the boy or girl that you first dated?

• What is the first name of your first supervisor?

• What is the name of the first school you attended?

• What is the name of the school that you attended aged 14-16?

• What is the name of the street that you grew up on?

• What is the name of your favorite childhood friend?

• What is the street number of the first house you remember living in?

• What is your oldest sibling's birthday month and year? (e.g., January 1900)

• What is your youngest sibling's birthday?

• What month and day is your anniversary? (ie. January 2)

• What was the city where you were married?

• What was the first musical concert that you attended?

• What was your favorite activity in school?



A cookie called "qasent" is spawned by the process.
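
The cookie name gives defenders something concrete to search for. As an added example (not from the original post or from F-Secure), this Python script scans proxy log lines for requests to monster.com hosts that carry a cookie named exactly "qasent". It assumes the cookie lands in the site's cookie scope and so appears in Cookie request headers; the log layout and the sample lines are constructed.

```python
# Added example: flag requests whose Cookie header carries the "qasent" cookie.
# Assumption: the log is tab-separated (time, client, host, Cookie header).
WATCHED_COOKIE = "qasent"        # cookie name reported in the post
WATCHED_DOMAIN = "monster.com"   # site named in the post

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2014-03-25T10:01:02Z\t10.0.0.5\thiring.monster.com\tsid=abc123; lang=en
2014-03-25T10:03:40Z\t10.0.0.7\thiring.monster.com\tsid=def456; qasent=1
2014-03-25T10:04:11Z\t10.0.0.8\thiring.monster.com\tnote=qasent; xqasent=1
2014-03-25T10:05:19Z\t10.0.0.9\twww.example.org\tqasent=1
2014-03-25T10:06:00Z\t10.0.0.7\thiring.monster.com\tsid=def456;qasent=1
2014-03-25T10:07:30Z\t10.0.0.6\thiring.monster.com\t-
"""


def cookie_names(header):
    """Return the set of cookie names in a Cookie request header value."""
    names = set()
    for pair in header.split(";"):
        name, sep, _value = pair.strip().partition("=")
        if sep and name:
            names.add(name.strip())
    return names


def host_in_domain(host, domain):
    """True for the domain or a subdomain, not for look-alike suffixes."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_hits(log_text):
    """Return (time, client, host) for each request showing the cookie."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip malformed lines
        when, client, host, cookie_header = fields
        if (host_in_domain(host, WATCHED_DOMAIN)
                and WATCHED_COOKIE in cookie_names(cookie_header)):
            hits.append((when, client, host))
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("possible web-inject artifact:", *hit)
```

Matching on the parsed cookie name rather than a substring keeps values such as "note=qasent" and names such as "xqasent" from raising false alerts.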



HR recruiters with website accounts should be wary of any such irregularities. If the account is potentially tied to a bank account and a spending budget … it's a target for banking trojans.



It wouldn't be a bad idea for sites such as Monster to introduce two-factor authentication, beyond mere security questions.



—————



Analysis by — Mikko Suominen









