Monster.com and Symantec Defending Customers from Trojans

By Deanne Hollis

Last Friday a SecureWorks researcher reported that they had discovered a new variant of the Prg Trojan infecting approximately 46,000 users of online job sites.

Since then, Symantec has released information that Monster.com unknowingly became an agent for distributing Trojan.Monstres through the ads served on its Web site. According to Symantec spokesperson Dave Cole, director of Security Response for Symantec, “This Trojan is different from the typical Trojans targeting banks, PayPal, etc. It uses a unique approach in that it harvests information obtained from Monster.com. We are working with Monster to eliminate this threat; they have already shut down many of the vulnerable access logins.”

According to a statement issued by Monster, “Monster is investigating the reports related to a piece of malicious software, called Infostealer.Monstres, that has been used to gather the login credentials of our legitimate customers, and use those credentials to log into Monster’s resume database in order to view resumes posted to Monster’s resume database.”

When a customer visits the site, an infected ad displayed in the user’s browser detects the browser and serves a specific attack for that browser. An ad may have been clean when originally posted by Monster.com, but it is later swapped out for an infected one. The malware then uses a downloader Trojan to get onto a victim’s machine and download other threats.

After obtaining a legitimate user’s login access, the Trojan goes to an area where a recruiter has saved searches, then downloads resumes. It siphons information from resumes such as names, addresses, phone numbers, and email addresses. With a built-in spam engine, it starts spamming victims (and perpetuating infections) with phishing emails from Monster.com. With a subject line reading “Monster Job Seeker,” the email asks the victim to download a new tool.

Additionally, one of two other Trojans may be loaded on people’s systems: Bankers.c or GPcoder.e. Bankers.c waits for victims to log in to their online bank, then captures their keystrokes, including passwords. GPcoder.e, also known as ransomware, encrypts critical files so that when the victim tries to open a file they receive a message requesting monetary payment to decrypt their files, essentially holding the victim to ransom.

According to Monster, “We are investigating the reports related to this Trojan and will take all necessary steps to mitigate the issue, including terminating any account used for illegitimate purposes.”

IT administrators and end-users can protect their network by ensuring their anti-virus software is up to date, but how can publishers protect their visitors from possible infections from their ads? Cole advises “advertisers to scrutinize the code in their ads—even after they are posted. The best case scenario is to have a scripted means of simulating the ad as it appears to customers. Automatically test ads before anything happens.”
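Cole's advice to script a simulation of the ad as customers see it, sketched as an added example (not code from Symantec or Monster): the same ad slot is requested under several browser profiles and each response is compared with the approved creative. The `fetch` callable, host names, User-Agent strings and sample markup are constructed assumptions so the example runs offline.

```python
import hashlib
import re

# Constructed browser profiles; the User-Agent strings are illustrative.
PROFILES = {
    "ie": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "firefox": "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20070725 Firefox/2.0.0.6",
    "opera": "Opera/9.23 (Windows NT 5.1; U; en)",
}
APPROVED_HOSTS = {"ads.example.com"}  # hosts the publisher has vetted (assumed)

def digest(markup):
    return hashlib.sha256(markup.encode("utf-8")).hexdigest()

def external_hosts(markup):
    """Hosts referenced by src/href attributes in the creative."""
    return set(re.findall(r'(?:src|href)\s*=\s*["\']https?://([^/"\':]+)', markup, re.I))

def audit_ad(fetch, slot, approved_digest):
    """Request one ad slot under every profile and return a list of findings.
    `fetch(slot, user_agent)` must return the creative's markup as a string."""
    findings, seen = [], {}
    for name, ua in PROFILES.items():
        markup = fetch(slot, ua)
        seen[name] = digest(markup)
        if seen[name] != approved_digest:
            findings.append((name, "creative differs from approved version"))
        for host in sorted(external_hosts(markup) - APPROVED_HOSTS):
            findings.append((name, "unvetted host: " + host))
    if len(set(seen.values())) > 1:
        # A static creative should be byte-identical for every browser.
        findings.append(("*", "content varies by browser"))
    return findings

# Constructed stand-in for an ad server, so the example runs without a network.
CLEAN = '<a href="http://ads.example.com/click"><img src="http://ads.example.com/banner.gif"></a>'
SWAPPED = CLEAN + '<iframe src="http://unvetted.example.net/x"></iframe>'

def fake_fetch(slot, user_agent):
    # Slot "b" simulates a creative swapped after approval, for one browser only.
    return SWAPPED if slot == "b" and "MSIE" in user_agent else CLEAN

if __name__ == "__main__":
    for slot in ("a", "b"):
        print(slot, audit_ad(fake_fetch, slot, digest(CLEAN)))
```

Run on a schedule after the ad goes live, a check like this catches both a creative that changed since approval and one that changes only for particular browsers.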

Deanne Hollis is the online editor of Computer Technology Review and Storage & Security.

 
