NEWS FROM THE LAB - Tuesday, March 25, 2014

Gameover ZeuS Targets Monster

Posted by Sean @ 11:57 GMT

Recently, we obtained a current Gameover ZeuS configuration file and noticed that, in addition to CareerBuilder, Gameover now also targets Monster.

Here's the legit hiring.monster.com URL:


A computer infected with Gameover ZeuS will inject a new "Sign In" button, but the page looks otherwise identical:

[Image: hiring.monster, gameover]

And then the following "security questions" are requested via an injected form:

[Image: hiring.monster, gameover question injection]

Here's the full list:

  •  In what City / Town does your nearest sibling live?
  •  In what City / Town was your first job?
  •  In what city did you meet your spouse/significant other?
  •  In what city or town did your mother and father meet?
  •  What are the last 5 digits / letters of your driver's license number?
  •  What is the first name of the boy or girl that you first dated?
  •  What is the first name of your first supervisor?
  •  What is the name of the first school you attended?
  •  What is the name of the school that you attended aged 14-16?
  •  What is the name of the street that you grew up on?
  •  What is the name of your favorite childhood friend?
  •  What is the street number of the first house you remember living in?
  •  What is your oldest sibling's birthday month and year? (e.g., January 1900)
  •  What is your youngest sibling's birthday?
  •  What month and day is your anniversary? (ie. January 2)
  •  What was the city where you were married?
  •  What was the first musical concert that you attended?
  •  What was your favorite activity in school?

A cookie called "qasent" is spawned by the process.
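For a site operator, that cookie name is something to look for in incoming requests. The following is an added example, not part of the original post or its analysis: it assumes the injected cookie is set on the site's own domain (so the browser returns it in the Cookie header) and uses a constructed log format, paths and sample lines.

```python
import re
from collections import defaultdict

# Cookie name reported in the post; everything else below is constructed.
INDICATOR_COOKIE = "qasent"

# Constructed sample lines in a hypothetical log format:
#   <timestamp> <client_ip> <account> "<request line>" "<Cookie header>"
SAMPLE_LOG = """\
2014-03-25T09:14:02Z 198.51.100.7 recruiter01 "GET /login HTTP/1.1" "sid=a1b2; lang=en"
2014-03-25T09:15:40Z 203.0.113.21 recruiter02 "POST /login HTTP/1.1" "sid=c3d4; qasent=1; lang=en"
2014-03-25T09:16:11Z 203.0.113.21 recruiter02 "GET /home HTTP/1.1" "sid=c3d4; QASENT=1"
2014-03-25T09:17:55Z 192.0.2.44 recruiter03 "GET /home HTTP/1.1" "sid=e5f6; note=qasent"
2014-03-25T09:18:03Z 192.0.2.44 recruiter03 "GET /jobs HTTP/1.1" "myqasent=1; sid=e5f6"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$')


def cookie_names(header):
    """Return the set of cookie names (lowercased) in a Cookie header value."""
    names = set()
    for pair in header.split(";"):
        name, _, _ = pair.strip().partition("=")
        if name:
            names.add(name.strip().lower())
    return names


def find_hits(log_text):
    """Map account -> [(timestamp, ip, request)] for requests carrying the cookie."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, ip, account, request, cookies = m.groups()
        # Match on the parsed cookie *name*, not a substring of the header,
        # so "note=qasent" and "myqasent=1" do not raise false alerts.
        if INDICATOR_COOKIE in cookie_names(cookies):
            hits[account].append((ts, ip, request))
    return dict(hits)


if __name__ == "__main__":
    for account, events in find_hits(SAMPLE_LOG).items():
        for ts, ip, request in events:
            print(f"{account}: {ts} {ip} {request} carried '{INDICATOR_COOKIE}' cookie")
```

An account that shows up here is worth treating as possibly browsing from an infected machine, for example by requiring a password reset from a clean device.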

HR recruiters with website accounts should be wary of any such irregularities. If the account is potentially tied to a bank account and a spending budget … it's a target for banking trojans.

It wouldn't be a bad idea for sites such as Monster to introduce two-factor authentication, beyond mere security questions.


Analysis by — Mikko Suominen