OPM posts alert on USAJobs

Experts assessing fallout from USAJobs breach warn users to beware of scams

Large databases make attractive targets

Multiple Web sites that share the same back-end database, such as Monster.com’s résumé database, run a compounded risk of being breached by hackers, said Johannes Ullrich, director of the Internet Storm Center at the SANS Institute.

“If one of them gets compromised, they all get compromised,” he said, adding that one small breach can escalate into a much larger problem.

Résumés belonging to nearly 150,000 registered users of the Office of Personnel Management’s USAJobs Web site, which was breached by e-mail phishers this summer, are among millions on career site Monster.com’s résumé database.

“We don’t know exactly who got the information, but it looks like they got the USAJobs information unintentionally,” Ullrich said.

— Richard W. Walker

Download

Find a link to the Symantec blog that discusses the malware Infostealer.Monstres on FCW.com’s Download at www.fcw.com/download.

Office of Personnel Management officials say they are confident they can protect the personal information of job seekers on the agency’s USAJobs Web site, despite a recent malware attack on the site’s résumé database. OPM officials did not disclose specific steps the agency has taken to safeguard the data. The database runs on servers at career site company Monster.com.

In late August, OPM notified about 5 million USAJobs registered users of a data breach and warned users on the site not to provide personal information by responding to unsolicited e-mail messages. Those messages could be from phishers, attackers who send e-mail messages that appear to be from a legitimate agency or company to trick unsuspecting victims into disclosing personal information.

OPM reported on Aug. 29 that phishing e-mailers had gained unauthorized access to personal information stored in Monster.com’s résumé database. The phishers obtained contact information, including names, e-mail addresses and telephone numbers of 146,000 USAJobs subscribers but no Social Security or bank account numbers, OPM said.

A security expert offered partially reassuring advice to people whose names were stolen from the résumé database. Johannes Ullrich, director of the Internet Storm Center at the SANS Institute, a security training and research company, said the information the phishers took was insufficient for identity theft.

“Typically, you don’t have Social Security numbers on Monster.com,” Ullrich said. “But the biggest danger is that the information they gathered can be used for more targeted attacks. For example, if they know that this particular person applied for a job at a particular agency, they could fake a response from that agency. The user then is more willing to do things like open attachments that may come with that e-mail.” E-mail attachments can contain harmful software.
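
The targeted-phishing scenario Ullrich describes can be screened for mechanically. The Python below is an added example, not code from OPM, Monster or the original article: it parses a message, compares the claimed sender against a small allow-list of agency domains (the entries in TRUSTED_DOMAINS are an assumption made for illustration), flags a Reply-To that diverges from the sender, flags links to hosts outside those domains, and flags any attachment. The two sample messages are constructed here for the demonstration and are not real phishing mail.

```python
"""Heuristic screen for the targeted phishing described above: mail that
claims to be an agency's response to a job application but whose headers,
links or attachments point elsewhere.  Added example with constructed
messages; TRUSTED_DOMAINS is an assumption made for illustration."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed allow-list of domains a genuine USAJobs or agency message would use.
TRUSTED_DOMAINS = {"usajobs.gov", "opm.gov", "dot.gov"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def domain_of_address(header_value):
    """'Display Name <user@host>' -> 'host' (lower-cased, '' if no address)."""
    _name, address = email.utils.parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def screen_message(raw):
    """Return a list of findings for one RFC 822 message; empty means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = domain_of_address(msg.get("From"))
    if not is_trusted(from_domain):
        findings.append(f"sender domain {from_domain!r} is not a trusted agency domain")

    # A Reply-To that diverges from From routes the victim's answer elsewhere.
    if msg.get("Reply-To"):
        reply_domain = domain_of_address(msg.get("Reply-To"))
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # Links in the body that leave the trusted domains.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not is_trusted(host):
            findings.append(f"link to untrusted host {host!r}")

    # Any attachment in an unsolicited application "response" is suspect.
    for part in msg.iter_attachments():
        findings.append(f"attachment {part.get_filename()!r} present")

    return findings


def build_phishing_sample():
    """Constructed message imitating an agency reply to a DOT application."""
    m = EmailMessage()
    m["From"] = "USAJobs Applicant Support <support@usajobs-careers.net>"
    m["To"] = "applicant@example.org"
    m["Reply-To"] = "hr-desk@mail-relay.example"
    m["Subject"] = "Re: Your application to the Department of Transportation"
    m.set_content(
        "Your application status has changed.\n"
        "Confirm your details at http://usajobs-careers.net/verify\n"
        "and review the attached form.\n"
    )
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="application_status.zip")
    return m.as_string()


def build_legitimate_sample():
    """Constructed message that stays within the trusted domains."""
    m = EmailMessage()
    m["From"] = "USAJobs <donotreply@usajobs.gov>"
    m["To"] = "applicant@example.org"
    m["Subject"] = "Application received"
    m.set_content("Thank you. Track your application at\n"
                  "https://www.usajobs.gov/Applicant/\n")
    return m.as_string()


if __name__ == "__main__":
    for label, raw in (("phishing", build_phishing_sample()),
                       ("legitimate", build_legitimate_sample())):
        print(label, screen_message(raw))
```

The checks are heuristics on what the message claims about itself: a forged From address at a trusted domain passes the sender test, so in practice this screen should be combined with the SPF, DKIM and DMARC results recorded by the receiving mail server rather than used on its own.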

The attack compromised the contact information of about 1.3 million Monster.com job seekers, Monster said in a statement Aug. 23. The stolen data was found on a rogue server, and the company shut down the server as part of an investigation of malicious software identified as Infostealer.Monstres, Monster officials said.

Monster apparently didn’t know about the rogue server until Symantec researchers discovered it Aug. 17. In a blog post on Symantec’s Web site, Amado Hidalgo, a Symantec security analyst, said he and his colleagues found that Infostealer.Monstres was uploading Monster.com data to a remote server in Ukraine. They found more than 1.6 million entries with personal data belonging to several hundred thousand people and informed Monster, Hidalgo said.

Asked about Monster’s ability to protect personal data of USAJobs subscribers, OPM said in an e-mail response that “the Monster team’s work is closely coordinated with OPM and the USAJobs program office. The information has been and will continue to be safeguarded by” standards promulgated by the Office of Management and Budget and the National Institute of Standards and Technology.

OPM first learned of a problem July 20, when a Transportation Department employee reported a bogus e-mail message from USAJobs that appeared to be a phishing scam. DOT contacted OPM, which then notified Monster, OPM officials said. OPM immediately posted anti-phishing notices on USAJobs.

OPM officials said DOT also notified the Homeland Security Department’s U.S. Computer Emergency Readiness Team, as OMB requires.

Monster initiated timely actions to fix the vulnerability detected in the system, OPM officials said.