Hackers have turned the harvesting of personal information from Monster.com and other large US jobsites into a lucrative black market business A Russian gang called Phreak has created an online tool that extracts personal details from CVs posted onto sites including Monster.com, AOL Jobs, Ajcjobs.com, Careerbuilder.com, …
Now someone needs to explain to them pesky Ruskies that 99% of the data they harvest is, at best, half truths and at worst, total lies :)
UK as well
I uploaded my CV to monster.co.uk and had is a a private view only. Within a week the amount of spam targeted to my name/email combo on the CV had quadrupled. As they state - they are not responsible for any of your private data that you upload to them.
I wrote to monster about it and their response was:
"We understand that this type of communication may be frustrating, especially as the opportunity that the company is offering may not be something in which you are interested. However, we would like to reassure you that Monster takes all instances of “blanket mailing” or spam very seriously. We are always ready to take action against users who do not comply with our stated guidelines.
While we cannot guarantee that third parties will gain unauthorized access, we do attempt to limit access to our searchable resume database to employers, recruiters, hiring managers, headhunters, and human resource professionals. As delineated in Monster’s Privacy Statement (http://about.monster.co.uk/privacy/), we are not responsible for the use made of resumes by third parties who access such resumes while they are in our searchable database."
They also asked for me to provide the headers for the emails. (a little silly assuming that the spam was probably sent via some form of abstraction - say a botnet.)
I think its time for there to be some thinking about how companies that hold large quantities of data on individuals behave. Most seem to be pretty complacent.
Might be better...
Hackers will probably do a better task of matching you to a job than the useless job agencies out there.
It needs rebranding
Call it RecruitBot 2.0 and go into competition with the crappy job agencies - they can't do any worse.
Monster response! (@"UK as well")
>"While we cannot guarantee that third parties will gain unauthorized access, [ ... ]"
... you'd better bloody plan on it because our security SUCKS!
“While we cannot guarantee that third parties will gain unauthorized access”
Monster, tie a 'not in it.
"A CAPTCHA is a type of challenge-response test designed to distinguish between requests from an automated program and a human. "
No: A CAPTCHA is a type of challenge-response test designed to distinguish between requests from an automated program and a human who is not visually impared.
Monster not taking it seriously enough
A couple of months back I had a unique email address harvested from Monster and subsequently used by the RockPhish enterprise to tout money-laudering roles (typically "Green Tree" spam). When I contacted Monster, they took many days to respond, and did not seem to acknowledge the seriousness of my allegation that my *monster-unique* address had been harvested, and just gave a fairly bland cut-and-paste reply.
In the past couple of days I've had a new deluge of phoney-Monster mailings to a more generic email addy. I haven't yet established whether there's a real link between these and Monster-harvested data, or whther it's just a 'lucky try'...
It's much harder for Monster to keep crooks out of its database than AMTD... How would monster do so? I.e. how would it differentiate between a faux firm set up to look like a normal company looking for staff, and a real one? Reliably? At reasonable cost?
Why is this news?
Why is this news, and why do they need to use bots to do this?
Just do a search for "curriculum vitae.doc" on Google. Plenty of personal information for the taking (albeit in a nasty proprietary format; anyone applying for a job here would get short shrift ).
I think it shouldn't be too difficult to set up a website where you first have to upload an OpenPGP public key; once you have done that, documents -- encrypted using that key -- become available for download. That would at least provide some measure of traceability: an OpenPGP key is a bit more concrete than an IP address.
- Product round-up Too 4K-ing expensive? Five full HD laptops for work and play
- Review We have a winner! Fresh Linux Mint 17.1 – hands down the best
- Vid Antarctic ice THICKER than first feared – penguin-bot boffins
- 'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
- You stupid BRICK! PCs running Avast AV can't handle Windows fixes