Gameover Trojan Morphs to Target Monster and Careerbuilder Websites

The log-in credentials for a job-hunting site wouldn't seem to be all that valuable to criminals. But the real gambit comes with the second part of the attack
Users of both Monster.com and CareerBuilder.com are now being targeted in a unified campaign that uses the Gameover trojan to draw out personally identifiable information.

Gameover first made headlines for stealing people’s money in 2012, when the FBI warned that a phishing campaign was delivering a new variant of the Zeus financial malware. A Zeus variant that emerged after the Zeus source code was leaked in 2011, Gameover employs the traditional, configurable ‘man-in-the-browser’ injection technique, which lets it access the user’s bank details before they are encrypted and after they are decrypted. However, one of the main differences between Zeus and Gameover is that the latter is controlled via a distributed command-and-control infrastructure.

According to an F-Secure analysis, the new gambit is using a fresh configuration file to carry out the dirty work. “A computer infected with Gameover ZeuS will inject a new ‘Sign In’ button [into the Monster.com sign-in page], but the page looks otherwise identical.”

In and of itself, the log-in credentials for a job-hunting site wouldn’t seem to be all that valuable to criminals. But the real gambit comes with the second part of the attack. After users authenticate to the faux page, they are then redirected again to a page with an injected form that appears to legitimately ask three security questions. These are selected and presented randomly from a list of 18, asking things like, “what are the last 5 digits / letters of your driver's license number?” or “what was the city where you were married?” These are typical security questions used by a host of financial sites and others – knowing the answers at Monster.com can thus help the crooks get by security at other sites, especially if the victim uses the same password for multiple services.

“HR recruiters with website accounts should be wary of any such irregularities. If the account is potentially tied to a bank account and a spending budget…it's a target for banking Trojans,” F-Secure warned. “It wouldn't be a bad idea for sites such as Monster to introduce two factor authentication, beyond mere security questions.”

Recruiters with accounts on employment websites should be wary of irregularities on log-in pages, especially if those accounts are tied to bank accounts and spending budgets, the F-Secure researchers said. “It wouldn’t be a bad idea for sites such as Monster to introduce two factor authentication beyond mere security questions.”

Gameover has been steadily evolving. In February it came to light that the criminals behind the malware delivery system for the banking trojan are now encrypting their executable file so that it doesn’t trigger common defenses.

Gary Warner, a researcher at Malcovery, explained that as it passes through firewalls, web filters, network intrusion detection systems and any other defenses that companies may have in place, it is doing so as a non-executable “.enc” file.

“If you are in charge of network security for your enterprise, you may want to check your logs to see how many .ENC files have been downloaded recently,” he said, noting that Malcovery has seen this behavior “consistently” since late January. He said that it was alarming enough that he decided to share the information more broadly, sending copies of the malware to dozens of security researchers and to law enforcement.
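
One way to run the log check Warner suggests, shown as an added example that is not from the article, F-Secure or Malcovery. It assumes a whitespace-separated proxy log (time, client, method, URL, status, bytes); the sample lines, hosts and function names are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit, unquote

# Constructed sample proxy log. Assumed field order:
# time client method url status bytes
SAMPLE_LOG = """\
2014-03-25T09:14:02Z 10.0.4.17 GET http://files.example.test/images/logo.png 200 5120
2014-03-25T09:14:09Z 10.0.4.17 GET http://cdn.example.test/uploads/update.enc 200 331776
2014-03-25T09:15:41Z 10.0.7.23 GET http://cdn.example.test/docs/report.ENC?x=1 200 329216
2014-03-25T09:16:00Z 10.0.7.23 GET http://cdn.example.test/docs/missing.enc 404 0
2014-03-25T09:17:30Z 10.0.9.50 GET http://news.example.test/search?q=file.enc 200 20480
2014-03-25T09:18:12Z 10.0.4.17 GET http://cdn.example.test/a/b%2Eenc 200 330000
malformed line
"""

def is_enc_download(url):
    """True when the URL path (not the query string) ends in .enc."""
    # Decode percent-escapes so "b%2Eenc" is treated as "b.enc".
    path = unquote(urlsplit(url).path)
    return path.lower().endswith(".enc")

def find_enc_downloads(lines):
    """Return (time, client, url, bytes) for each successful .enc fetch."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # skip lines that do not match the assumed format
        ts, client, method, url, status, size = fields
        # Only completed downloads matter: GET with a 2xx status.
        if method != "GET" or not status.startswith("2") or not size.isdigit():
            continue
        if is_enc_download(url):
            hits.append((ts, client, url, int(size)))
    return hits

def summarize(hits):
    """Count .enc downloads per internal client for triage."""
    return Counter(client for _, client, _, _ in hits)

if __name__ == "__main__":
    found = find_enc_downloads(SAMPLE_LOG.splitlines())
    for ts, client, url, size in found:
        print(ts, client, size, url)
    for client, count in summarize(found).most_common():
        print(f"{client}: {count} .enc download(s)")
```

Clients that appear in the summary are candidates for endpoint inspection, since the file only becomes an executable after it is decrypted on the host.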