Editorial: Monster in the Closet

Cyber-crime gets organized, goes legit

October 2007
The attack on Monster.com is the most terrifying identity theft exploit yet. It isn't just the hundreds of thousands of people potentially affected, or the financial impact, or even the fact that it potentially gave an underworld gang access to "secure" systems of the United States government in time of war. What makes the Monster attack so scary is what it tells us about how good the bad guys really are, how far we are from beating them, and how little the Powers That Be seem to care. 

It was 35 years ago that the film The Godfather invented the modern idea of the mob: bloody, to be sure, but run as strategically as any business and, in fact, more strategically than most. Today's criminal organizations are at least as well ordered, and some of them make Don Corleone's operation look quaint. The "new mob" employs hackers and network security experts, along with Wall Street investment managers and Ivy League-educated consiglieri. They're smarter, better organized and, in some cases, better financed than many mainstream companies, and all without having to pay taxes or to comply with Sarbanes-Oxley. Going legit? From their point of view, they're already there. 

Complacency is disaster's companion
Yet somehow, despite all evidence, we still think we're smarter than the criminals and we persist in underestimating them. When they get away with something, we think: they were lucky. When they get caught: it was inevitable. By the end of the show, we believe the forces of good will prevail, order will be restored, life will return to normal.

Wrong.

For proof, consider what a criminal gang called "the Glamorous Team" did to Monster.com.

Now, to judge by most press accounts, the Monster.com scam came down to two little words: file ransom. On September 17, job site Monster.com was notified of a hacker-controlled server in Eastern Europe containing personal data for more than a million Monster customers. "The Glamorous Team" had obtained the job-seekers' data using legitimate login info stolen from corporate and government recruiters, then sent those job seekers official-seeming phishing emails that appeared to come from Monster. 

Victims who clicked had their computers attacked in stages: A Trojan scanned the computer's defenses first, then downloaded a bundled series of malware programs specifically designed to overcome those defenses. Next, the program immediately double-encrypted the user's computer files, then sent an email (signed by "the Glamorous Team") demanding a ransom to unlock them.

It's not surprising that this garnered headlines. But the scheme involved other programs that were actually more effective, and more lucrative—notably one that captured victims' keystrokes and secretly recorded their passwords for online banking and other secure web sites.

On the "social engineering" side, too, the attacks were carefully calculated—so much so that 20 percent of recipients clicked their way into the trap, significantly more than the normal rate for a successful phishing scam.

If the "Glamorous Team" (also being human and thus prone to mistakes) hadn't left its own server unsecured, this complex scheme would have been very difficult to track and might never have been discovered. Was it the first of its kind? There's no way to know for sure, but it certainly won't be the last.

Well played
Unlike your typical database hacker, this group was not content to probe for a single vulnerability, exploit it, and get out of Dodge. From the very start—and apparently based on considerable experience—they came at this with a carefully conceived vision of a multifaceted fraud machine. Far more than a data breach, this intricate scheme generated a shadow economy in which the "Glamorous Team" played people, computers and companies like chess pieces on a grid of interlocking scams. The Wachowski brothers have nothing on this crew. Enter the Matrix? You're already there.

In fact, in a bizarre twist, Monster insisted that it hadn't been hacked, and it hadn't been—at least not in the customary sense. It's true that, for once, network security was not the weakest link in the chain. In this case, social engineering was infinitely more effective than any technical hack in exploiting Monster's weaknesses. The criminals were able to scurry away with at least 1.3 million pieces of sensitive data, not by smashing down the door, but by turning the key and walking in. Instead of merely breaking into a single server, they were able to co-opt the whole system on its own terms—either using phished or guessed passwords belonging to real recruiters or, possibly, posing as recruiters themselves. So while Monster wasn't hacked in the traditional sense, it is far from okay. In fact, the company may have a much larger problem to deal with than a traditional database breach. 
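The abuse described above leaves a trace that network security tools never see: a real recruiter account, with a valid password, pulling resumes at a volume and from places no human recruiter would. The check a practitioner would want is on the application's own access records. Below is an added illustration of that check, written for this editorial and not code from Monster or any vendor. The log format (one line per resume view: timestamp, recruiter account, client IP, resume ID), the account names and IP addresses, and the thresholds are all assumptions; the sample log is constructed.

```python
"""Flag recruiter accounts that look like resume harvesting rather than hiring.

Added example for this editorial, not Monster.com code. Log layout, account
names, IP addresses and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime


def constructed_log():
    """Return constructed (not real) access lines:
    '<ISO8601 timestamp> <recruiter_account> <client_ip> <resume_id>'."""
    lines = []
    # A normal recruiter: a handful of resumes over one morning from one office IP.
    for i in range(4):
        lines.append(f"2007-08-17T09:{i * 10:02d}:00 acme_hr 203.0.113.5 r{1000 + i}")
    # A harvesting session: 250 distinct resumes in under an hour from one IP,
    # the pattern a stolen but otherwise valid login produces.
    for i in range(250):
        lines.append(
            f"2007-08-17T10:{i // 5:02d}:{(i % 5) * 12:02d} bigco_recruit 198.51.100.7 r{2000 + i}"
        )
    # A recruiter whose password is in use from two different networks the same day.
    for i, ip in enumerate(["192.0.2.10", "192.0.2.10", "198.51.100.99"]):
        lines.append(f"2007-08-17T1{i}:30:00 state_dept_hr {ip} r{3000 + i}")
    return lines


def parse_line(line):
    """Split one access line into (datetime, account, client_ip, resume_id)."""
    ts, account, ip, resume_id = line.split()
    return datetime.fromisoformat(ts), account, ip, resume_id


def detect_harvesting(lines, max_resumes_per_hour=100, max_ips_per_day=1):
    """Return a list of findings, one per (account, period) that breaks a threshold.

    Two signals are checked per account:
      bulk_harvest: more distinct resumes viewed in one clock hour than a human
                    recruiter plausibly reads (volume anomaly);
      multi_ip:     the same login used from more client IPs in one day than
                    the account's expected footprint (credential sharing/theft).
    Thresholds are assumptions and must be tuned per site; large staffing firms
    legitimately pull more resumes from more offices than a single recruiter.
    """
    resumes_by_hour = defaultdict(set)   # (account, hour) -> distinct resume IDs
    ips_by_day = defaultdict(set)        # (account, date) -> distinct client IPs
    for line in lines:
        ts, account, ip, resume_id = parse_line(line)
        hour = ts.replace(minute=0, second=0, microsecond=0)
        resumes_by_hour[(account, hour)].add(resume_id)
        ips_by_day[(account, ts.date())].add(ip)

    findings = []
    for (account, hour), ids in sorted(resumes_by_hour.items()):
        if len(ids) > max_resumes_per_hour:
            findings.append({"account": account, "kind": "bulk_harvest",
                             "when": hour.isoformat(), "count": len(ids)})
    for (account, day), ips in sorted(ips_by_day.items()):
        if len(ips) > max_ips_per_day:
            findings.append({"account": account, "kind": "multi_ip",
                             "when": day.isoformat(), "count": len(ips)})
    return findings


if __name__ == "__main__":
    for finding in detect_harvesting(constructed_log()):
        print(finding)
```

Detection of this kind is a backstop, not a fix: it catches the harvesting after some resumes are already gone, and both thresholds produce false positives for high-volume agencies unless they are set per client. The preventive controls the editorial's argument points at are stronger authentication for recruiter accounts and a hard per-account ceiling on resume views, so that a stolen password alone cannot be turned into 1.3 million records.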

Familiar strains
The more things change, the more they stay the same. This part of the criminals' M.O. is actually a painful echo of the ChoicePoint debacle—a story we can assume the decision-makers at Monster knew well. In 2005, Americans learned that a massive but little-known consumer data vendor called ChoicePoint had put more than 160,000 people at risk of identity theft by providing their credit information to supposedly legitimate client businesses. Those clients were running a business, all right—a fraud ring that duped ChoicePoint into selling tens of thousands of consumer credit files to made-up companies. No one hacked ChoicePoint, either, but that was cold comfort to the victims. Nor did it help ChoicePoint, which is still in business, but only after spending $30 million in fines and other costs and being raked over the coals by Congress and the FTC.

Did consumers have a right to expect ChoicePoint—or Monster—to verify that their clients were actually legit before handing over people's personal information? Absolutely. Should the government require it? Of course, but don't hold your breath.

As bad as ChoicePoint was, the recent incident at Monster was much worse. You see, Monster also operates the U.S. Office of Personnel Management's USAJobs.gov web site, where 2 million subscribers—146,000 of whom also had their data stolen—can post resumes and search federal job openings. Most victims accessed Monster.com from work computers, and thousands of them worked for the Department of State, the Department of Transportation, or mammoth defense contractors like Hewlett-Packard and General Dynamics. Which means that every time one of those workers logged on to a secure government database, file server, or intranet from a machine carrying the gang's keystroke logger, the Glamorous Team could have wound up with the password.

What are the criminals doing with this information? No one knows—and the government agencies and companies don't seem to care. None will discuss it, and most blew off explicit warnings from computer security firms. The Department of State and the Department of Transportation "did not take our calls seriously," said one. American Airlines reportedly promised to call back to discuss it "if we can find time ... but don't hold your breath."

Bottom line...
There's a very big problem here. If opportunities exist, they will be seized. That's capitalism, on both sides of the law. But what if the next "opportunity" is a joint venture between Crime Inc. and the Chinese military, or the ex-KGB leaders of the new Russian oligopoly? (Find stateless adversaries more threatening? Swap in the business-savvy jihadists of Al Qaeda.) There's no shortage of people keeping the United States in their strategic crosshairs. For them, access to government servers and secure data—or, for that matter, the ability to cozy up to and then blackmail a well-placed government employee— could advance their agenda in horrifying ways. On this front, mixing political motives with criminal means could prove disastrous.

"If you know neither the enemy nor yourself, you will succumb in every battle," said Sun Tzu in the third chapter of The Art of War. Two and a half millennia later, these words are still true. If we don't wake up and smell the coffee, we can look forward to a world where legitimate businesses cover their eyes and drag their feet while the crooks take the lead.

"Misunderestimating" a smart, skilled and determined enemy—whether the goal is criminal profit, political terrorism, or both—is a sure path to disaster. If it wasn't obvious before the Monster.com story broke, there can be no doubt now that in important ways, our adversaries have the edge. It doesn't help when the people who are supposedly on our side—the businesses, institutions, and agencies we trust to protect our identities—turn out to be unwilling or unable to do their part. It may not be easy, but the rest of us need to look them in the eye and give them a simple message: You need us more than we need you. Get it right and be straight with us about it, or we're gone. We don't need another Monster in the closet. 

©2003-2010 Identity Theft 911, LLC. All rights reserved.
