Seek.com.au targeted by e-mail harvesting tool
Security researchers have discovered an e-mail harvesting tool that was pre-configured to target Seek.com.au's candidate database — but a Seek executive claims its database is immune to such an attack.
The e-mail harvesting tool, which has been assessed by security researcher Dancho Danchev, attempts to pilfer candidate details from databases that are usually only accessible by advertisers. It is configured to attack 10 different recruitment sites — mainly based in the US and UK.
The tool relies on the availability of stolen passwords, likely acquired through targeted malware and keylogger attacks on potential advertisers, Danchev told ZDNet.com.au.
"The tool uses and logs onto the site as a registered user, in order to gain access to [information] normally restricted to [advertisers]. Going through some of the log files that I obtained, full names associated with e-mail addresses from certain sites were found," he said.
However, Seek product director Carey Eaton told ZDNet.com.au that even if an account had been compromised, Seek's databases are immune to the automated attack tool because of the way it structures advertiser access to its candidate databases.
"All those [US recruitment sites] offer casual advertisers résumé database products where customers can get wholesale access to the database of candidates — Seek does not have such a product and part of the reason we don't have one is because of this issue," said Eaton.
"Only trusted advertisers of a certain volume can get access to the résumé database. That's the first hurdle," he said. Also, advertisers can only search within specific categories relevant to previous job postings.
"For example, if you place an IT job in a certain location, you can only search the résumé database within IT in that location, so this means there is no such thing as doing a search on our entire database," he said.
But Danchev claims there is a risk: "Any database of any of the sites mentioned can be parsed to a certain extent — not the whole database, but significant parts of it... The idea behind the assessment was to raise awareness of the fact that automated tools are in the works, and how career Web sites should balance usability with security".
Seek's Eaton disagreed: "To use an automated tool to parse the database, it would have to post ads, and speak to customer service, so it fundamentally won't work."
Chris Gatford, senior security analyst for Pure Hacking, told ZDNet.com.au that Seek advertisers were recently targeted by phishers who were attempting to gain passwords to their Seek accounts to post job ads for money mules.
"Their rationale was that if you get an organisation like Commonwealth Bank advertising one of these money mule jobs, they would have more credibility and attract more people," said Gatford.
Seek's Eaton said fraudulent job advertisements is one area that Seek "throws resources".
"We throw resources — money and time — at the detection of fraudulent activity... For every new advertiser, we check that they are a human being. The key goal is to reduce the amount of fraudulent activity published to the Web site to zero, and to reduce the impact to job seekers."
"We are dealing with highly sophisticated criminal activity, generally around money laundering, identity theft, and fraud," he said.
Other recruitment sites targeted include CareerBuilder.com, ComputerJobs.com, MilitaryHire.com and Monster.com.