
Users infected as they search for jobs

Quick-change Trojan hits job sites.

A security researcher at SecureWorks has uncovered a data cache stolen by a variant of Prg, a Trojan program. Many of the victims were infected by visiting job-search sites, including

The stolen data, which was taken from about 46,000 individuals, includes bank and credit card account information and Social Security numbers, as well as usernames and passwords for online accounts.

Don Jackson, the SecureWorks researcher who found the collection, said it was the largest single cache of data he discovered from the Prg Trojan, a piece of malware first seen in the wild in June. According to Jackson, the server he examined is still collecting stolen data, with up to 10,000 victims feeding it information at any particular time.

That server is one of 20 similar servers worldwide that are collecting and storing data stolen by Prg. Twelve of those servers - including the one with the large data cache - are being managed by a single hacking group known for naming their attacks after car manufacturers such as Bugatti, Ford and Mercedes, Jackson said.

The "car group's" success in compromising and stealing information from so many individuals is based on two factors, Jackson said. The first appears to have been their success in widely distributing the malware: the group used online ad aggregation services to place infected ads on job-search services as well as other websites, he said.

A user clicking on one of the malicious ads is taken to an exploit page that "fingerprints" the user's browser and then serves up between one and four exploits designed to infect the user's system with the Trojan. From that point on, all information the user enters into the browser is captured and sent off to the hacking group's servers, Jackson said.

The other reason for the widespread compromises is the group's sheer industry - they've been releasing a new variant of the Trojan every five days to a week, on average, and sometimes even quicker. Anti-virus tools are having a hard time keeping up with the variants, Jackson said, so infections are going undetected for several weeks in many cases. Many of those whose data has been stolen appear to have been infected multiple times by successive variants of the Trojan.

A number of Prg variants are known to operate in part by opening port 6081 on victims' computers and listening for connections there. Some experts suggest that concerned parties looking to cut Prg off at the knees might start by blocking inbound and outbound traffic on 6081.
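As an added illustration of the port-6081 advice above (example code, not part of the original article or of SecureWorks' tooling), the script below runs over constructed firewall log lines in an iptables-style "SRC= DST= SPT= DPT=" format and flags internal hosts that accept or initiate TCP connections on that port. It assumes 10.0.0.0/8 is the internal network; the log lines are constructed samples, not captured traffic.

```python
import re
from collections import defaultdict

# Port the article says some Prg variants open and listen on.
PRG_PORT = 6081

# Constructed sample lines (not real traffic) in a generic
# "SRC= DST= PROTO= SPT= DPT=" style similar to iptables LOG output.
SAMPLE_LOG = """\
Oct 12 09:14:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 PROTO=TCP SPT=49211 DPT=6081 SYN
Oct 12 09:14:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=203.0.113.9 PROTO=TCP SPT=50123 DPT=443 SYN
Oct 12 09:15:11 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.5.23 PROTO=TCP SPT=33001 DPT=6081 SYN
Oct 12 09:16:40 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=198.51.100.7 PROTO=UDP SPT=6081 DPT=53
Oct 12 09:17:02 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.4 DST=10.0.5.88 PROTO=TCP SPT=4455 DPT=6081 SYN
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")


def is_internal(ip):
    """Assumption for this example: 10.0.0.0/8 is the internal network."""
    return ip.startswith("10.")


def flag_prg_port(log_text, port=PRG_PORT):
    """Return {internal_host: [(direction, peer, proto), ...]} for TCP traffic
    whose *destination* port is `port`. Source-port matches are deliberately
    ignored: an ephemeral source port can legitimately equal 6081, but a
    listener on 6081 only shows up as a destination port."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, _spt, dpt = m.groups()
        if proto != "TCP" or int(dpt) != port:
            continue
        if is_internal(dst):      # outside peer reaching a local listener
            hits[dst].append(("inbound", src, proto))
        elif is_internal(src):    # local host reaching out to port 6081
            hits[src].append(("outbound", dst, proto))
    return dict(hits)


if __name__ == "__main__":
    for host, events in sorted(flag_prg_port(SAMPLE_LOG).items()):
        print(host)
        for direction, peer, proto in events:
            print(f"  {direction:8s} {proto} peer={peer}")
```

A host that both accepts inbound 6081 connections and reaches out to the same peer on 6081 (as 10.0.5.23 does in the sample) is the pattern worth triaging first.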

Prg appears to be a variant of a somewhat older Trojan known as wnspoem, discovered last October. Like its predecessor, Prg is designed to sniff sensitive data from Windows internal memory buffers before the data is encrypted, which means the malware can circumvent SSL protection. When SecureWorks researchers noted back in June that a Prg construction kit was making the rounds, the data caches they analysed contained a remarkable amount of information from corporate PCs, which suggests that attackers are now expanding their focus.

It's not entirely clear how the stolen information in the latest attacks is being used, but Jackson says that the kind of data that the Trojan has cached seems to indicate that the data is being stolen for identity theft purposes.


Article comments

uk jobs advice said: I believe there are quite a few UK-based job search engine companies like JobHits which provide more advanced search filter options. The good thing is they are UK-based rather than a US "own the world" kind of company.

boini said: I need this.

sothea said: Delete virus from my computer.

Ed said: I think that these asshole hackers should be put to death. For real. If we had a cable TV channel featuring the execution of these smart-assed punks that can't seem to use their brains for something constructive, it would go a long way in reducing the problems they create. Let's take a poll and find out the most cruel and unusual punishment available to put the hackers to death.

judith cook, tentu98@verizon.n said: Your website tells me I have 3 virus threats: Spy-agent, W32Checkout91dob881 & W32Xiashoworm. My subscription, which does not expire until 2009, should have taken care of these automatically. Please correct these problems. I subscribe to be protected, not to read a bunch of computerese about things I should do, and when I do them they do not fix the problem.

Sam Umscheid said: My virus scan will not enable. I can't get help from anyone. Sam Umscheid lovwinsaolcom

JOHNNY said: Any help on removing AdwareWin32GenericA?

Quianna said: I would like to remove the trojan virus on my computer. Clean virus.

Kellie said: I feel that whoever gets caught doing this should be thrown in jail.

Remon Safwat said: My computer has a trojan virus, pswx- vir trojan. Help me to remove it.

John Saunders said: The protection needs to be better.

said: I need to get rid of a trojan on my computer. How do I do it?

barbara baylom said: I don't know how trojans got on my computer, but I would love for them to be taken off immediately.

lptpeiris said: I want a virus remover.

Bonnie Spake said: I have been trying to download AOL's programs and I'm not getting through.

Hoamattham said: Sorry, I have only just learned English; for me it is hard. Trojan... But I hate it: trojan horse, trojan-ace-x, Trojan W32 Looksky.

Estheruka said: I have scanned my computer for viruses and it has detected 24 files. What do I do?

guido lucco said: I have just been robbed of 60 euro from my PostCard from Poste Italiane while attempting to buy Registry Mechanic 7.0. I have had McAfee VirusScan installed since 2005. What should I do in this case? Thank you for your prompt help. Guido

mahmoud said: Thx, thx.