US job hunters blackmailed in Monster.com hack
Monster, the world's largest recruitment website, was left reeling this week when thousands of US jobseekers were targeted in a sophisticated phishing blackmail scam. John Stokdyk reports.
American users who had registered with the site received emails last week inviting them to download a Job Seeker Tool from Monster.

An accident waiting to happen ....
Monster.com was not hacked in the traditional sense of the word. Instead, the attackers accessed the resume database with legitimate usernames and passwords, probably stolen from professional recruiters. Then HTTP commands were fired at the site, the results harvested, and people held to ransom, etc.
Really quite a neat approach - anyway most of these sites are an accident waiting to happen
Actually it's not that difficult to do, and in fact once the hacker obtained the recruiter password anyone could do the same - even without wrapping it in a trojan. At a guess any recruiter has virtually complete access to the candidate DB to vet candidates, and their details are pretty much an open book at that stage - dangerous approach.
It is a very simple matter for the computer to page through summary employee details (based on search criteria) and screen scrape the results - the 5 lines of code below provide the capability.
objWebRequest = CType(System.Net.WebRequest.Create(strURL), System.Net.HttpWebRequest)   ' strURL: the summary or detail page to fetch
objWebRequest.Method = "GET"                                                              ' an ordinary GET, the same request a browser would send
objWebResponse = CType(objWebRequest.GetResponse(), System.Net.HttpWebResponse)
streamReader = New System.IO.StreamReader(objWebResponse.GetResponseStream)
strHTML = streamReader.ReadToEnd                                                          ' the raw HTML of the page, ready to be parsed
The points are:
- using a screen scrape, the target is not necessarily aware of what is going on unless they are monitoring traffic and source - anyway their site is being accessed legitimately via the browser
- screen scraping detail pages from candidate summary pages is simple
- screen scraping is not the fastest way of doing things but depending upon the connection speeds & parsing required one could probably operate at about 10,000 records/hr.
This scenario is precisely why a question about 'Mash-Ups' was posted a while ago (http://www.accountingweb.co.uk/cgi-bin/item.cgi?id=167678), because in some cases they do pretty much the same thing, but in a benign manner.
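The comment above makes the point that a scrape run with a valid recruiter login looks like legitimate browsing unless someone is monitoring traffic. The following is an added example of that monitoring, written for this page and not taken from the article or the commenter: it reads constructed web-access log lines and flags recruiter accounts that open candidate detail pages faster than a person could read them, or that walk candidate IDs in sequence. The log format, account names, URL paths and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real site data; format is an assumption):
# recruiter_a pages through detail records once a second, recruiter_b at human pace.
SAMPLE_LOG = "\n".join(
    [f"2007-08-20T09:00:{s:02d} user=recruiter_a GET /candidate/detail?id={1000 + s}"
     for s in range(40)]
    + ["2007-08-20T09:00:05 user=recruiter_b GET /candidate/search?q=accountant",
       "2007-08-20T09:01:10 user=recruiter_b GET /candidate/detail?id=2207",
       "2007-08-20T09:04:42 user=recruiter_b GET /candidate/detail?id=2319"]
)

LINE_RE = re.compile(r"^(\S+) user=(\S+) GET (\S+)$")
DETAIL_RE = re.compile(r"^/candidate/detail\?id=(\d+)$")

def parse_log(text):
    """Yield (timestamp, user, candidate_id) for every candidate detail-page hit."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        d = DETAIL_RE.match(m.group(3)) if m else None
        if d:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(d.group(1))

def find_scrapers(text, window_s=60, max_hits=30, min_sequential=10):
    """Return {user: reason} for accounts fetching detail pages at machine speed or walking IDs in order."""
    hits = defaultdict(list)
    for ts, user, cid in parse_log(text):
        hits[user].append((ts, cid))
    flagged = {}
    for user, events in hits.items():
        events.sort()
        # Sliding window: the most detail hits seen within any window_s seconds.
        peak, start = 0, 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        # Longest run of consecutive candidate IDs in request order (enumeration).
        run = best_run = 1
        for (_, a), (_, b) in zip(events, events[1:]):
            run = run + 1 if b == a + 1 else 1
            best_run = max(best_run, run)
        if peak > max_hits:
            flagged[user] = f"{peak} detail pages in {window_s}s"
        elif best_run >= min_sequential:
            flagged[user] = f"{best_run} sequential candidate ids"
    return flagged
```

At the commenter's estimate of about 10,000 records an hour, a single account would trip the 30-per-minute rate check within its first minute; the sequential-ID check catches a slower, throttled run that still pages through records in order.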