How To Block "Profile Attacks"?
Posted: Sun Jan 25, 2009 8:47 am
Check this out....
http://www.theregister.co.uk/2009/01/24 ... ty_breach/
For lack of a better name, I'm going to call this sort of attack a "Profile Attack". (If you know a better one, then I'll retitle the thread.)
I'm building a similar system to monster.com. So, what do you recommend I do to prevent this kind of profile attack? Basically, as you can see in the hyperlink above, a virus was specifically written to seek out a monster.com employer account username and password. Once obtained, it logged in under those credentials and started scraping email addresses and other identity information from candidate profiles. Once it received these, it started sending these people phishing requests, worm virus-laced spam (most likely to turn their PC into a zombie spam PC), and illegal money mule requests.
Now, one of the things my system will do is provide privacy controls for job candidates to specify. We specifically have fields that can be set as Employer-Only, Interviewer-Only, or Everyone. So, for instance, by default an email address is set to Interviewer-Only. And to enable that feature, one has to receive an interview request for a position and actually click "Accept Interview". Once they do that, the employer is then granted access to that email address. We also warn end users of the consequences.
So, again, any advice you have on preventing this kind of attack would be greatly appreciated.
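The field-level privacy scheme described in the post above, as an added example that is not part of the original post or of the poster's system: each profile field carries a visibility level, and an employer account only reaches the Interviewer-Only level for a candidate who accepted that employer's interview request. The class and function names, the field names other than email, the non-email defaults, and the in-memory storage are assumptions made for illustration.

```python
from enum import IntEnum

class Visibility(IntEnum):
    EVERYONE = 0
    EMPLOYER_ONLY = 1
    INTERVIEWER_ONLY = 2

# Assumed defaults; the post only states that email defaults to Interviewer-Only.
DEFAULT_VISIBILITY = {
    "headline": Visibility.EVERYONE,
    "resume": Visibility.EMPLOYER_ONLY,
    "email": Visibility.INTERVIEWER_ONLY,
}

class Candidate:
    def __init__(self, candidate_id, fields, overrides=None):
        self.candidate_id = candidate_id
        self.fields = fields
        # Candidate-chosen settings override the defaults per field.
        self.visibility = {**DEFAULT_VISIBILITY, **(overrides or {})}
        self.accepted_employers = set()

    def accept_interview(self, employer_id, pending_requests):
        # The grant is created only by the candidate accepting a request that
        # really exists; an employer account cannot grant itself access.
        if (employer_id, self.candidate_id) not in pending_requests:
            raise PermissionError("no interview request from this employer")
        pending_requests.discard((employer_id, self.candidate_id))
        self.accepted_employers.add(employer_id)

def viewer_level(candidate, employer_id):
    # The level is computed per (employer, candidate) pair, never per account.
    if employer_id is None:
        return Visibility.EVERYONE
    if employer_id in candidate.accepted_employers:
        return Visibility.INTERVIEWER_ONLY
    return Visibility.EMPLOYER_ONLY

def visible_profile(candidate, employer_id=None):
    level = viewer_level(candidate, employer_id)
    # A field with no visibility entry is treated as the most restrictive.
    return {
        name: value
        for name, value in candidate.fields.items()
        if candidate.visibility.get(name, Visibility.INTERVIEWER_ONLY) <= level
    }
```

With this filter applied server-side, a logged-in employer account that walks candidate profiles receives email addresses only for candidates who accepted an interview with that specific employer.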