Fraudsters focus on job sites
Robert Lemos, SecurityFocus 2007-08-22

Prospective workers that use job sites to gain exposure for their résumés may also be exposing their personal information to fraudsters, according to recent research by security companies.

On Friday, two security firms reported that malicious programs had stolen information on hundreds of thousands of people from Monster.com and other major online job-searching Web sites. Security company Symantec, the owner of SecurityFocus, reported on Friday that a program it had dubbed Infostealer.Monstres had used credentials for job site Monster.com to build a database of details on several hundred thousand people.

The same day, researchers from managed security firm SecureWorks described finding a large cache of data, representing information on almost 46,000 job seekers. That information had been stolen using a malicious program, which SecureWorks called the Prg Trojan, that infected victims through advertisements appearing on job-search sites, SecureWorks researcher Don Jackson said in a blog post.

"When I first discovered this large cache of data, I couldn’t figure out how the hackers were compromising so many websites, and as a result, infecting so many victims," Jackson wrote. "However, when I uncovered the Trojan-injected advertisements, it made total sense."

The breaches appear to affect people who have posted their résumés online with Monster.com, CareerBuilder.com, and other services. The Trojan horse detected by Symantec includes hard-coded instructions for logging onto Monster.com and searching for the personal details of potential job applicants. Fraudsters have already started using the information to send more personalized e-mail messages. The information in the fraudulent messages appears to have been culled not only from Monster.com but also from other job sites, according to Symantec.

"You have a class of people that all have something in common -- they have submitted résumés to job databases," said Patrick Martin, senior product manager for Symantec. "That's the hook, as opposed to your average spam, where you might say, I have no interest in these pills or stocks, but this other message looks like it's from a real employer."

Monster.com could not immediately be reached for comment. A representative of CareerBuilder.com stated that the site had not been attacked, but that the e-mail scams seen by Symantec were likely playing off the assumption that people post their résumés on more than one job site.

The attacks are the latest warning to job sites and seekers that résumés have become valuable commodities in the underground economy. In 2005, a privacy watchdog warned that employment details were increasingly being used by identity thieves to open accounts in other people's names. Moreover, work details can help turn massive spam campaigns into far more effective targeted attacks. Earlier this year, a Trojan horse that posed as a complaint from the Better Business Bureau claimed thousands of victims after it was targeted at executive management at small and medium firms.

The latest attacks target job seekers in separate ways.

The scheme uncovered by Symantec uses stolen recruiter credentials, which are permitted to search the résumé database with broad queries, to find potential victims and send their details to a server in Eastern Europe. Computers infected with the Infostealer.Monstres program issued the searches, so the database queries appeared to come from a large number of systems and were thus less likely to arouse suspicion.

The attack underscores that sites holding sensitive information need to have better technology in place to detect not just obvious attacks, but more subtle anomalies like the searches on Monster.com, said Prat Moghe, founder and chief technology officer for Tizor Systems.
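The pattern just described (one recruiter account, bulk wildcard searches spread across many infected machines so that no single host looks busy) is exactly the kind of subtle anomaly a job site's audit logs can surface if someone looks at them per account rather than per source address. The following detector is an added example written for this article, not code from Symantec, SecureWorks, Monster.com or Tizor; the search-audit log format, the sample records and the thresholds are all constructed assumptions. It groups search records by account and hour, then flags an account that is used from more distinct source IPs than a real recruiter plausibly would be, or whose queries within the hour are mostly "broad" (single-term or wildcard) once the volume is high enough to matter.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of recruiter search-audit records (the format is an
# assumption, not any job site's real log): ISO timestamp, recruiter account,
# source IP, quoted search terms. rec_acme behaves like a normal recruiter;
# rec_globalhr is a compromised account driven from six different hosts.
SAMPLE_LOG = """\
2007-08-17T09:02:11 rec_acme 203.0.113.10 "java developer boston"
2007-08-17T09:15:40 rec_acme 203.0.113.10 "oracle dba remote"
2007-08-17T10:03:02 rec_acme 203.0.113.10 "network engineer cisco"
2007-08-17T10:41:19 rec_acme 203.0.113.10 "project manager pmp"
2007-08-17T09:00:05 rec_globalhr 198.51.100.7 "*"
2007-08-17T09:00:09 rec_globalhr 198.51.100.23 "resume"
2007-08-17T09:00:14 rec_globalhr 192.0.2.44 "*"
2007-08-17T09:00:20 rec_globalhr 198.51.100.91 "a"
2007-08-17T09:00:27 rec_globalhr 192.0.2.130 "*"
2007-08-17T09:00:33 rec_globalhr 203.0.113.201 "resume"
2007-08-17T09:00:40 rec_globalhr 198.51.100.7 "*"
2007-08-17T09:00:46 rec_globalhr 192.0.2.44 "e"
2007-08-17T09:00:51 rec_globalhr 198.51.100.23 "*"
2007-08-17T09:00:58 rec_globalhr 192.0.2.130 "resume"
"""


def parse_line(line):
    """Split one audit record into (timestamp, account, source_ip, query)."""
    ts, account, ip, query = line.split(" ", 3)
    return datetime.fromisoformat(ts), account, ip, query.strip('"')


def is_broad(query):
    """A query with fewer than two terms, or containing a wildcard, sweeps the
    whole database instead of targeting a role; that is the harvesting signature."""
    terms = query.split()
    return len(terms) < 2 or any("*" in t for t in terms)


def analyze(log_text, max_ips=3, min_queries=8, max_broad_fraction=0.5):
    """Return a list of findings, one per (account, hour) bucket that looks like
    a shared credential being used for bulk harvesting. Thresholds are assumed."""
    stats = defaultdict(lambda: {"ips": set(), "queries": 0, "broad": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, query = parse_line(line)
        hour = ts.replace(minute=0, second=0, microsecond=0)
        bucket = stats[(account, hour)]
        bucket["ips"].add(ip)
        bucket["queries"] += 1
        bucket["broad"] += int(is_broad(query))

    findings = []
    for (account, hour), s in sorted(stats.items()):
        reasons = []
        # A recruiter logging in from many hosts in one hour suggests the
        # credential is being replayed by a botnet rather than one person.
        if len(s["ips"]) > max_ips:
            reasons.append(f"{len(s['ips'])} source IPs")
        # Many queries that are mostly wildcards or single terms look like
        # database scraping, not candidate sourcing.
        if s["queries"] >= min_queries and s["broad"] / s["queries"] > max_broad_fraction:
            reasons.append(f"{s['broad']}/{s['queries']} broad queries")
        if reasons:
            findings.append({"account": account, "hour": hour.isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['account']} @ {f['hour']}: {', '.join(f['reasons'])}")
```

Keying the statistics on the account rather than the source address is the whole point: per-IP rate limiting would see six quiet hosts, while the per-account view sees one credential doing the work of a scraper. In practice the thresholds would be tuned against a baseline of how recruiters actually search, and a hit would feed a credential reset and a review of what that account was allowed to export.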

"The job sites have not been an obvious target so far because they have advertised their information in the public space for some time," Moghe said. "But attackers have now figured out how to use those e-mails for other scams. This is a secondary attack."

The personal details mined from Monster.com were then used by scammers to send offers for work-at-home positions that required the victim to open a new bank account or use their current account. Any person who gave up such details would likely see several quick withdrawals, Symantec's Martin said.

"Part One of the attack is to steal information -- all attacks start that way -- and they just happened to steal job information," Martin said. "Part Two is they get your bank account and steal your money."

The attack uncovered by SecureWorks is more traditional, but uses malicious code in advertisements on job sites to infect victims, according to SecureWorks' Jackson. The information -- including name, address, and Social Security numbers -- is then used for identity fraud.

"These job sites get quite a bit of traffic, so it is no wonder that the hackers are having such success," Jackson wrote in his blog post.

Symantec has notified Monster.com of the stolen recruiter accounts, the company said.

UPDATE: The article was updated with comment from CareerBuilder.com.
