They initially focused on CareerBuilder.com (largest employment website in the US), but now also on Monster.com (one of the largest in the world).
The fake login page victims are served with looks virtually identical to the legitimate one, but the next one is web form injected by the malware:
There are 18 different questions to choose from, and they range from the name of the city where your sibling lives/you got your first job/you met your spouse, to the name of your school(s)/friend/work supervisor and significant dates and numbers in your life.
F-Secure researchers warn HR recruiters with website accounts to be on the lookout for any such irregularities.
"If the account is potentially tied to a bank account and a spending budget … it's a target for banking trojans," they point out.