The victims were apparently tricked into downloading the malicious software through fake job listings. A massive number of job applications were found on a website hosted on Yahoo!, which the criminals behind the scam used to store the stolen information. That website, which had probably been hacked by the criminals, was shut down on Tuesday. According to Prevx CEO Mel Morris, this was a well-coordinated attack, and he is worried that such a high percentage of the infected PCs are related to the transportation sector:
"When we reverse-engineered the IP addresses of those computers, we couldn't believe that this was a daisy chain that led to government-associated sites and to other defense contractors, and to American Airlines," Morris said. "This was a very highly targeted attack."
Nonetheless, it's still hard to characterize what motivated the attack. Data downloaded from the website and decrypted is currently under investigation by the FBI's Law Enforcement Online program.