
Millions of records are stolen from websites with SQL injection


Hackers from the group calling themselves ResumeLooters compromise recruiting and retail websites using SQL injection and XSS (cross-site scripting) attacks. Between November and December last year, the gang stole more than 2 million email addresses and other personal information from at least 65 websites, reports threat intelligence firm Group-IB.

Relying primarily on SQL injection attacks, ResumeLooters has been active since early 2023, selling the stolen information in Chinese-language hacking-themed Telegram groups. As part of the November-December campaign, the group mainly hit locations in India (12), Taiwan (10), Thailand (9), Vietnam (7) and China (3). However, it has also been seen targeting victims in Australia, the Philippines, South Korea, Japan, the USA, Brazil, Russia and Italy.

The group has primarily focused on compromising retail and recruitment websites, but victims have also been identified in the professional services, delivery, real estate and investment sectors.

The observed attacks resembled those launched by GambleForce, a threat operator that relies on SQL injections to compromise gambling and government websites in Asia-Pacific. Just like GambleForce, ResumeLooters has been seen using several open source tools and penetration testing frameworks in its SQL injection attacks. The main difference between them, however, is that ResumeLooters also injected XSS scripts into legitimate job search websites; the scripts were designed to display phishing forms and collect administrative credentials. The scripts were run on at least four websites and on some devices with administrative access.

In one case, the group created a fake employer profile on a recruitment website and injected an XSS script using one of the profile’s fields. In another case, XSS code was included on a fake resume. Through the injection of malicious SQL queries, the threat operator was able to recover databases containing around 2.2 million rows, of which more than 500 thousand represented user data from job sites.

“It is confirmed that ResumeLooters stole multiple databases containing 2,079,027 unique emails and other records such as names, phone numbers, dates of birth, as well as information about job seekers’ experience and employment history,” Group-IB states.

These attacks take advantage of poor security and poor database management practices and demonstrate how much damage can be done with publicly available tools, notes Group-IB, adding that companies can easily avoid falling victim to groups like GambleForce and ResumeLooters.

“In addition to the potential exposure of job seeker data — including phone numbers, email addresses, and other personal information — multiple APT groups could leverage this information to further target specific individuals,” the cybersecurity firm notes.


Source: CisoAdvisor
