Security researchers have uncovered a major data theft campaign targeting users of employment agency and retail websites mainly in APAC.
Dubbed “ResumeLooters” by Group-IB, the gang was first detected in November 2023. It compromised 65 websites in November and December last year using SQL injection attacks (SQLi), as well as injecting cross-site scripting (XSS) scripts into a handful of additional sites.
Among the data stolen were names, phone numbers, email addresses and dates of birth, as well as information about job seekers’ experience, employment history and other sensitive personal data, Group-IB claimed.
It said over two million unique email addresses were stolen in the campaign, which focused mainly on India, Taiwan, Thailand and Vietnam. The stolen data was then put up for sale in “Chinese-speaking, hacking-themed Telegram groups.”
The SQLi attacks targeted the back-end user databases run by the compromised companies, while the XSS injections were designed to display phishing content, such as fake CVs, on the affected sites and on visitors’ devices.
“ResumeLooters tried inserting XSS scripts into all possible web forms of the targeted websites, hoping they would display phishing forms to obtain admin credentials,” Group-IB said.
The threat intelligence firm also found evidence of various pen-testing tools on ResumeLooters’ malicious servers, including: sqlmap, Acunetix, BeEF Framework, X-Ray, Metasploit, ARL (Asset Reconnaissance Lighthouse) and Dirsearch.
Attacks Reminiscent of GambleForce
Over 70% of victims were located in Asia, adding weight to the theory that the group was Chinese in origin, although compromised companies were also located in Brazil, the US, Turkey, Russia, Mexico, Italy and other non-APAC countries.
“Notably, this is the second group described by Group-IB in less than two months that is conducting SQL injection attacks against companies in the Asia-Pacific region. In December 2023, Group-IB published a report about GambleForce – an SQL injection gang that has carried out over 20 attacks against websites in the region,” Group-IB noted.
The report recommended firms follow simple best practices such as using web application firewalls and conducting input validation/sanitization to mitigate the threat from SQLi and XSS attacks.
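As an added illustration of that recommendation (example code, not from Group-IB or the article): a constructed job-board lookup in Python showing a string-spliced query beside its parameterized form, plus HTML-escaping of a user-supplied CV field before it is rendered. The table, names and email addresses are all made up for the demo.

```python
import html
import sqlite3

# Constructed sample: a tiny candidate table standing in for a job board's back-end database.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE candidates (name TEXT, email TEXT, experience TEXT)")
    conn.executemany(
        "INSERT INTO candidates VALUES (?, ?, ?)",
        [
            ("Asha Rao", "asha@example.invalid", "5 years, data engineering"),
            ("Conor O'Brien", "conor@example.invalid", "2 years, support"),
        ],
    )
    return conn

def search_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable pattern: the form value is spliced into the SQL text, so any quote
    # character the user types changes the statement itself (the SQLi root cause).
    sql = f"SELECT email FROM candidates WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened pattern: the value is bound as a parameter and is never parsed as SQL.
    rows = conn.execute("SELECT email FROM candidates WHERE name = ?", (name,))
    return [row[0] for row in rows]

def unsafe_breaks_on_quote(conn: sqlite3.Connection, name: str) -> bool:
    # True when the spliced query fails on ordinary input containing an apostrophe,
    # i.e. when the query structure depends on user-controlled characters.
    try:
        search_unsafe(conn, name)
        return False
    except sqlite3.Error:
        return True

def render_profile_field(value: str) -> str:
    # Output encoding for an HTML body context: markup in a user-supplied CV field
    # is rendered as text instead of executing, which is what blocks stored XSS.
    return f"<td>{html.escape(value, quote=True)}</td>"
```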
“ResumeLooters is yet another example of how much damage can be made with just a handful of publicly available tools. These attacks are fueled by poor security as well as inadequate database and website management practices,” it concluded.
“Both GambleForce and ResumeLooters employ very straightforward attack methods. Their attacks are easily avoidable. This newly discovered malicious campaign serves as a reminder of the need for organizations to prioritize cybersecurity and stay vigilant against evolving threats.”