A threat group known as ‘ResumeLooters’ has successfully stolen the personal information of over two million job seekers by exploiting vulnerabilities in 65 legitimate job listing and retail websites using SQL injection and cross-site scripting (XSS) attacks.
Their primary focus has been on the APAC region, specifically targeting job sites in Australia, Taiwan, China, Thailand, India, and Vietnam. The stolen information includes job seekers’ names, email addresses, phone numbers, employment history, education details, and other relevant data.
Group-IB, a cybersecurity firm that has been monitoring ResumeLooters since its inception, reports that in November 2023, the threat group attempted to sell the stolen data through Telegram channels.
Source: BleepingComputer
ResumeLooters Gang Compromising Legitimate Sites
ResumeLooters utilizes SQL injection and XSS techniques as their primary methods to infiltrate specific websites, with a particular focus on job-seeking platforms and retail shops.
Their pen-testing phase involved the use of open-source tools like:
- Acunetix: A web vulnerability scanner that identifies common vulnerabilities such as XSS and SQL injection, and provides reports for remediation.
- Metasploit: A versatile framework that allows the development and execution of exploit code against target systems. It can also be used for security assessments.
- SQLmap: An automated tool that detects and exploits SQL injection flaws, enabling the compromise of database servers.
- X-Ray: This tool is designed to detect vulnerabilities in web applications, providing insights into their structure and potential weaknesses.
- Beef Framework: Exploiting web browser vulnerabilities, this framework assesses the security posture of a target through client-side vectors.
- ARL (Asset Reconnaissance Lighthouse): A scanning and mapping tool for online assets, helping to identify potential vulnerabilities in network infrastructure.
- Dirsearch: A command-line tool used for brute-forcing directories and files in web applications, uncovering hidden resources.
Script injected on the target website
Source: Group-IB
Group-IB’s Analysis of ResumeLooters’ Campaign
After identifying and exploiting security weaknesses on target sites, ResumeLooters injects malicious scripts into numerous locations in a website’s HTML.
Certain injection points within websites, such as script triggers, can execute the injected script, while others, like form elements or anchor tags, simply display the injected script without execution. However, when injected effectively, a malicious remote script is activated, leading to a phishing forms that aim to steal visitors’ personal information.
Group-IB has also observed instances where the attackers employed custom attack techniques. This includes the creation of fraudulent employer profiles and the posting of counterfeit CV documents that contain XSS scripts.
Malicious resume used for script injection
Source: Group-IB
Thanks to a security oversight by the attackers, Group-IB successfully infiltrated the database hosting the stolen data. This revelation uncovered that the attackers had managed to gain administrative access to some of the compromised websites.
Open directory exposing stolen data
Source: Group-IB
ResumeLooters conducts these attacks for financial gain. They attempt to monetize the stolen data by selling it to other cybercriminals through two Telegram accounts using Chinese names, namely “渗透数据中心” (Penetration Data Center) and “万国数据阿力” (World Data Ali).
While Group-IB does not explicitly confirm the attackers’ origin, the fact that ResumeLooters engages in the sale of stolen data within Chinese-speaking groups and utilizes Chinese versions of tools like X-Ray strongly indicates a high likelihood that they are operating from China.