ResumeLooters Gang Steal Data of 2 Million in XSS Attacks Using SQL injection

ResumeLooters Gang Steal Data of 2 Million in XSS Attacks Using SQL injection
Table of Contents
    Add a header to begin generating the table of contents

    A threat group known as ‘ResumeLooters’ has successfully stolen the personal information of over two million job seekers by exploiting vulnerabilities in 65 legitimate job listing and retail websites using SQL injection and cross-site scripting (XSS) attacks.

    Their primary focus has been on the APAC region, specifically targeting job sites in Australia, Taiwan, China, Thailand, India, and Vietnam. The stolen information includes job seekers’ names, email addresses, phone numbers, employment history, education details, and other relevant data.

    Group-IB, a cybersecurity firm that has been monitoring ResumeLooters since its inception, reports that in November 2023, the threat group attempted to sell the stolen data through Telegram channels.

    ResumeLooters

    Source: BleepingComputer

    ResumeLooters Gang Compromising Legitimate Sites

    ResumeLooters utilizes SQL injection and XSS techniques as their primary methods to infiltrate specific websites, with a particular focus on job-seeking platforms and retail shops.

    Their pen-testing phase involved the use of open-source tools like:

    • Acunetix: A web vulnerability scanner that identifies common vulnerabilities such as XSS and SQL injection, and provides reports for remediation.
    • Metasploit: A versatile framework that allows the development and execution of exploit code against target systems. It can also be used for security assessments.
    • SQLmap: An automated tool that detects and exploits SQL injection flaws, enabling the compromise of database servers.
    • X-Ray: This tool is designed to detect vulnerabilities in web applications, providing insights into their structure and potential weaknesses.
    • Beef Framework: Exploiting web browser vulnerabilities, this framework assesses the security posture of a target through client-side vectors.
    • ARL (Asset Reconnaissance Lighthouse): A scanning and mapping tool for online assets, helping to identify potential vulnerabilities in network infrastructure.
    • Dirsearch: A command-line tool used for brute-forcing directories and files in web applications, uncovering hidden resources.
    Script injected on the target website

    Script injected on the target website

    Source: Group-IB

    Group-IB’s Analysis of ResumeLooters’ Campaign

    After identifying and exploiting security weaknesses on target sites, ResumeLooters injects malicious scripts into numerous locations in a website’s HTML.

    Certain injection points within websites, such as script triggers, can execute the injected script, while others, like form elements or anchor tags, simply display the injected script without execution. However, when injected effectively, a malicious remote script is activated, leading to a phishing forms that aim to steal visitors’ personal information.

    Group-IB has also observed instances where the attackers employed custom attack techniques. This includes the creation of fraudulent employer profiles and the posting of counterfeit CV documents that contain XSS scripts.

    Malicious resume used for script injection

    Malicious resume used for script injection

    Source: Group-IB

    Thanks to a security oversight by the attackers, Group-IB successfully infiltrated the database hosting the stolen data. This revelation uncovered that the attackers had managed to gain administrative access to some of the compromised websites.

    Open directory exposing stolen data

    Open directory exposing stolen data

    Source: Group-IB

    ResumeLooters conducts these attacks for financial gain. They attempt to monetize the stolen data by selling it to other cybercriminals through two Telegram accounts using Chinese names, namely “渗透数据中心” (Penetration Data Center) and “万国数据阿力” (World Data Ali).

    While Group-IB does not explicitly confirm the attackers’ origin, the fact that ResumeLooters engages in the sale of stolen data within Chinese-speaking groups and utilizes Chinese versions of tools like X-Ray strongly indicates a high likelihood that they are operating from China.

    Related Posts