ResumeLooters Gang Steal Data of 2 Million in XSS Attacks Using SQL injection

Written by Mitchell Langley

February 6, 2024

ResumeLooters Gang Steal Data of 2 Million in XSS Attacks Using SQL injection

A threat group known as ‘ResumeLooters’ has successfully stolen the personal information of over two million job seekers by exploiting vulnerabilities in 65 legitimate job listing and retail websites using SQL injection and cross-site scripting (XSS) attacks.

Their primary focus has been on the APAC region, specifically targeting job sites in Australia, Taiwan, China, Thailand, India, and Vietnam. The stolen information includes job seekers’ names, email addresses, phone numbers, employment history, education details, and other relevant data.

Group-IB, a cybersecurity firm that has been monitoring ResumeLooters since its inception, reports that in November 2023, the threat group attempted to sell the stolen data through Telegram channels.

ResumeLooters Gang Compromising Legitimate Sites

Source: BleepingComputer

ResumeLooters Gang Compromising Legitimate Sites

ResumeLooters utilizes SQL injection and XSS techniques as their primary methods to infiltrate specific websites, with a particular focus on job-seeking platforms and retail shops.

Their pen-testing phase involved the use of open-source tools like:

  • Acunetix: A web vulnerability scanner that identifies common vulnerabilities such as XSS and SQL injection, and provides reports for remediation.
  • Metasploit: A versatile framework that allows the development and execution of exploit code against target systems. It can also be used for security assessments.
  • SQLmap: An automated tool that detects and exploits SQL injection flaws, enabling the compromise of database servers.
  • X-Ray: This tool is designed to detect vulnerabilities in web applications, providing insights into their structure and potential weaknesses.
  • Beef Framework: Exploiting web browser vulnerabilities, this framework assesses the security posture of a target through client-side vectors.
  • ARL (Asset Reconnaissance Lighthouse): A scanning and mapping tool for online assets, helping to identify potential vulnerabilities in network infrastructure.
  • Dirsearch: A command-line tool used for brute-forcing directories and files in web applications, uncovering hidden resources.
ResumeLooters Gang Steal Data of 2 Million in XSS Attacks Using SQL injection

Script injected on the target website

Source: Group-IB

Group-IB’s Analysis of ResumeLooters’ Campaign

After identifying and exploiting security weaknesses on target sites, ResumeLooters injects malicious scripts into numerous locations in a website’s HTML.

Certain injection points within websites, such as script triggers, can execute the injected script, while others, like form elements or anchor tags, simply display the injected script without execution. However, when injected effectively, a malicious remote script is activated, leading to a phishing forms that aim to steal visitors’ personal information.

Group-IB has also observed instances where the attackers employed custom attack techniques. This includes the creation of fraudulent employer profiles and the posting of counterfeit CV documents that contain XSS scripts.

ResumeLooters Gang Steal Data of 2 Million in XSS Attacks Using SQL injection

Malicious resume used for script injection

Source: Group-IB

Thanks to a security oversight by the attackers, Group-IB successfully infiltrated the database hosting the stolen data. This revelation uncovered that the attackers had managed to gain administrative access to some of the compromised websites.

ResumeLooters Gang Steal Data of 2 Million in XSS Attacks Using SQL injection

Open directory exposing stolen data

Source: Group-IB

ResumeLooters conducts these attacks for financial gain. They attempt to monetize the stolen data by selling it to other cybercriminals through two Telegram accounts using Chinese names, namely “渗透数据中心” (Penetration Data Center) and “万国数据阿力” (World Data Ali).

While Group-IB does not explicitly confirm the attackers’ origin, the fact that ResumeLooters engages in the sale of stolen data within Chinese-speaking groups and utilizes Chinese versions of tools like X-Ray strongly indicates a high likelihood that they are operating from China.

Related Articles

Daixin Ransomware Claims Omni Hotels Cyberattack

Daixin Ransomware Claims Omni Hotels Cyberattack

The Daixin Team ransomware gang has taken responsibility for a recent cyberattack on Omni Hotels & Resorts and is currently issuing threats to publish sensitive customer information unless a ransom is paid. This development comes after the hotel chain experienced...

Stay Up to Date With The Latest News & Updates

Join Our Newsletter


Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!