A sweeping cyber campaign by a previously unknown threat group, referred to as ResumeLooters, spanning November and December 2023, targeted employment agencies and retail companies in the Asia-Pacific region and extracted sensitive user data, including names, phone numbers, emails, dates of birth, and detailed employment histories.
According to estimates, the files taken by the group contained more than 2 million rows, about 500k of which were data stolen from the compromised websites.
Cybersecurity researchers from Group-IB found that about 65 websites were compromised by ResumeLooters. According to them, about 70% of the victims were located in India, Taiwan, Thailand, and Vietnam. However, a few victims were also in Brazil, the US, Turkey, Russia, Mexico, Italy and other non-APAC nations.
The modus operandi of ResumeLooters involved employing SQL injection attacks to pilfer user databases. Additionally, Group-IB’s researchers discovered traces of Cross-Site Scripting (XSS) infections on legitimate job search websites. These malicious scripts aim to load further harmful code from associated infrastructure, leading to the display of phishing forms on legitimate platforms.
ResumeLooters demonstrated a dual-pronged attack strategy. Their primary vector involved SQL injection attacks using tools like SQLmap, Acunetix, Beef Framework, X-Ray, Metasploit, ARL, and Dirsearch. Notably, the group’s focus on SQL injection attacks mirrors a trend by another threat actor group, GambleForce, exposed by researchers in December.
Simultaneously, the threat group attempted to inject XSS scripts into web forms, a tactic aimed at executing these scripts on administrators’ devices to acquire coveted admin credentials. The attackers strategically inserted XSS scripts into all available web forms, hoping to display phishing forms and gain unauthorised access.
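As an added illustration (not code from the Group-IB report), the two web-application weaknesses the campaign relied on, shown in a minimal job-application handler: string-built SQL beside its parameterised form, and an admin view that echoes stored fields raw beside one that entity-encodes them. The table, function names and sample submissions are constructed; the script host is a placeholder, not an indicator from the report.

```python
import html
import sqlite3

# Constructed sample form submissions of the kind a job-site application form
# accepts. The second one carries a stored-XSS style payload that would pull a
# remote script, mirroring the tactic described above (host is a placeholder).
CLEAN_APPLICANT = ("O'Brien", "obrien@example.com")
XSS_APPLICANT = ("<script src=//placeholder.invalid/x.js></script>", "x@example.com")


def init_db() -> sqlite3.Connection:
    """In-memory applicants table standing in for a job site's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants (name TEXT, email TEXT)")
    return conn


def store_applicant_unsafe(conn, name, email):
    """String-built SQL: the pattern SQLi tooling probes for. A name containing
    a quote already breaks the statement, which is the handle an attacker uses."""
    conn.execute(f"INSERT INTO applicants (name, email) VALUES ('{name}', '{email}')")


def store_applicant(conn, name, email):
    """Parameterised insert: user input never becomes part of the SQL text."""
    conn.execute("INSERT INTO applicants (name, email) VALUES (?, ?)", (name, email))


def fetch_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM applicants ORDER BY rowid")]


def render_admin_row_unsafe(name, email):
    """Admin view that echoes stored fields raw; a script stored in 'name' would
    execute in the administrator's browser when the applicant list is viewed."""
    return f"<tr><td>{name}</td><td>{email}</td></tr>"


def render_admin_row(name, email):
    """Same row with HTML entity encoding, so markup in the data stays inert text."""
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(email)}</td></tr>"


if __name__ == "__main__":
    db = init_db()
    store_applicant(db, *CLEAN_APPLICANT)
    store_applicant(db, *XSS_APPLICANT)
    for n, e in db.execute("SELECT name, email FROM applicants"):
        print(render_admin_row(n, e))
```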
Group-IB’s investigation led to the identification of a malicious server at 139.180.137[.]107. This server hosted an array of penetration testing tools, including the notable SQLmap.
The hackers, exploiting a vulnerable web server, exposed stolen source code pages, HTML files, cookies, and additional victim data. Telegram accounts linked to the attackers were identified as “渗透数据中心” (Penetration Data Center) and “万国数据阿力” (World Data Ali).
Both accounts were involved in selling compromised data from recruitment and other websites.