
ResumeLooters targets 65 websites to steal sensitive user data


A sweeping cyber campaign by a previously unknown threat group, referred to as ResumeLooters, spanning November and December 2023, targeted employment agencies and retail companies in the Asia-Pacific region and extracted sensitive user data, including names, phone numbers, emails, dates of birth, and detailed employment histories.

According to estimates, the stolen files contained more than 2 million rows, of which about 500k were user records taken from the compromised websites.

Cybersecurity researchers from Group-IB found that about 65 websites were compromised by ResumeLooters. According to them, about 70% of the victims were located in India, Taiwan, Thailand, and Vietnam. However, a few victims were also in Brazil, the US, Turkey, Russia, Mexico, Italy and other non-APAC nations.

The modus operandi of ResumeLooters involved employing SQL injection attacks to pilfer user databases. Additionally, Group-IB’s researchers discovered traces of Cross-Site Scripting (XSS) infections on legitimate job search websites. These malicious scripts aim to load further harmful code from associated infrastructure, leading to the display of phishing forms on legitimate platforms.

Victim data by country. | Source: Group-IB

ResumeLooters demonstrated a dual-pronged attack strategy. Their primary vector involved SQL injection attacks using tools like SQLmap, Acunetix, Beef Framework, X-Ray, Metasploit, ARL, and Dirsearch. Notably, the group’s focus on SQL injection attacks mirrors a trend by another threat actor group, GambleForce, exposed by researchers in December.
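The SQL injection technique the two paragraphs above describe works only when user-supplied input is concatenated into the SQL text. The following is an added example (not code from the article or from Group-IB) showing the vulnerable pattern beside the parameterized one; the in-memory SQLite table, its rows and the probe string are all constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory stand-in for a job site's user table.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, phone TEXT, dob TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, phone, dob) VALUES (?, ?, ?)",
        [
            ("alice@example.com", "555-0100", "1990-01-01"),
            ("bob@example.com", "555-0101", "1985-05-05"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    # String formatting: the submitted value becomes part of the SQL statement,
    # so a quote in the input changes the query's structure.
    sql = f"SELECT email, phone, dob FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Bound parameter: the driver passes the value separately from the statement,
    # so the WHERE clause is exactly what the developer wrote, whatever the input.
    return conn.execute(
        "SELECT email, phone, dob FROM users WHERE email = ?", (email,)
    ).fetchall()


# Constructed test input: a tautology that turns the vulnerable WHERE clause
# into "email = 'x' OR '1'='1'", matching every row.
PROBE = "x' OR '1'='1"


def demo():
    """Return row counts for the same input against both lookups."""
    conn = build_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, PROBE)),
        "parameterized": len(lookup_parameterized(conn, PROBE)),
        "legit": len(lookup_parameterized(conn, "alice@example.com")),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns the whole table for the probe, which is the class of behaviour that lets an attacker dump a user database; the parameterized lookup returns nothing for the probe and still finds the real address.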

Simultaneously, the threat group attempted to inject XSS scripts into web forms, a tactic aimed at executing these scripts on administrators’ devices to acquire coveted admin credentials. The attackers strategically inserted XSS scripts into all available web forms, hoping to display phishing forms and gain unauthorised access.

Group-IB’s investigation led to the identification of a malicious server at 139.180.137[.]107. This server hosted an array of penetration testing tools, including the notable SQLmap.

Further scrutiny revealed additional ports and services, with one particularly noteworthy instance on port 443A. A JavaScript script found at the root of this port executed a series of actions, including downloading data from another malicious server, sb8[.]co.

Telegram groups were used to sell the data. | Source: Group-IB

ResumeLooters also leveraged the Beef Framework, a browser exploitation framework, to facilitate XSS attacks. The group employed a JavaScript code named if.js to gather user information and redirect to phishing credential collection forms.
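The XSS vector described above depends on a form value being rendered into a page unescaped and on the page being allowed to load scripts from arbitrary hosts. Below is an added example (not code from the article or from Group-IB) of the two standard mitigations: contextual output encoding of the stored value, and a Content-Security-Policy header that restricts script sources. The sample submission, the placeholder host `attacker.invalid`, the `csp_allows_script` helper and its simplified CSP parsing are all constructed for this illustration.

```python
import html
from dataclasses import dataclass


@dataclass
class Response:
    body: str
    headers: dict


def render_unsafe(field_value: str) -> str:
    # Reflects a stored form value straight into the page markup.
    return f"<p>Applicant note: {field_value}</p>"


def render_escaped(field_value: str) -> str:
    # HTML-entity encoding for text content: tags and quotes become inert text.
    return f"<p>Applicant note: {html.escape(field_value, quote=True)}</p>"


# Restrictive policy: scripts only from the page's own origin, no plugins,
# no <base> tricks, and forms may only post back to this origin.
CSP = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'self'; form-action 'self'"
)


def build_response(field_value: str) -> Response:
    return Response(
        body=render_escaped(field_value),
        headers={"Content-Security-Policy": CSP},
    )


def parse_csp(csp: str) -> dict:
    # Minimal CSP parser (constructed helper): directive name -> source list.
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def csp_allows_script(csp: str, script_origin: str, page_origin: str) -> bool:
    # Would a script from script_origin load under this policy? Falls back to
    # default-src when script-src is absent, as browsers do.
    d = parse_csp(csp)
    sources = d.get("script-src", d.get("default-src", []))
    for src in sources:
        if src == "'self'" and script_origin == page_origin:
            return True
        if src == "*" or src == script_origin:
            return True
    return False


def contains_script_tag(markup: str) -> bool:
    return "<script" in markup.lower()


# Constructed sample of the kind of form submission the article describes:
# a script tag loading a remote file from an attacker-controlled host.
SAMPLE = '<script src="https://attacker.invalid/if.js"></script>'
PAGE_ORIGIN = "https://jobs.example"


if __name__ == "__main__":
    print(render_unsafe(SAMPLE))
    print(build_response(SAMPLE).body)
    print(csp_allows_script(CSP, "https://attacker.invalid", PAGE_ORIGIN))
```

Either control alone narrows the attack: escaping stops the tag from being parsed at all, and the policy stops the remote file from loading even if some other rendering path misses the escape. Deploying both is the usual defence-in-depth recommendation.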

The attackers’ use of a vulnerable web server left stolen source code pages, HTML files, cookies, and additional victim data exposed. Telegram accounts linked to the attackers were identified as “渗透数据中心” (Penetration Data Center) and “万国数据阿力” (World Data Ali).

Both accounts were involved in selling compromised data from recruitment and other websites.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations.