Source: Group-IB. Distribution of ResumeLooters' compromised websites by country and sector. |
Group-IB, a creator of cybersecurity technologies to investigate, prevent, and fight digital crime, has identified a large-scale malicious campaign primarily targetting job search and retail websites of companies in the Asia-Pacific region.
The cybercriminal group, dubbed ResumeLooters by Group-IB’s Threat Intelligence unit, successfully infected at least 65 websites between November and December 2023 through SQL injection and cross-site scripting (XSS) attacks. Most of the gang’s victims are in India, Taiwan, Thailand, Vietnam, mainland China, and Australia.
Group-IB said ResumeLooters has stolen 2,079,027 unique emails and other records, such as names, phone numbers, dates of birth, as well as information about job seekers’ experience and employment history. The stolen data has been offered for sale by ResumeLooters in Telegram. Group-IB has notified identified victims.
Operating since the beginning of 2023, ResumeLooters has been using penetration testing frameworks and open-source tools to inject malicious SQL queries into 65 job search, retail and other websites and retrieve a total of 2,188,444 database rows of information. Of these rows, 510,259 were user data from employment websites.
Over 70% of the known compromised websites are in the Asia-Pacific region. The gang is primarily focused on India (12 victims), Taiwan (10), Thailand (9), Vietnam (7), mainland China (3), Australia (2), the Philippines (1), South Korea (1), and Japan (1). However, compromised websites have also been identified outside of the region.
Group-IB’s researchers have also identified two Telegram accounts associated with the threat actor. Both accounts have been used to offer the stolen data for sale in Chinese-speaking Telegram groups dedicated to hacking and penetration testing.
“In less than two months, we have identified yet another threat actor conducting SQL injection attacks against companies in the Asia-Pacific region,” said Nikita Rostovcev, Senior Analyst at the Advanced Persistent Threat Research Team, Group-IB.
“It is striking to see how some of the oldest yet remarkably effective SQL attacks remain prevalent in the region. However, the tenacity of the ResumeLooters group stands out as they experiment with diverse methods of exploiting vulnerabilities, including XSS attacks. Additionally, the gang’s attacks cover a vast geographical area.”
According to Group-IB, cybercriminals have been increasingly interested in the Asia-Pacific region. In December 2023, Group-IB reported on GambleForce, a cybercriminal group which conducted over 20 SQL injection attacks against gambling and government websites in the region. Unlike GambleForce, which focuses solely on SQL injections, ResumeLooters has a more diverse modus operandi.
In addition to SQL injection attacks, ResumeLooters successfully executed XSS scripts on at least four legitimate job search websites. On one of these websites, the attackers implanted a malicious script by creating a fake employer profile. As a result, the attackers were able to steal the HTML code of the pages visited by the victims, including those with administrative access. Malicious XSS scripts were also intended to display phishing forms on legitimate resources. It is believed that the attackers’ main goal was to steal admin credentials. However, no evidence of successful theft of administrative credentials was found.
To protect against injection attacks, Group-IB suggested that companies implement comprehensive input validation and sanitisation on both the client and server sides. Performing regular security assessments and code reviews will help to identify and mitigate injection vulnerabilities.
The comprehensive examination of ResumeLooters’ malicious infrastructure, tools, and tactics, along with the full list of indicators of compromise, is available in Group-IB’s latest blog post.