Between November and December 2023, a threat actor successfully stole more than two million email addresses and other personal information from at least 65 websites, threat intelligence firm Group-IB reports.
Mainly relying on SQL injection attacks, the hacking group, tracked as ResumeLooters, has been active since early 2023, selling the stolen information on Chinese-speaking hacking-themed Telegram groups.
As part of the November-December campaign, the group primarily hit sites in India (12), Taiwan (10), Thailand (9), Vietnam (7), and China (3). However, it was also seen targeting victims in Australia, the Philippines, South Korea, Japan, US, Brazil, Russia, and Italy.
The group mainly focused on compromising retail and recruitment websites, but victims in the professional services, delivery, real estate, and investment sectors were also identified.
The observed attacks resembled those launched by GambleForce, a threat actor relying on SQL injections to compromise gambling and government websites in Asia-Pacific.
The same as GambleForce, ResumeLooters was seen using various open source tools and penetration testing frameworks in its SQL injection attacks.
The main difference, however, is that ResumeLooters has also used XSS scripts injected into legitimate job search websites, meant to display phishing forms and harvest administrative credentials. The scripts were executed on at least four websites and on some devices with administrative access.
In one instance, the group created a fake employer profile on a recruitment website, and injected an XSS script using one of the fields in the profile. In another instance, XSS code was included in a fake CV.
Through the injection of malicious SQL queries, the threat actor was able to retrieve databases containing close to 2.2 million rows, more than 500,000 of which represented user data from employment websites.
“ResumeLooters is confirmed to have stolen several databases containing 2,079,027 unique emails and other records, such as names, phone numbers, dates of birth, as well as information about job seekers’ experience and employment history,” Group-IB says.
Fueled by poor security and inadequate database management practices, these attacks demonstrate how much damage can be done with publicly available tools, Group-IB notes, pointing out that companies can easily avoid falling victims to groups like GambleForce and ResumeLooters.
“Aside from the potential exposure of job seekers’ data (including phone numbers, email addresses, and other personal information), various APT groups could leverage this information for the further targeting of specific individuals,” the cybersecurity firm notes.