Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Millions of User Records Stolen From 65 Websites via SQL Injection Attacks

The ResumeLooters hackers compromise recruitment and retail websites using SQL injection and XSS attacks.

Between November and December 2023, a threat actor successfully stole more than two million email addresses and other personal information from at least 65 websites, threat intelligence firm Group-IB reports.

Mainly relying on SQL injection attacks, the hacking group, tracked as ResumeLooters, has been active since early 2023, selling the stolen information on Chinese-speaking hacking-themed Telegram groups.

As part of the November-December campaign, the group primarily hit sites in India (12), Taiwan (10), Thailand (9), Vietnam (7), and China (3). However, it was also seen targeting victims in Australia, the Philippines, South Korea, Japan, US, Brazil, Russia, and Italy. 

The group mainly focused on compromising retail and recruitment websites, but victims in the professional services, delivery, real estate, and investment sectors were also identified.

The observed attacks resembled those launched by GambleForce, a threat actor relying on SQL injections to compromise gambling and government websites in Asia-Pacific.

The same as GambleForce, ResumeLooters was seen using various open source tools and penetration testing frameworks in its SQL injection attacks.

The main difference, however, is that ResumeLooters has also used XSS scripts injected into legitimate job search websites, meant to display phishing forms and harvest administrative credentials. The scripts were executed on at least four websites and on some devices with administrative access.

In one instance, the group created a fake employer profile on a recruitment website, and injected an XSS script using one of the fields in the profile. In another instance, XSS code was included in a fake CV.

Advertisement. Scroll to continue reading.

Through the injection of malicious SQL queries, the threat actor was able to retrieve databases containing close to 2.2 million rows, more than 500,000 of which represented user data from employment websites.

“ResumeLooters is confirmed to have stolen several databases containing 2,079,027 unique emails and other records, such as names, phone numbers, dates of birth, as well as information about job seekers’ experience and employment history,” Group-IB says.

Fueled by poor security and inadequate database management practices, these attacks demonstrate how much damage can be done with publicly available tools, Group-IB notes, pointing out that companies can easily avoid falling victims to groups like GambleForce and ResumeLooters.

“Aside from the potential exposure of job seekers’ data (including phone numbers, email addresses, and other personal information), various APT groups could leverage this information for the further targeting of specific individuals,” the cybersecurity firm notes.

Related: UN Warns Hundreds of Thousands in Southeast Asia Roped Into Online Scams

Related: Triple Threat: Insecure Economy, Cybercrime Recruitment and Insider Threats

Related: North Korea APT Lazarus Targeting Chemical Sector

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.