Article Details

Original Article Text

Hackers steal data of 2 million in SQL injection, XSS attacks

A threat group named 'ResumeLooters' has stolen the personal data of over two million job seekers after compromising 65 legitimate job listing and retail sites using SQL injection and cross-site scripting (XSS) attacks.

The attackers mainly focus on the APAC region, targeting sites in Australia, Taiwan, China, Thailand, India, and Vietnam to steal job seekers' names, email addresses, phone numbers, employment history, education, and other relevant information.

According to Group-IB, which has been following the threat group since its beginning, in November 2023 ResumeLooters attempted to sell the stolen data through Telegram channels.

Compromising legitimate sites

ResumeLooters primarily employs SQL injection and XSS to breach targeted sites, mainly job-seeking and retail shops. Their pen-testing phase involved the use of open-source tools like:

After identifying and exploiting security weaknesses on target sites, ResumeLooters injects malicious scripts into numerous locations in a website's HTML. Some of these injections will be inserted to trigger the script, but other locations, like form elements or anchor tags, will simply display the injected script, as shown below.

However, when properly injected, a malicious remote script will be executed that displays phishing forms to steal visitors' information.

Group-IB also observed cases where the attackers employed custom attack techniques, like creating fake employer profiles and posting fake CV documents to contain the XSS scripts.

Thanks to an opsec mistake by the attackers, Group-IB was able to infiltrate the database hosting the stolen data, revealing that the attackers managed to establish administrator access on some of the compromised sites.
ResumeLooters conducts these attacks for financial gain, attempting to sell stolen data to other cybercriminals via at least two Telegram accounts that use Chinese names, namely "渗透数据中心" (Penetration Data Center) and "万国数据阿力" (World Data Ali). Although Group-IB does not explicitly confirm the attackers' origin, ResumeLooters selling stolen data in Chinese-speaking groups and using Chinese versions of tools, like X-Ray, make it highly probable that they are from China.
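The article notes that the same injected script is executed in some page locations but merely displayed in others, such as form elements, and that the group planted XSS payloads in fake employer profiles and CVs. The following is an added defender-side illustration, not code from the article or from Group-IB: it scans constructed sample profile records for stored-XSS patterns and shows why escaped output (the usual reason a payload only "displays") neutralises the same payload that raw interpolation would execute. The records, field names and the `attacker.invalid` host are all made up for the example.

```python
import html
import re

# Constructed sample records imitating job-site fields the article says were
# abused (fake employer profiles and CV text). The script URL is a placeholder,
# not an indicator taken from the article.
SAMPLE_RECORDS = [
    {"id": 1, "employer_name": "Acme Logistics", "about": "We ship things."},
    {"id": 2, "employer_name": '<script src="https://attacker.invalid/x.js"></script>',
     "about": "Hiring now"},
    {"id": 3, "employer_name": "Beta Corp",
     "about": '<a href="#" onmouseover="alert(1)">careers</a>'},
    {"id": 4, "employer_name": "Gamma", "about": "Visit javascript:alert(1) for details"},
]

# Patterns for triaging stored content: script tags, inline event handlers and
# javascript: URLs. This is alerting logic, not a sanitiser; rendering must
# still escape output regardless of what the scan finds.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]


def find_suspicious_fields(records):
    """Return (record id, field name) pairs whose string value matches a pattern."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            if isinstance(value, str) and any(p.search(value) for p in XSS_PATTERNS):
                hits.append((rec["id"], field))
    return hits


def render_unsafe(value):
    """Raw interpolation into a text node: the browser parses injected markup."""
    return f"<p>{value}</p>"


def render_safe(value):
    """Escaped interpolation: the same payload is shown as text, never executed."""
    return f"<p>{html.escape(value, quote=True)}</p>"


def render_attr_safe(value):
    """Escaped value inside a form field: quotes are encoded, so the injected
    text is displayed in the input and cannot break out of the attribute."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'
```

Running `find_suspicious_fields(SAMPLE_RECORDS)` flags records 2, 3 and 4; comparing `render_unsafe` with `render_safe` on record 2 shows the script tag intact in the first and encoded as `&lt;script ...&gt;` in the second.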

Daily Brief Summary

CYBERCRIME // Over 2 Million Job Seekers' Data Stolen by 'ResumeLooters' Group

The 'ResumeLooters' threat group has compromised 65 job listing and retail websites, stealing the personal data of over two million individuals.

Victims are predominantly from the APAC region, including countries such as Australia, China, and India, with stolen data including names, contact details, and employment history.

The primary attack methods used were SQL injection and XSS attacks, allowing for unauthorized data access and phishing attempts.

Open-source penetration testing tools were utilized to identify vulnerabilities before injecting malicious scripts across the websites.

Group-IB detected the sale of stolen data on Telegram and identified the hackers' operational security error, which provided insights into their methods and access level.

Indicators suggest ResumeLooters may be a China-based group, given the language used in communications and tool preferences.

The data is being sold for financial gain to other cybercriminals, posing a significant threat to those affected.