Attackers used SQL injection and cross-site scripting (XSS), carried out with legitimate penetration testing tools, to target at least 65 recruiting and retail websites, stealing databases containing more than 2 million emails and other personal records of job seekers in just a month.
Dubbed “ResumeLooters” by researchers from Group-IB’s Threat Intelligence Unit, who uncovered the campaign, the group primarily targeted victims in India, Taiwan, Thailand, Vietnam, China and Australia, stealing emails and other data containing personal information from people’s resumes, researchers revealed in a blog post on February 6. The data included names, phone numbers and dates of birth, as well as information about the job seekers’ experience and work history.
Overall, researchers found that the group, believed to have been operational since early 2023, stole multiple databases containing 2,079,027 unique emails and other records in attacks that occurred between last November and December. While more than 70% of victims were located in the Asia-Pacific (APAC) region, Group-IB also identified compromised companies in other regions, including Brazil, Italy, Mexico, Russia, Turkey and the United States.
Specifically, the attackers targeted 26 retail companies and 19 job-seeking sites, as well as a handful of organizations in professional services, delivery, real estate, investing and other industries. The group then put the stolen data up for sale on Chinese-language Telegram channels.
Cyber attacks using pen-testing tools
The attack vector of ResumeLooters is similar to that of another group called GambleForce, which Group-IB discovered was targeting the APAC region in September. Like that group, the attackers used a variety of publicly available penetration testing tools to target and inject malicious scripts into websites. In the case of ResumeLooters, common tools included Acunetix, BeEF Framework, X-Ray, Metasploit, ARL (Asset Reconnaissance Lighthouse), and Dirsearch.
“ResumeLooters is yet another example of how much damage can be done with just a handful of publicly available tools,” senior threat analyst Nikita Rostovcev of Group-IB’s Advanced Persistent Threat (APT) research team wrote in the post. “Both GambleForce and ResumeLooters use very simple attack methods.”
The team’s investigation began with the identification of a malicious server at IP address 139.180.137[.]107, on which they found the logs of several penetration testing tools, including sqlmap, which revealed that attackers were targeting employment websites and retail businesses.
The most common initial vector used by ResumeLooters is SQL injection via sqlmap, but in some cases attackers have injected XSS scripts into legitimate job search sites to carry out attacks, researchers have found. In those cases, the injected code triggers the execution of a malicious remote script that displays a phishing form to steal the data of visiting job seekers.
In one of its XSS attacks, ResumeLooters even created a fake employer profile on a legitimate recruiting site by inserting malicious XSS scripts into one of the profile fields. The profile also included a link to admin.cloudnetsafe[.]com, which the researchers believe could be another domain associated with the group, although it was inaccessible at the time the researchers analyzed it.
The evidence also suggested that ResumeLooters attempted to gain shell access on the target systems to download and execute additional payloads and try to find more data, despite having full control of the victims’ server. However, it is unclear whether these attempts were successful, Rostovcev said.
Group-IB has informed the victim companies targeted by the attacks “so that they can take all necessary measures to mitigate further damage”, it added.
Job seekers in the cyber crosshairs
Threat actors often target job seekers through various employment scams, due to the range of information that can be gathered through communications with them, as well as the opportunity to influence them using social engineering.
They are mainly threatened by groups from North Korea, which are adept at targeting job seekers around the world using fake job offers aimed at stealing personal information and credentials. Attackers also exploit social media platforms, such as Facebook, to target job seekers, especially those seeking remote work.
Attacks like those by ResumeLooters and GambleForce are “easily avoidable,” but corporate websites can be compromised due to “poor security and poor database and website management practices,” Rostovcev noted.
The campaign reminds organizations that they must prioritize cybersecurity and remain vigilant against evolving threats, he said. To do this, Group-IB has made several recommendations to organizations to prevent both SQL Injection and XSS attacks.
In the first case, organizations should use parameterized statements or prepared statements provided by their particular programming language or framework rather than concatenating user input directly into SQL queries. “This helps separate user input from SQL code,” Rostovcev wrote.
Implementing a web application firewall can detect and block SQL injection attempts, providing an additional layer of defense against various web application attacks. Another tactic that can help prevent both SQL injection and XSS attacks is to validate and sanitize user inputs on both the client and server sides, ensuring that inputs adhere to expected formats and length constraints, according to Group-IB.
To prevent XSS attacks, the researchers suggested, organizations can also escape special characters before rendering user-generated content, to ensure they are treated as literal text and not interpreted as code.
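The parameterized-statement, input-validation and output-escaping recommendations above, shown as an added example that is not code from Group-IB or the original article. The table layout, function names and sample inputs are constructed for illustration, with Python's built-in `sqlite3` and `html` modules standing in for a site's database driver and template layer.

```python
import html
import sqlite3

# Constructed sample data: a tiny stand-in for a recruiting site's database.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE resumes (owner TEXT, email TEXT, phone TEXT)")
    db.executemany(
        "INSERT INTO resumes VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "555-0100"),
         ("bob", "bob@example.com", "555-0101"),
         ("carol", "carol@example.com", "555-0102")],
    )
    return db

def lookup_concatenated(db, owner):
    # Weak form: user input is spliced into the SQL text, so quote
    # characters in `owner` change the structure of the query.
    query = "SELECT email FROM resumes WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(query)]

def lookup_parameterized(db, owner):
    # Hardened form: the driver binds `owner` as a value; it can never
    # become SQL syntax, whatever characters it contains.
    query = "SELECT email FROM resumes WHERE owner = ?"
    return [row[0] for row in db.execute(query, (owner,))]

def valid_company_name(value, max_len=80):
    # Server-side validation: expected length and no markup delimiters.
    return 0 < len(value) <= max_len and not any(c in value for c in "<>")

def render_profile_field(value):
    # Output escaping: special characters become entities, so stored
    # markup is displayed as literal text instead of being interpreted.
    return "<td>" + html.escape(value, quote=True) + "</td>"

if __name__ == "__main__":
    db = build_db()
    tautology = "nobody' OR '1'='1"          # constructed test input
    stored = '<script src="https://placeholder.invalid/x.js"></script>'
    print(lookup_concatenated(db, tautology))   # every email in the table
    print(lookup_parameterized(db, tautology))  # no rows
    print(valid_company_name(stored), render_profile_field(stored))
```

Validation and escaping are applied independently here: a profile field that slips past validation is still rendered as inert text.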