Gang Targets Job Seekers, Steals Millions of Resumes

In November 2023, Group-IB’s Threat Intelligence unit discovered a malicious campaign targeting employment agencies and retail companies in the APAC (Asia Pacific) region. Group-IB dubbed the hackers behind the campaign ResumeLooters.

Overall, 65 websites were targeted using SQL injection attacks and injected cross-site scripting (XSS) scripts to steal user databases holding sensitive information such as names, phone numbers, emails, and employment history. The stolen data was then sold on Telegram channels.

Group-IB researchers discovered XSS infections on legitimate job search websites, intended to load malicious scripts and display phishing forms. The earliest attacks date back to early 2023, based on the file creation dates found on the attackers’ servers.

The hackers stole more than two million unique email addresses, targeting users in India, Taiwan, Thailand, and Vietnam. SQLi attacks targeted back-end user databases, while XSS techniques were used to display phishing content on sites and visitors’ devices.

Group-IB has identified ResumeLooters as the second group conducting SQL injection attacks against companies in the Asia-Pacific region, following GambleForce, which has carried out over 20 attacks so far.

ResumeLooters typically targets India, Taiwan, Thailand, and Vietnam, with over 70% of its known victims located in the region. Researchers also identified compromised entities in Brazil, the USA, Turkey, Russia, Mexico, Italy, and other non-APAC countries.

It is worth noting that Group-IB had recently unmasked EagleStrike, a subgroup of the GambleForce hacker group, which exploited simple vulnerabilities. The group targeted 24 organizations across 8 countries, compromising websites in Australia, Indonesia, the Philippines, South Korea, China, India, and Thailand between September and December 2023.

According to the company’s blog post, ResumeLooters uses various penetration testing tools, including sqlmap, Acunetix, Beef Framework, X-Ray, Metasploit, ARL, and Dirsearch. Their main vector was SQL injection via sqlmap.

Analysis of stolen HTML files shows the malicious script was executed on at least four websites, with some having XSS scripts embedded in the HTML code, mainly on devices with administrative access. The attackers’ accounts and advertisements for data sales were discovered in hacking-themed Telegram groups with Chinese-speaking members.

The report highlights how vulnerable websites are to SQLi and XSS attacks, underscoring the need for businesses to implement best practices such as web application firewalls and input validation. It also highlights the potential damage caused by these attacks, which are “fueled by poor security and inadequate database and website management,” Group-IB researchers concluded.
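As an added illustration of the two weaknesses the report names and the input validation it recommends (example code written for this article, not from Group-IB or any affected site; the candidate table, its rows and the function names are constructed), the snippet below shows a job-board search that pastes user input into SQL next to its parameterised fix, plus output encoding against XSS:

```python
import html
import re
import sqlite3

# Constructed sample rows standing in for a job board's candidate table
# (hypothetical schema, not taken from the Group-IB report).
CANDIDATES = [
    ("Asha", "asha@example.com", "+91-555-0101", "Backend developer"),
    ("Minh", "minh@example.com", "+84-555-0102", "Data analyst"),
    ("Ploy", "ploy@example.com", "+66-555-0103", "Retail manager"),
]


def make_db():
    """Build an in-memory SQLite database with the sample candidates."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE candidates (name TEXT, email TEXT, phone TEXT, title TEXT)")
    conn.executemany("INSERT INTO candidates VALUES (?, ?, ?, ?)", CANDIDATES)
    return conn


def search_vulnerable(conn, title):
    # Weakness: the search term is spliced into the SQL text, so quote
    # characters in the input become part of the query and can widen the
    # WHERE clause to return every row of the table.
    sql = f"SELECT name, email, phone FROM candidates WHERE title = '{title}'"
    return conn.execute(sql).fetchall()


def search_safe(conn, title):
    # Fix: bind the value as a parameter; the driver passes it as data,
    # so the same input is only ever compared as a literal string.
    sql = "SELECT name, email, phone FROM candidates WHERE title = ?"
    return conn.execute(sql, (title,)).fetchall()


def validate_title(title):
    # Input validation: allow-list the characters a job title may contain
    # and cap its length before the value reaches the database at all.
    return re.fullmatch(r"[A-Za-z0-9 .,&/-]{1,80}", title) is not None


def render_title(title):
    # XSS defence: HTML-encode stored data before placing it in a page,
    # so injected markup is displayed as text rather than executed.
    return f"<li>{html.escape(title)}</li>"
```

Running `search_vulnerable` and `search_safe` with an input containing a quote character shows the first returning the whole table while the second returns nothing, which is the difference a web application firewall is only a backstop for.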

There have been several surprising breaches involving the exposure of employee or job seekers’ data. In July 2022, the North Korea-backed Lazarus hacking group, posing as IT freelancers, used a fake job offer to infiltrate Sky Mavis’ network.

More recently, in January 2023, Hackread reported that independent security researcher Anurag Sen had discovered a misconfigured server belonging to a California-based Enterprise Resource Planning (ERP) software provider.

The Elasticsearch server exposed the personal data of over half a million Indian job seekers, as well as the company’s employees and client records from companies such as Apple and Samsung. The server had been publicly accessible without any authentication or password since late December 2022.