In a recent cyber onslaught, a notorious threat group, dubbed ‘ResumeLooters’, has orchestrated a massive data breach affecting over two million individuals. Employing sophisticated tactics including SQL injection and cross-site scripting (XSS) attacks, the group infiltrated 65 legitimate job listing and retail websites.
The primary targets of the attacks were concentrated across the Asia-Pacific (APAC) region, with countries such as Australia, Taiwan, China, Thailand, India, and Vietnam bearing the brunt. The stolen data includes sensitive personal information such as names, email addresses, phone numbers, work history, educational background, and more.
Group-IB, a cybersecurity firm actively tracking ResumeLooters, revealed that the group attempted to monetize the pilfered data through Telegram channels back in November 2023.
The modus operandi of ResumeLooters involves exploiting vulnerabilities in legitimate websites using SQL injection and XSS techniques. Leveraging a suite of tools including SQLmap, Acunetix, Beef Framework, X-Ray, Metasploit, ARL, and Dirsearch, they meticulously probe and exploit security loopholes.
Upon infiltrating target sites, ResumeLooters embed malicious scripts into various parts of the HTML code, ranging from scripts that execute when the page loads to injected phishing forms aimed at extracting sensitive information from unsuspecting visitors.
Group-IB’s investigation uncovered instances where the attackers deployed novel methods, such as crafting fake employer profiles and posting counterfeit CV documents containing XSS scripts.
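The two defects the report describes (SQL injection into a site's queries and script injection into stored profile or CV content) are shown below beside their standard fixes. This is an added illustration, not code from the article or from Group-IB; the job-board table, candidate rows and injected strings are constructed, and `example.invalid` is a placeholder host.

```python
import html
import sqlite3

# Constructed sample data: a job board's candidate table, including one
# "counterfeit CV" whose summary carries an injected script tag.
CANDIDATES = [
    ("Alice Example", "Backend engineer, 5 years Python"),
    ("Bob Example", "Data analyst; SQL and Tableau"),
    ("Fake Employer", 'Great profile<script src="https://example.invalid/p.js"></script>'),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE candidates (name TEXT, summary TEXT)")
    conn.executemany("INSERT INTO candidates VALUES (?, ?)", CANDIDATES)
    return conn

def search_vulnerable(conn, term):
    # Anti-pattern: user input spliced into the SQL text, so a quote in the
    # search term changes the query's logic (the defect tools like SQLmap find).
    sql = f"SELECT name FROM candidates WHERE summary LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    # Fix: bound parameter; the driver passes the term as data, never as SQL.
    sql = "SELECT name FROM candidates WHERE summary LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]

def render_profile_vulnerable(name, summary):
    # Anti-pattern: stored field interpolated raw into HTML -> stored XSS
    # fires in the browser of anyone viewing the fake profile.
    return f"<h2>{name}</h2><p>{summary}</p>"

def render_profile_safe(name, summary):
    # Fix: contextual output encoding; the injected tag becomes inert text.
    return f"<h2>{html.escape(name)}</h2><p>{html.escape(summary)}</p>"

def demo():
    # Compare both defects against their fixes on the constructed data.
    conn = make_db()
    injected_term = "' OR '1'='1"
    return {
        "vuln_rows": len(search_vulnerable(conn, injected_term)),
        "safe_rows": len(search_safe(conn, injected_term)),
        "vuln_html_has_script": "<script" in render_profile_vulnerable(*CANDIDATES[2]),
        "safe_html_has_script": "<script" in render_profile_safe(*CANDIDATES[2]),
    }
```

The vulnerable search returns every row for the quoted term while the parameterized one returns none, and the escaped rendering contains no live script element.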
A critical oversight by the perpetrators allowed Group-IB to gain access to the database housing the stolen data, revealing that they had attained administrator privileges on some compromised sites.
ResumeLooters’ motivations appear rooted in financial gain, as they endeavor to peddle the stolen data to other cybercriminals via Telegram accounts using Chinese aliases like “渗透数据中心” (Penetration Data Center) and “万国数据阿力” (World Data Ali).
While Group-IB refrains from definitively attributing the origin of the attackers, the fact that ResumeLooters operate within Chinese-speaking forums and utilize Chinese versions of hacking tools strongly suggests their affiliation with China.