Between November and December 2023, a threat actor successfully stole more than two million email addresses and other personal information from at least 65 websites, threat intelligence firm Group-IB reports. ResumeLooters is confirmed to have stolen several databases containing 2,079,027 unique emails and other records, such as names, phone numbers, dates of birth, and information about job seekers’ experience and employment history. The stolen data was then offered for sale by ResumeLooters in Telegram channels. Group-IB issued notifications to the identified victims so they could take necessary measures to mitigate further damage.[1]
Since the beginning of 2023, ResumeLooters has utilized several penetration testing frameworks and open-source tools, such as sqlmap, Acunetix, Beef Framework, X-Ray, Metasploit, ARL, and Research. As a result, the gang injected malicious SQL queries into 65 job search, retail, and other websites and retrieved a total of 2,188,444 rows, of which 510,259 were user data from employment websites. The hacking group, tracked as ResumeLooters, mainly relying on SQL injection attacks, has been active since early 2023, selling stolen information on Chinese-speaking hacking-themed Telegram groups.
As part of the November-December campaign, the group primarily hit sites in India (12), Taiwan (10), Thailand (9), Vietnam (7), and China (3). However, it also targeted victims in Australia, the Philippines, South Korea, Japan, the US, Brazil, Russia, and Italy.
The group mainly focused on compromising retail and recruitment websites, but victims in the professional services, delivery, real estate, and investment sectors were also identified. The observed attacks resembled those launched by GambleForce, a threat actor relying on SQL injections to compromise gambling and government websites in Asia-Pacific. Similar to GambleForce, ResumeLooters was seen using various open-source tools and penetration testing frameworks in its SQL injection attacks.
The main difference, however, is that ResumeLooters has also used XSS scripts injected into legitimate job search websites, meant to display phishing forms and harvest administrative credentials. The scripts were executed on at least four websites and on some devices with administrative access.
In one instance, the group created a fake employer profile on a recruitment website and injected an XSS script using one of the fields in the profile. In another example, XSS code was included in a fake CV.
By injecting malicious SQL queries, the threat actor retrieved databases containing nearly 2.2 million rows, more than 500,000 representing user data from employment websites. “ResumeLooters is confirmed to have stolen several databases containing 2,079,027 unique emails and other records, such as names, phone numbers, dates of birth, as well as information about job seekers’ experience and employment history,” Group-IB says.
As a result of poor security and inadequate database management practices, these attacks demonstrate how much damage can be done with publicly available tools, Group-IB notes, pointing out that companies can easily avoid falling victim to groups like GambleForce and ResumeLooters. “Aside from the potential exposure of job seekers’ data (including phone numbers, email addresses, and other personal information), various APT groups could leverage this information to target specific individuals further,” the cybersecurity firm notes.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://www.securityweek.com/millions-of-user-records-stolen-from-65-websites-via-sql-injection-attacks/
Comments