Millions of people looking for a new job had their personal information stolen and put up for sale on chat groups on the dark web after several sites were hacked.
Cybersecurity experts from Group-IB have released a new report outlining their research into a relatively new threat actor called ResumeLooters and how it was able to sell a massive database on the dark web.
ResumeLooters first appeared in November 2023, when it successfully compromised 65 job and retail sites using two techniques: SQL injection and cross-site scripting (XSS). Using tools such as SQLmap, Acunetix,
In it for the money
After successfully finding and exploiting flaws on the sites, the attackers inject malicious scripts into various places in the HTML. Some injections trigger the script, while others simply display it, the researchers explained. The purpose of the script is to display a phishing form that steals sensitive data from visitors.
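What "trigger" versus "simply display" means for a site owner, as an added example that is not taken from Group-IB's report or from this article: the same stored profile field becomes executable markup when a page writes it into HTML unescaped, and inert text when the page escapes it. The `full_name` field, the sample records and all function names are constructed for illustration.

```python
import html
from html.parser import HTMLParser

class ActiveMarkupFinder(HTMLParser):
    """Collects markup a browser would run: <script>, on* handlers, javascript: URLs."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            url = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            elif name in ("href", "src") and url.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")

def active_markup(fragment):
    finder = ActiveMarkupFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings

def render_raw(value):
    # Vulnerable pattern: stored input concatenated straight into the page.
    return f'<td class="name">{value}</td>'

def render_escaped(value):
    # Hardened pattern: HTML-encode on output, so markup is displayed as text.
    return f'<td class="name">{html.escape(value, quote=True)}</td>'

# Constructed sample records (not real data from the campaign).
STORED_PROFILES = [
    {"id": 1, "full_name": "Mai Nguyen"},
    {"id": 2, "full_name": '<script src="https://example.invalid/x.js"></script>'},
    {"id": 3, "full_name": '<img src="x" onerror="loadForm()">'},
]

def audit(profiles, render):
    """Return {record id: findings} where the rendered HTML holds executable markup."""
    report = {}
    for profile in profiles:
        found = active_markup(render(profile["full_name"]))
        if found:
            report[profile["id"]] = found
    return report

if __name__ == "__main__":
    print("raw view:    ", audit(STORED_PROFILES, render_raw))
    print("escaped view:", audit(STORED_PROFILES, render_escaped))
```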
Apparently, the victims’ full names, email addresses, phone numbers, employment history, education and other relevant information were taken. That is sufficient information for a targeted spear-phishing attack or even identity theft. Most victims are in the APAC region, in countries such as Australia, Taiwan, China, Thailand, India and Vietnam.
After stealing the data, ResumeLooters tried to sell it on the dark web, Group-IB added. They offered it through two Telegram channels, using accounts with Chinese names. Even the tools they used were in Chinese, leading the researchers to conclude that ResumeLooters most likely come from China.
However, they do not appear to be sponsored by the state, as the aim of the campaign was material gain.
“In less than two months, we have identified another threat actor conducting SQL injection attacks on companies in the Asia-Pacific region,” said Nikita Rostovcev, senior analyst at the Advanced Persistent Threat Research Team, Group-IB.
“It is striking to see how some of the oldest but remarkably effective SQL attacks are still prevalent in the region. However, the ResumeLooters group’s tenacity stands out as they experiment with different methods of exploiting vulnerabilities, including XSS attacks. Furthermore, the gang’s attacks cover a large geographical area.”