"ResumeLooters" vs job seekers: how to find a job without losing your personal data

The use of SQL injection and XSS has become the main weapon in the hands of attackers.

The ResumeLooters hacker group has committed large-scale identity theft of more than two million job seekers, hacking 65 legitimate job search sites and online retail stores using SQL injection and cross-site scripting (XSS) attacks.

The attackers' main focus is on the Asia-Pacific region, including Australia, Taiwan, China, Thailand, India and Vietnam. The stolen data includes applicants' names, email addresses, phone numbers, employment history, education and other information.

According to Group-IB, a company that has been monitoring the actions of this group since its appearance in November 2023, ResumeLooters sell stolen data through specially created channels in Telegram.

In their attacks, the group used open-source tools such as sqlmap, Acunetix, BeEF Framework, X-Ray, Metasploit, ARL (Asset Reconnaissance Lighthouse), and Dirsearch. These tools helped detect and exploit vulnerabilities on target sites, after which ResumeLooters injected malicious scripts into the HTML code of the sites.

Especially interesting is that the attackers created fake employer profiles and posted fake resume documents containing XSS scripts. This allowed them to steal information from site visitors through phishing forms.

Thanks to an error in the attackers' operational security, Group-IB specialists managed to break into the database with stolen data and reveal that the attackers gained administrative access to some of the compromised sites.

ResumeLooters carry out their attacks for financial gain by selling data to other cybercriminals using Chinese pseudonyms. Although Group-IB does not directly confirm the origin of the attackers, selling stolen data to Chinese-speaking groups and using Chinese versions of the tools make it highly likely that the ResumeLooters attackers are indeed of Chinese origin.
 