A new cybersecurity threat actor, identified as ResumeLooters, has emerged, targeting employment agencies and retail companies predominantly in the Asia-Pacific (APAC) region since early 2023. This group aims to compromise sensitive data, focusing on job search platforms and the unauthorized collection of resumes.
According to research from Group-IB, a cybersecurity firm based in Singapore, the hacking group has successfully breached as many as 65 job-related websites between November and December 2023. The scale of the data theft is significant, with estimates indicating a total of approximately 2,188,444 compromised user records, including 510,259 unique entries drawn from job platform databases. Remarkably, the dataset contains over two million distinct email addresses.
Security researcher Nikita Rostovcev elaborated that ResumeLooters employs SQL injection techniques to exploit vulnerabilities in these websites, allowing the theft of extensive user databases. The compromised information is likely to encompass personal details such as names, phone numbers, email addresses, dates of birth, and detailed resumes outlining job seekers’ experiences and employment histories.
Once stolen, this data is marketed within Telegram channels, demonstrating the monetization aspect of these breaches. Additionally, Group-IB has detected evidence of cross-site scripting (XSS) vulnerabilities on several authenticated job search sites, which the group used to serve phishing pages designed to harvest administrator credentials.
ResumeLooters is the second threat actor observed using SQL injection attacks against the APAC region, following the public exposure of another group named GambleForce in late December 2023. The majority of the breached websites are based in countries like India, Taiwan, Thailand, Vietnam, China, Australia, and Turkey, although breaches have also been noted in Brazil, the U.S., Turkey, Russia, Mexico, and Italy.
The modus operandi of this group involves tools like the open-source sqlmap for conducting SQL injection attacks, alongside payloads from tools such as BeEF for executing JavaScript designed for data collection and redirecting users to credential-harvesting sites. Group-IB’s analysis further indicates the presence of other hacking tools such as Metasploit and dirsearch within ResumeLooters’ infrastructure, coupled with directories containing stolen data.
This campaign is likely driven by financial motivations, as indicated by ResumeLooters’ establishment of two Telegram channels for selling data. Rostovcev remarked on the concerning effectiveness of long-standing SQL injection attacks, emphasizing the need for enhanced security practices in web management and database handling. The group’s ability to explore varied exploitation techniques, including XSS, reflects a worrying trend in the evolution of cybersecurity threats across the region.
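To make the "database handling" recommendation concrete, the following added example (not from the article or from Group-IB) contrasts a string-built candidate search with a parameterized one on a constructed SQLite table, and runs a small check over constructed access-log lines for the two signals a defender could watch for: sqlmap's default User-Agent prefix and quote-plus-keyword query strings. The table layout, log lines and IP addresses are all invented for illustration.

```python
import re
import sqlite3

# Constructed sample rows standing in for a job platform's candidate table.
CANDIDATES = [
    ("Ana Silva", "ana@example.com", "Sao Paulo"),
    ("Li Wei", "li.wei@example.com", "Taipei"),
    ("Priya Nair", "priya@example.com", "Bengaluru"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE candidates (name TEXT, email TEXT, city TEXT)")
    conn.executemany("INSERT INTO candidates VALUES (?, ?, ?)", CANDIDATES)
    return conn

def search_vulnerable(conn, city):
    # String formatting lets a crafted value rewrite the WHERE clause.
    sql = f"SELECT name, email FROM candidates WHERE city = '{city}'"
    return conn.execute(sql).fetchall()

def search_hardened(conn, city):
    # Bound parameter: the input is only ever treated as data, never as SQL.
    return conn.execute(
        "SELECT name, email FROM candidates WHERE city = ?", (city,)).fetchall()

# Tautology input: the vulnerable query returns every row, the hardened one none.
PAYLOAD = "' OR '1'='1"

# Constructed access-log lines; sqlmap's default User-Agent begins "sqlmap/".
ACCESS_LOG = """\
203.0.113.5 - - [01/Dec/2023:10:00:01 +0000] "GET /jobs?city=Taipei HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2023:10:00:09 +0000] "GET /jobs?city=Taipei%27%20AND%201%3D1-- HTTP/1.1" 200 9140 "-" "sqlmap/1.7 (https://sqlmap.org)"
198.51.100.7 - - [01/Dec/2023:10:00:10 +0000] "GET /jobs?city=%27%20UNION%20SELECT%20email%20FROM%20candidates-- HTTP/1.1" 200 9201 "-" "Mozilla/5.0"
"""

# A quote (raw or URL-encoded) followed by a SQL keyword is a common probe shape.
SQLI_PATTERN = re.compile(r"(%27|')(%20|\s)*(or|and|union)\b", re.IGNORECASE)

def flag_suspicious(log_text):
    """Return (client_ip, reason) for log lines that resemble SQLi probing."""
    hits = []
    for line in log_text.splitlines():
        ip = line.split(" ", 1)[0]
        ua = line.rsplit('"', 2)[1]  # final quoted field is the User-Agent
        if ua.lower().startswith("sqlmap/"):
            hits.append((ip, "sqlmap user-agent"))
        elif SQLI_PATTERN.search(line):
            hits.append((ip, "injection-like query string"))
    return hits
```

The log check is a coarse triage filter, not a WAF: a quiet operator can change the User-Agent and encode payloads differently, so the parameterized query remains the control that actually closes the hole.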