
Hackers Exploit Job Boards in APAC, Steal Data of Thousands and thousands of Job Seekers

Employment companies and retail firms mainly located in the Asia-Pacific (APAC) region have been targeted by a previously undocumented threat actor known as ResumeLooters since early 2023 with the aim of stealing sensitive data.

Singapore-headquartered Group-IB said the hacking crew's activities are geared toward job search platforms and the theft of resumes, with as many as 65 websites compromised between November 2023 and December 2023.

The stolen files are estimated to contain 2,188,444 user data records, of which 510,259 were taken from job search websites. Over two million unique email addresses are present within the dataset.

“Through the use of SQL injection attacks against websites, the threat actor makes an attempt to steal user databases that will include names, telephone numbers, emails, and DoBs, in addition to details about job seekers’ expertise, employment history, and other sensitive personal data,” security researcher Nikita Rostovcev said in a report shared with The Hacker News.


“The stolen data is then put up for sale by the threat actor in Telegram channels.”

Group-IB said it also uncovered evidence of cross-site scripting (XSS) infections on at least four legitimate job search websites that are designed to load malicious scripts responsible for displaying phishing pages capable of harvesting administrator credentials.

ResumeLooters is the second group after GambleForce that has been found staging SQL injection attacks in the APAC region since late December 2023.


A majority of the compromised websites are based in India, Taiwan, Thailand, Vietnam, China, Australia, and Turkey, although compromises have also been reported from Brazil, the U.S., Turkey, Russia, Mexico, and Italy.

The modus operandi of ResumeLooters entails the use of the open-source sqlmap tool to carry out SQL injection attacks and drop and execute additional payloads such as the BeEF (short for Browser Exploitation Framework) penetration testing tool and rogue JavaScript code designed to gather sensitive data and redirect users to credential harvesting pages.
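For site operators, the sqlmap activity described above tends to leave traces in web server access logs. The following is an added example, not code from Group-IB's report or from this article: a log triage sketch that flags sqlmap's default User-Agent and, because that header can be changed, common SQL injection payload shapes in the query string. The log lines, IP addresses, paths and version string are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (combined log format); IPs, paths and versions are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2023:10:01:02 +0000] "GET /jobs?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [12/Nov/2023:10:01:05 +0000] "GET /jobs?id=12%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/1.7.11#stable (https://sqlmap.org)"
198.51.100.4 - - [12/Nov/2023:10:02:11 +0000] "GET /resume?uid=3%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20- HTTP/1.1" 500 312 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.8 - - [12/Nov/2023:10:03:40 +0000] "GET /search?q=union+organizer+select+committee HTTP/1.1" 200 800 "-" "Mozilla/5.0 (Macintosh)"
"""

# Combined log format: ip, identity, user, [time], "request", status, size, "referer", "ua"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Each rule receives the User-Agent and the URL-decoded query string.
RULES = {
    # sqlmap announces itself unless the operator overrides the header.
    "sqlmap-user-agent": lambda ua, q: ua.lower().startswith("sqlmap/"),
    # UNION-based extraction: the keywords must be adjacent, which avoids
    # flagging ordinary searches that merely contain both words.
    "union-select": lambda ua, q: bool(
        re.search(r"\bunion\s+(all\s+)?select\b", q, re.I)),
    # Time-based blind probes call a delay function.
    "time-based": lambda ua, q: bool(
        re.search(r"\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", q, re.I)),
}

def triage(log_text):
    """Return {client_ip: sorted rule names} for requests that match any rule."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        # Decode percent-encoding and '+' so patterns see the real payload.
        query = unquote_plus(urlsplit(m["target"]).query)
        matched = {name for name, rule in RULES.items() if rule(m["ua"], query)}
        if matched:
            hits.setdefault(m["ip"], set()).update(matched)
    return {ip: sorted(names) for ip, names in hits.items()}

if __name__ == "__main__":
    for ip, names in triage(SAMPLE_LOG).items():
        print(ip, ", ".join(names))
```

Pattern matching of this kind is a triage aid for finding probing after the fact; it only inspects GET query strings, and the fix for the injection itself is parameterized queries on the affected endpoints.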


The cybersecurity firm’s analysis of the threat actor’s infrastructure reveals the presence of other tools like Metasploit, dirsearch, and xray, alongside a folder hosting the pilfered data.

The campaign appears to be financially motivated, given the fact that ResumeLooters set up two Telegram channels named 渗透数据中心 and 万国数据阿力 last year to sell the information.

“ResumeLooters is yet another example of how much harm might be made with only a handful of publicly accessible tools,” Rostovcev said. “These attacks are fueled by poor security in addition to insufficient database and website administration practices.”

“It’s striking to see how some of the oldest but remarkably efficient SQL attacks remain prevalent in the region. Nonetheless, the tenacity of the ResumeLooters group stands out as they experiment with various strategies of exploiting vulnerabilities, including XSS attacks.”
