Millions of people looking for a new job have had their personal data stolen and put for sale on dark web chat groups after several sites were breached.
Cybersecurity experts from GroupIB have released a new report outlining their research into a relatively new threat actor called ResumeLooters and how it was able to sell a huge database on the dark web.
ResumeLooters first emerged in November 2023, when it successfully compromised 65 job listing and retail sites using two techniques SQL injection, and crosssite scripting (XSS). With the help of tools like SQLmap, Acunetix, XRay, or Metasploit, the attackers were able to scan the web for flaws, automate detection and exploitation of SQL injection flaws, develop and execute exploit code against targets, and more.
In it for the money
After successfully pinpointing and exploiting flaws on the sites, the attackers proceed to inject malicious scripts into different places in the HTML. Some injections will trigger the script, while others will simply display it, the researchers explained. The script’s goal is to display a phishing form that steals sensitive data from the visitors.
Apparently, the victims have had their full names, email addresses, phone numbers, employment history, education, and other relevant information, all taken. Plenty of information for a targeted spearphishing attack, or even identity theft. Most victims are located in the APAC part of the world, in countries such as Australia, Taiwan, China, Thailand, India, and Vietnam.
After stealing the data, ResumeLooters tried to sell it on the dark web, GroupIB added. They offered it in two Telegram channels, using accounts with Chinese names. Even the tools they used were in Chinese, prompting the researchers to conclude that ResumeLooters are most likely from China.
They don’t seem to be statesponsored, however, as the goal of the campaign was material.
“It is striking to see how some of the oldest yet remarkably effective SQL attacks remain prevalent in the region. However, the tenacity of the ResumeLooters group stands out as they experiment with diverse methods of exploiting vulnerabilities, including XSS attacks. Additionally, the gang’s attacks cover a vast geographical area.”