Employment agencies and retail companies chiefly located in the Asia-Pacific (APAC) region have been targeted by a previously undocumented threat actor known as ResumeLooters since early 2023 with the goal of stealing sensitive data.
Singapore-headquartered Group-IB said the hacking crew's activities are geared towards job search platforms and the theft of resumes, with as many as 65 websites compromised between November 2023 and December 2023.
The stolen files are estimated to contain 2,188,444 user data records, of which 510,259 have been taken from job search websites. Over two million unique email addresses are present within the dataset.
"By using SQL injection attacks against websites, the threat actor attempts to steal user databases that may include names, phone numbers, emails, and DoBs, as well as information about job seekers' experience, employment history, and other sensitive personal data," security researcher Nikita Rostovcev said in a report shared with The Hacker News.
"The stolen data is then put up for sale by the threat actor in Telegram channels."
Group-IB said it also uncovered evidence of cross-site scripting (XSS) infections on at least four legitimate job search websites that are designed to load malicious scripts responsible for displaying phishing pages capable of harvesting administrator credentials.
ResumeLooters is the second hacking group after GambleForce that has been found staging SQL injection attacks in the APAC region since the latter's public disclosure in late December 2023.
A majority of the compromised websites are based in India, Taiwan, Thailand, Vietnam, China, Australia, and Turkey, although compromises have also been reported from Brazil, the U.S., Turkey, Russia, Mexico, and Italy.
The modus operandi of ResumeLooters involves the use of the open-source sqlmap tool to carry out SQL injection attacks and drop and execute additional payloads such as the BeEF (short for Browser Exploitation Framework) penetration testing tool and rogue JavaScript code designed to gather sensitive data and redirect users to credential harvesting pages.
The cybersecurity company's analysis of the threat actor's infrastructure reveals the presence of other tools like Metasploit, dirsearch, and xray, alongside a folder hosting the pilfered data.
The campaign appears to be financially motivated, given the fact that ResumeLooters have set up two Telegram channels named 渗透数据中心 and 万国数据阿力 as of last year to sell the information.
"ResumeLooters is yet another example of how much damage can be made with just a handful of publicly available tools," Rostovcev said. "These attacks are fueled by poor security as well as inadequate database and website management practices."
"It is striking to see how some of the oldest yet remarkably effective SQL attacks remain prevalent in the region. However, the tenacity of the ResumeLooters group stands out as they experiment with diverse methods of exploiting vulnerabilities, including XSS attacks."
