Millions of people looking for a new job have had their personal data stolen and put for sale on dark web chat groups after several sites were breached.
Cybersecurity experts from Group-IB have released a new report outlining their research into a relatively new threat actor called ResumeLooters and how it was able to sell a huge database on the dark web.
ResumeLooters first emerged in November 2023, when it successfully compromised 65 job listing and retail sites using two techniques - SQL injection, and cross-site scripting (XSS). With the help of tools like SQLmap, Acunetix, X-Ray, or Metasploit, the attackers were able to scan the web for flaws, automate detection and exploitation of SQL injection flaws, develop and execute exploit code against targets, and more.
In it for the money
After successfully pinpointing and exploiting flaws on the sites, the attackers proceed to inject malicious scripts into different places in the HTML. Some injections will trigger the script, while others will simply display it, the researchers explained. The script’s goal is to display a phishing form that steals sensitive data from the visitors.
Apparently, the victims have had their full names, email addresses, phone numbers, employment history, education, and other relevant information, all taken. Plenty of information for a targeted spear-phishing attack, or even identity theft. Most victims are located in the APAC part of the world, in countries such as Australia, Taiwan, China, Thailand, India, and Vietnam.
After stealing the data, ResumeLooters tried to sell it on the dark web, Group-IB added. They offered it in two Telegram channels, using accounts with Chinese names. Even the tools they used were in Chinese, prompting the researchers to conclude that ResumeLooters are most likely from China.
They don’t seem to be state-sponsored, however, as the goal of the campaign was material.
“In less than two months, we have identified yet another threat actor conducting SQL injection attacks against companies in the Asia-Pacific region,” said Nikita Rostovcev, Senior Analyst at the Advanced Persistent Threat Research Team, Group-IB.
“It is striking to see how some of the oldest yet remarkably effective SQL attacks remain prevalent in the region. However, the tenacity of the ResumeLooters group stands out as they experiment with diverse methods of exploiting vulnerabilities, including XSS attacks. Additionally, the gang’s attacks cover a vast geographical area.”
More from TechRadar Pro
- Top password manager denies its entire database can be stolen
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.