A hacking group known as ResumeLooters has stepped up its attacks on recruitment agencies and retail companies since the beginning of 2023, mainly in the Asia-Pacific (APAC) region, with the aim of stealing sensitive data. According to Group-IB, 65 websites were compromised between November and December 2023, from which more than 2 million records of user data were stolen, including 510,259 resumes from job search sites.
ResumeLooters use SQL injection to steal user databases containing names, phone numbers, email addresses, dates of birth, and information about work experience and employment history. The stolen data is then put up for sale in Telegram channels and chat rooms. In addition, cross-site scripting (XSS) injection was discovered on several legitimate job search websites, where it caused phishing pages to be displayed in order to collect administrative credentials.
Most of the websites attacked are located in India, Taiwan, Thailand, Vietnam, China, Australia and Turkey, but compromises have also been reported in Brazil, the US, Russia, Mexico and Italy. ResumeLooters use the open-source tool sqlmap to perform SQL injections, as well as other tools such as Metasploit, dirsearch, and xray to extract and execute additional data.
These attacks are made possible by weak security and inadequate database and website management practices. Cybersecurity researchers point out that even some of the oldest SQL attack methods remain extremely effective in the region, but the persistence of the ResumeLooters group stands out as they experiment with different methods of exploiting vulnerabilities.