A large-scale attack campaign attributed to the ResumeLotters threat group has come to the notice of Group-IB researchers. The campaign was active between November and December 2023 and was successfully launched against 65 websites to steal over two million unique emails.
Tactics used
According to researchers, the group leveraged SQL injection and Cross-Site Scripting (XSS) attacks to target recruitment and retail websites in Asia-Pacific.
The threat actor used SQL injection to retrieve databases containing close to 2.2 million rows of data, more than 500,000 of which represented user data from employment websites.
Whereas in some cases ResumeLooters used XSS attacks to load malicious scripts onto legitimate job search sites.
In one of its XSS attacks, the group created a fake employer profile on a legitimate recruitment site to trick job seekers into sharing their personal information.
These attacks were launched using various penetration testing tools such as sqlmap, Acunetix, Beef Framework, X-Ray, Metasploit, ARL, and Dirsearch.
A global attack
The stolen data, which comprised names, phone numbers, dates of birth, and information about job seekers, were put up for sale on Chinese-speaking hacking-themed Telegram groups.
Over 70% of the affected victims are located in India, Taiwan, Thailand, and Vietnam, followed by some companies in Brazil, the U.S., Turkey, Russia, Mexico, and Italy.
Conclusion
The discovery of a new campaign serves as a reminder to secure databases and websites—which can be exploited by publicly available tools—by employing adequate management practices. Moreover, organizations must take necessary precautions to counter SQL injection and XSS attacks to prevent falling victim to such threats.