Stealing your career: Group-IB uncovers ResumeLooters’ data thefts

Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, identified a large-scale malicious campaign primarily targeting job search and retail websites of companies in the Asia-Pacific region. The group, dubbed ResumeLooters by Group-IB’s Threat Intelligence unit, successfully infected at least 65 websites between November and December 2023 through SQL injection and Cross-Site Scripting (XSS) attacks. Most of the gang’s victims were found to be located in India, Taiwan, Thailand, Vietnam, China, and Australia.

ResumeLooters is confirmed to have stolen several databases containing 2,079,027 unique emails and other records, such as names, phone numbers, dates of birth, as well as information about job seekers’ experience and employment history. The stolen data was then offered for sale by ResumeLooters in Telegram channels. Group-IB issued notifications to the identified victims so they could take necessary measures to mitigate further damage.

Operating since the beginning of 2023, ResumeLooters has been utilizing several penetration testing frameworks and open-source tools, such as sqlmap, Acunetix, Beef Framework, X-Ray, Metasploit, ARL, and Dirsearch. As a result, the gang was able to inject malicious SQL queries into 65 job search, retail and other websites and retrieve a total of 2,188,444 rows, of which 510,259 were user data from employment websites.

Over 70% of known ResumeLooters’ victims are located in the Asia-Pacific region. The gang is primarily focused on India (12 victims), Taiwan (10), Thailand (9), Vietnam (7), China (3), Australia (2), the Philippines (1), South Korea (1), and Japan (1). However, compromised websites have also been identified outside of APAC, including in Brazil, the USA, Turkey, Russia, Mexico, and Italy.

Group-IB’s researchers have established two Telegram accounts associated with the threat actor. Both accounts have been used to offer the stolen data for sale in Chinese-speaking Telegram groups dedicated to hacking and penetration testing.

“In less than two months, we have identified yet another threat actor conducting SQL injection attacks against companies in the Asia-Pacific region. It is striking to see how some of the oldest yet remarkably effective SQL attacks remain prevalent in the region. However, the tenacity of the ResumeLooters group stands out as they experiment with diverse methods of exploiting vulnerabilities, including XSS attacks. Additionally, the gang’s attacks cover a vast geographical area.”

Nikita Rostovcev

Senior Analyst at the Advanced Persistent Threat Research Team

There is a noticeable increase in the interest of threat actors in the Asia-Pacific region. In December 2023, Group-IB issued a report about GambleForce, another group which conducted over 20 SQL injection attacks against gambling and government websites in the region. Unlike GambleForce, which focuses solely on SQL injections, ResumeLooters has a more diverse modus operandi. In addition to SQL injection attacks, they have successfully executed XSS scripts on at least four legitimate job search websites. On one of these websites, the attackers implanted a malicious script by creating a fake employer profile. As a result, the attackers were able to steal the HTML code of the pages visited by the victims, including those with administrative access. Malicious XSS scripts were also intended to display phishing forms on legitimate resources. It is believed that the attackers’ main goal was to steal admin credentials. However, no evidence of successful theft of administrative credentials was found.

To protect against injection attacks, companies are recommended to use parameterized or prepared statements instead of directly concatenating user input into SQL queries. It is essential to implement comprehensive input validation and sanitization on both the client and server sides. Performing regular security assessments and code reviews helps to identify and mitigate injection vulnerabilities.

The comprehensive examination of ResumeLooters’ malicious infrastructure, tools, and tactics, along with the full list of indicators of compromise, is available in Group-IB’s latest blog post.

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, The most complete Fraud Protection, AI-powered Digital Risk Protection, Multi-layered protection with Managed Extended Detection and Response (XDR), All-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.