'ResumeLooters' Attackers Steal Millions of Career Records

10 months ago 41
News Banner

Looking for an Interim or Fractional CTO to support your business?

Read more

Dark-haired man in a business suit typing at a laptop at a kitchen table

Source: Federico Caputo via Alamy Stock Photo

Attackers used SQL injection and cross-site scripting (XSS) to target at least 65 job-recruitment and retail websites with legitimate penetration-testing tools, stealing databases containing more than 2 million emails and other personal records of job seekers in just a month's time.

Dubbed "ResumeLooters" by researchers in Group-IB's Threat Intelligence Unit — who discovered the campaign — the group targeted mainly victims in India, Taiwan, Thailand, Vietnam, China, and Australia, stealing emails and other data containing personal information from people's resumes, researchers revealed in a blog post on Feb. 6. The data included names, phone numbers, and dates of birth, as well as information about job seekers’ experience and employment history.

All told, the group — believed to be operating since the beginning of 2023 — stole several databases containing 2,079,027 unique emails and other records in attacks that occurred between last November and December, the researchers found. While more than 70% of victims were in the Asia-Pacific (APAC) region, Group-IB also identified compromised companies in other regions, including Brazil, Italy, Mexico, Russia, Turkey, and the US.

Specifically, attackers targeted 26 retail companies and 19 job-seeking sites, as well as a handful of organizations in professional services, delivery, real estate, investment, and other industries. The group then put the stolen data up for sale on Chinese-speaking Telegram channels.

Cyberattacks Using Pen-Testing Tools

ResumeLooters' attack vector is similar to that of another group called GambleForce, which Group-IB discovered targeting APAC region in September. Like that group, attackers used a variety of publicly available penetration-testing tools to target and inject malicious script into websites. In the case of ResumeLooters, common tools included Acunetix, Beef Framework, X-Ray, Metasploit, ARL (Asset Reconnaissance Lighthouse), and Dirsearch.

"ResumeLooters is yet another example of how much damage can be made with just a handful of publicly available tools," senior threat analyst Nikita Rostovcev from Group-IB's advanced persistent threat (APT) research team wrote in the post. "Both GambleForce and ResumeLooters employ very straightforward attack methods."

The team's investigation began with the identification of a malicious server at 139.180.137[.]107, on which they found logs of several penetration-testing tools, including sqlmap, that revealed the attackers were targeting employment websites and retail companies.

The most common initial vector used by ResumeLooters is SQL injection via sqlmap, but in some cases attackers injected XSS scripts into legitimate job-search sites to carry out attacks, the researchers found. The attack occurs when the injection triggers the execution of a malicious remote script that displays a phishing form to steal visiting job seekers' data.

In one of its XSS attacks, ResumeLooters even created a fake employer profile on a legitimate recruitment website, injecting malicious XSS script into one of the fields in the profile. The profile also included a link to admin.cloudnetsafe[.]com, which the researchers believe could be another domain associated with the group, though it was inaccessible at the time the researchers analyzed it.

Evidence also suggested that ResumeLooters attempted to gain shell access on target systems to download and execute additional payloads, and try to find more data, while having full control of the victims' server. However, it's unclear if these attempts were successful, Rostovcev said.

Group-IB has notified the victims of the companies targeted in the attacks "so they could take all necessary steps to mitigate further damage," he added.

Job Seekers in the Cyber Crosshairs

Threat actors often target job seekers through various employment scams, due to the range of information that can be gleaned through communications with them, as well as the opportunity to sway them using social engineering.

Indeed, threat groups from North Korea in particular are adept at targeting job seekers worldwide using fake job offers aimed at stealing their personal info and credentials. Attackers also exploit social media platforms, such as Facebook, to target those seeking employment, especially for remote work.

Attacks like the ones by ResumeLooters and GambleForce are "easily avoidable," yet company websites can be compromised due to "poor security as well as inadequate database and website management practices," Rostovcev noted.

The campaign is a reminder to organizations that they must prioritize cybersecurity and stay vigilant against evolving threats, he said. To do this, Group-IB made several recommendations for organizations to prevent both SQL injection and XSS attacks.

For the former, organizations should use parameterized statements or prepared statements provided by their particular programming language or framework when linking together user input directly into SQL queries. "This helps to separate user input from SQL code," Rostovcev wrote.

Implementing a Web application firewall can detect and block SQL injection attempts, providing an additional layer of defense against various Web application attacks. Another tactic that can help prevent both SQL injection and XSS attacks is to validate and sanitize user inputs on both the client and server sides, ensuring that inputs adhere to expected formats and length constraints, according to Group-IB.

To prevent XSS attacks, the researchers suggested, organizations also can escape special characters to ensure that they are treated as literal text and not interpreted as code before rendering user-generated content.

Read Entire Article