The Great Data Pilferage: Over Two Million Records Stolen by ResumeLooters

Between November and December 2023, the hacking collective known as ResumeLooters purloined over two million email addresses and other personal data from 65 websites, primarily targeting job search platforms.

The malefactors focused their efforts predominantly on countries within the Asia-Pacific region, launching attacks on websites in Australia, Taiwan, China, Thailand, India, and Vietnam.

According to analysts at Group-IB, the group primarily targeted e-commerce and job search sites, but victims were also found within the professional services, delivery, real estate, and investment sectors.

Experts estimate that the data stolen by the hackers includes 2,188,444 records, of which 510,259 were taken from job search websites.

ResumeLooters predominantly employ SQL injections and XSS vulnerabilities in their attacks to pilfer names, email addresses, phone numbers, employment histories, educational details, and other user information from compromised sites. This information is then offered for sale in Telegram channels owned by the hackers.

Given that the group’s Telegram channels have Chinese-language names, and the hackers use Chinese versions of some tools (e.g., X-Ray), researchers surmise that the malefactors may be based in China.

During their attacks, the group utilizes the following open-source tools:

  • SQLmap for automatic detection and exploitation of SQL injections, up to taking over database servers.
  • Acunetix, a vulnerability scanner that identifies common issues such as XSS and SQL injections, providing information on their remediation.
  • BeEF (Browser Exploitation Framework) to exploit browser vulnerabilities, assessing the client-side security of the target.
  • X-Ray to detect vulnerabilities in web applications, revealing their structure and potential weaknesses.
  • Metasploit, the well-known vulnerability assessment and exploitation framework.
  • ARL (Asset Reconnaissance Lighthouse) to scan and map network resources, identifying potential vulnerabilities in the network infrastructure.
  • Dirsearch, a command-line tool for brute-forcing directories and files in web applications, discovering hidden resources.

After identifying and exploiting vulnerabilities on target sites, ResumeLooters inject malicious scripts into the pages of the compromised resources. Some of these injections are used to display phishing forms that steal visitor data, while in other instances the malicious code is simply rendered as is, as evident in the screenshot below.

Furthermore, Group-IB notes that in some cases, the offenders employed other attack methods, including creating fake employer profiles and posting counterfeit resumes containing XSS scripts.
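As an added illustration (not code from the Group-IB report or from any site named above), here is a minimal job-board resume search written two ways: the first concatenates user input into SQL and renders stored resume fields raw, which is how a counterfeit resume carrying a script tag reaches every recruiter who views the results; the second uses a parameterized query and HTML escaping. The in-memory database, the sample resumes and the test strings are constructed for the example.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory job-board table seeded with constructed sample resumes."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE resumes (id INTEGER PRIMARY KEY, name TEXT, email TEXT, skills TEXT)"
    )
    db.executemany(
        "INSERT INTO resumes (name, email, skills) VALUES (?, ?, ?)",
        [
            ("Alice Example", "alice@example.invalid", "python sql"),
            ("Bob Sample", "bob@example.invalid", "java"),
            # Constructed counterfeit resume: the name field carries a script tag.
            ("<script>alert(1)</script>", "bogus@example.invalid", "python"),
        ],
    )
    return db


def search_vulnerable(db: sqlite3.Connection, skill: str) -> list:
    """Anti-pattern: user input is spliced into the SQL text (SQL injection)."""
    query = f"SELECT name, email FROM resumes WHERE skills LIKE '%{skill}%'"
    return db.execute(query).fetchall()


def search_hardened(db: sqlite3.Connection, skill: str) -> list:
    """Fix: the input travels as a bound parameter and can never alter the query."""
    query = "SELECT name, email FROM resumes WHERE skills LIKE ?"
    return db.execute(query, (f"%{skill}%",)).fetchall()


def render_unsafe(rows: list) -> str:
    """Anti-pattern: stored fields are written into HTML verbatim (stored XSS)."""
    return "".join(f"<li>{name} ({email})</li>" for name, email in rows)


def render_safe(rows: list) -> str:
    """Fix: every untrusted field is HTML-escaped before it reaches the page."""
    return "".join(
        f"<li>{html.escape(name)} ({html.escape(email)})</li>" for name, email in rows
    )


if __name__ == "__main__":
    conn = make_db()
    print(render_safe(search_hardened(conn, "python")))
```

The same `skill` string that makes the vulnerable search return every row is treated by the hardened search as a literal LIKE pattern and matches nothing, and the escaped renderer shows the planted tag as text instead of executing it.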

Thanks to an error made by the malefactors, Group-IB researchers were able to gain access to the database in which ResumeLooters stored the stolen data. It was discovered that the offenders had even managed to obtain administrator access to some of the hacked sites.