A recent cybersecurity attack has emerged targeting at least 65 job-recruitment and retail websites across multiple countries, with hackers stealing databases containing over 2 million emails and other personal records of job seekers within a month’s time. Dubbed “ResumeLooters” by researchers at Group-IB’s Threat Intelligence Unit, the culprits used SQL injection and cross-site scripting (XSS) techniques to carry out the attacks, stealing the personal information of job seekers from countries including India, Taiwan, Thailand, Vietnam, China, Australia, Brazil, Italy, Mexico, Russia, Turkey, and the United States.
Group-IB’s advanced persistent threat (APT) research team uncovered the campaign after identifying a malicious server linked to several penetration-testing tools that pointed to attacks on employment websites and retail companies. The group used a variety of publicly available tools, including Acunetix, Beef Framework, X-Ray, Metasploit, ARL (Asset Reconnaissance Lighthouse), and Dirsearch, to execute the attacks. Through SQL injection via sqlmap and XSS script injections into legitimate job-search sites, the attackers managed to gain access to sensitive data from unsuspecting job seekers.
This recent attack is reminiscent of another group called GambleForce, which Group-IB discovered targeting the Asia-Pacific (APAC) region in September. Both groups exploited common tools and straightforward attack methods to carry out their malicious activities. Attackers from ResumeLooters also attempted to gain shell access on target systems to download and execute additional malicious payloads, while also trying to find more data with full control of the victims’ servers.
Group-IB has urged companies and organizations to prioritize cybersecurity and stay alert to evolving threats, particularly in the areas of SQL injection and XSS attacks. The researchers recommended several security measures to prevent such attacks, including using parameterized statements or prepared statements, implementing a web application firewall, validating and sanitizing user inputs, and escaping special characters to prevent XSS attacks.
The cybersecurity campaign conducted by ResumeLooters serves as a reminder to companies to take appropriate measures to safeguard their databases and websites, as well as to notify potential victims in case of a breach. The use of publicly available penetration-testing tools highlights the importance of robust cybersecurity measures to protect sensitive data against malicious actors looking to exploit vulnerabilities in business websites. With the rise of cyber threats targeting job seekers and companies, it is essential for organizations to adopt strong security practices to mitigate the risk of data breaches and cyber-attacks.