Hackers Exploit Job Sites to Steal Millions of User Data

Written by: Shipra Sanganeria, Cybersecurity & Tech Writer

Fact-checked by: Justyn Newman, Head Content Manager

A previously unknown threat actor was found to be targeting recruitment and retail companies in the APAC region, with the aim of harvesting emails and other sensitive user information.

First detected in November 2023, the unknown hackers, dubbed “ResumeLooters” by the Singapore-based Group-IB, harvested data from 65 websites between November and December 2023.

The gang used SQL injection (SQLi) attacks and, on a few websites, injected cross-site scripting (XSS) scripts. It was discovered selling the extracted data on “Chinese-speaking, hacking-themed Telegram groups.”

“ResumeLooters tried inserting XSS scripts into all possible web forms of the targeted websites, hoping they would display phishing forms to obtain admin credentials,” Group-IB disclosed.

The stolen data is said to contain 2,188,444 user records, of which 510,259 were taken from job search websites. These records consist of names, phone numbers, dates of birth, employment history, email addresses, and other sensitive data. Moreover, it is believed that the campaign enabled the hackers to harvest more than two million unique email addresses.

Focussing on the APAC region, the campaign mainly targeted companies in India (12), Taiwan (10), Thailand (9), Vietnam (7), and China (3). Furthermore, Group-IB revealed that companies in Brazil, the USA, Turkey, Russia, Mexico, Italy, and some other non-APAC countries were also on the list of victims.

The identified companies were notified in order to contain the incident and prevent further damage.

While it mainly relied on SQL injection via sqlmap as an initial vector, the gang also used other penetration testing tools. Applications like sqlmap, Acunetix, BeEF Framework, X-Ray, Metasploit, ARL (Asset Reconnaissance Lighthouse), and Dirsearch were found on its servers.

According to the threat intelligence company, this is the second group in less than two months that was found “conducting SQL injection attacks against companies in the Asia-Pacific region.” In December 2023, the firm discovered GambleForce, an SQL injection gang that attacked 20 websites in the region.
