Hackers steal data of 2 million in SQL injection, XSS attacks


A threat group named 'ResumeLooters' has stolen the personal data of over 2 million job seekers after compromising 65 legitimate job listing and retail sites using SQL injection and cross-site scripting (XSS) attacks.

The attackers primarily focus on the APAC region, targeting sites in Australia, Taiwan, China, Thailand, India, and Vietnam to steal job seekers' names, email addresses, phone numbers, employment history, education, and other relevant information.

According to Group-IB, which has been following the threat group since its inception, in November 2023, ResumeLooters attempted to sell the stolen data through Telegram channels.

ResumeLooters banner

Compromising legitimate sites

ResumeLooters primarily employs SQL injection and XSS to breach targeted sites, mainly job-seeking and retail shops.

Their pen-testing phase involved the use of open-source tools like:

  • SQLmap – Automates the discovery and exploitation of SQL injection flaws, taking over database servers.
  • Acunetix – Web vulnerability scanner that identifies common vulnerabilities like XSS and SQL injection and provides remediation reports.
  • BeEF Framework – Exploits web browser vulnerabilities, assessing the security posture of a target via client-side vectors.
  • X-Ray – Detects web application vulnerabilities, revealing structure and potential weaknesses.
  • Metasploit – Develops and executes exploit code against targets; also used for security assessments.
  • ARL (Asset Reconnaissance Lighthouse) – Scans and maps online assets, identifying potential vulnerabilities in web infrastructure.
  • Dirsearch – Command-line tool for brute-forcing directories and files in web applications, uncovering hidden resources.

After identifying and exploiting security weaknesses on target sites, ResumeLooters injects malicious scripts into multiple locations in a website's HTML.

Some of these injections are placed where they trigger the script, but other locations, such as form elements or anchor tags, will simply display the injected script, as shown below.

Script injected on the target site
Source: Group-IB

However, when properly injected, a malicious remote script is executed that displays phishing forms to steal visitors' data.

Group-IB also observed cases where the attackers employed custom attack techniques, such as creating fake employer profiles and posting fake CV documents containing the XSS scripts.
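The difference the article draws between locations where the injected script is merely displayed and those where it executes comes down to whether the site encoded the stored value for its output context. The following added example (not from the article or from Group-IB) sketches the defensive side for a recruitment site: a parameterized insert so quoted input cannot alter the SQL, HTML escaping on render so a script tag stored in a CV field is shown as text rather than run, and an ingest check that flags script-like content in free-text fields. The profile record, table schema and `attacker.example` URL are constructed for the demo.

```python
import html
import re
import sqlite3

# Constructed sample record, modelled on a job-seeker profile as a recruitment
# site would store it. The summary carries an inert script tag of the kind the
# article says was planted through fake CVs; the name carries a quote character.
CONSTRUCTED_PROFILE = {
    "name": "Jane O'Neil",
    "email": "jane@example.invalid",
    "summary": '<script src="https://attacker.example/x.js"></script>',
}

# Free-text CV fields should never contain markup: flag script tags, inline
# event handlers and javascript: URLs on ingest and when auditing stored rows.
SCRIPT_PATTERN = re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)

def looks_like_injected_script(value: str) -> bool:
    """Return True when a text field contains script-like content."""
    return bool(SCRIPT_PATTERN.search(value))

def store_profile(conn: sqlite3.Connection, profile: dict) -> None:
    """Parameterized INSERT: the quote in the name is data, not SQL syntax."""
    conn.execute(
        "INSERT INTO seekers (name, email, summary) VALUES (?, ?, ?)",
        (profile["name"], profile["email"], profile["summary"]),
    )

def render_summary(summary: str) -> str:
    """HTML-escape for a text-node context, so injected markup is shown, not run."""
    return "<p>" + html.escape(summary, quote=True) + "</p>"

def demo() -> dict:
    """Store the sample, read it back, and report the two defensive checks."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE seekers (name TEXT, email TEXT, summary TEXT)")
    store_profile(conn, CONSTRUCTED_PROFILE)
    name, summary = conn.execute("SELECT name, summary FROM seekers").fetchone()
    rendered = render_summary(summary)
    return {
        "name_intact": name == CONSTRUCTED_PROFILE["name"],
        "flagged": looks_like_injected_script(summary),
        "rendered": rendered,
        "script_tag_in_output": "<script" in rendered.lower(),
    }

if __name__ == "__main__":
    print(demo())
```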

Malicious resume used for script injection
Source: Group-IB

Thanks to an opsec mistake by the attackers, Group-IB was able to infiltrate the database hosting the stolen data, revealing that the attackers managed to establish administrator access on some of the compromised sites.

Open directory exposing stolen data
Source: Group-IB

ResumeLooters conducts these attacks for financial gain, attempting to sell stolen data to other cybercriminals via at least 2 Telegram accounts that use Chinese names, namely "渗透数据中心" (Penetration Data Center) and "万国数据阿力" (World Data Ali).

Although Group-IB does not explicitly confirm the attackers' origin, ResumeLooters selling stolen data in Chinese-speaking groups and using Chinese versions of tools, like X-Ray, make it highly probable that they are from China.