Targeting job-search, government and gambling websites, two threat groups using SQL injection and XSS attacks are now under scrutiny.

A large-scale malicious group primarily targeting job search and retail websites in the Asia-Pacific region (APAC) has been uncovered. 

The group, dubbed ResumeLooters by threat researchers from Group-IB, has already successfully infected at least 65 websites between November and December 2023 through SQL injection and Cross-Site Scripting (XSS) attacks. Most of the gang’s victims (70%) are located in India (12), Taiwan (10), Thailand (9), Vietnam (7), China (3), Australia (2), the Philippines (1) and South Korea (1).  

ResumeLooters is confirmed to have stolen several databases containing 2,079,027 unique emails addresses and other personal data such as names, phone numbers, dates of birth, as well as information about job applicants’ work experience and employment history. The stolen data has then been offered for sale in Chinese-speaking Telegram groups dedicated to hacking and penetration testing. 

Operating since the beginning of 2023, ResumeLooters has been utilizing several penetration testing frameworks and open-source tools such as sqlmapAcunetixBeef FrameworkX-RayMetasploit, ARL, and Dirsearch. According to Nikita Rostovcev, Senior Analyst, Advanced Persistent Threat Research Team, Group-IB: “In less than two months, we have identified yet another threat actor conducting SQL injection attacks against companies in APAC. It is striking to see how some of the oldest yet remarkably effective SQL attacks remain prevalent in the region. However, the ResumeLooters group stands out as they experiment with diverse methods of exploiting vulnerabilities, including XSS attacks. Additionally, the gang’s attacks cover a vast geographical area.”

Diverse modus operandi

There has been a noticeable increase in threat actors in APAC. In December 2023, Group-IB reported on GambleForce, another group that has conducted over 20 SQL injection attacks against gambling and government websites in the region. 

Distribution of ResumeLooters' victims by country and sector
Source: Group-IB Threat Intelligence

Unlike GambleForce, which focuses solely on SQL injections, ResumeLooters has a more diverse modus operandi. In addition to SQL injection attacks, ResumeLooters have successfully executed XSS scripts on at least four legitimate job search websites. On one of these websites, the attackers had implanted a malicious script by creating a fake employer profile. As a result, the attackers had been able to steal the HTML code of the pages visited by the victims, including those with administrative access. 

Malicious XSS scripts were also intended to display phishing forms on legitimate resources. It is believed that the attackers’ main goal was to steal admin credentials. However, no evidence of successful theft of administrative credentials has been found so far.

To protect against injection attacks, organizations are advised to use parameterized or prepared statements instead of directly concatenating user input into SQL queries. It is essential to implement comprehensive input validation and sanitization on both the client and server sides. 

Performing regular security assessments and code reviews will help to identify and mitigate injection vulnerabilities.