Hackers Used SQL Injection Attacks and XSS Attacks to Steal the Data of Job Applicants

Hackers known as “Resumelooters” have breached certain websites and stolen the sensitive data of people who applied for jobs. The stolen data was then sold in dark web chat groups. The hackers used Telegram groups with a Chinese name, and the data was encrypted in the Chinese language, which suggests that these hackers are most likely Chinese.

The report by Group-IB shows that the breached information includes names, phone numbers, employment history, email addresses, education, and other relevant information. The hackers targeted victims in different geographical areas, including India, Australia, Taiwan, Vietnam, and China. The APAC (Asia-Pacific) region was the main target.

These cybercriminals used SQL injection attacks to steal the user databases from the targeted websites. The report states that 65 websites were compromised between November 2023 and December 2023. The hackers were also observed using Cross-Site Scripting (XSS). Both attack types are explained below.

  • SQL Injection Attack: SQL injection is a code-level vulnerability that cybercriminals use to access the database by bypassing the application's security measures. The injected SQL queries are then used to read or manipulate the information in the database.
  • Cross-Site Scripting (XSS): It is a web security vulnerability that occurs when cybercriminals inject malicious scripts into web pages that are viewed by other users. When a user interacts with the compromised website, the malicious scripts run in their browser, and the attacker can fully exploit the interaction.

The hackers placed XSS scripts in all the forms so that they would execute on the administrators’ devices and obtain their credentials. They were able to execute the XSS script on devices that gave them administrative access, which allowed them to steal the HTML code of pages that the victims were visiting. However, the report does not confirm that admin credentials were actually stolen.
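Both attacks rely on applicant-supplied text being treated as code, first by the database and then by the administrator's browser. The following is an added example, not code from the Group-IB report or from this article: a job-application store in Python shown with the weak and the hardened handling side by side. The table, function names and sample inputs are constructed for illustration.

```python
import html
import sqlite3

# Constructed sample inputs: textbook test strings, not taken from the report.
SQLI_INPUT = "x' OR '1'='1"
XSS_INPUT = "<script>alert(1)</script>"

def make_db():
    """In-memory applicant table with two constructed records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE applicants (name TEXT, email TEXT)")
    for row in [("Alice", "alice@example.test"), ("Bob", "bob@example.test")]:
        submit_application(db, *row)
    return db

def submit_application(db, name, email):
    # Form input is bound as parameters, so it is stored as data only.
    db.execute("INSERT INTO applicants VALUES (?, ?)", (name, email))

def search_vulnerable(db, name):
    # Weak: the input becomes part of the SQL text and can rewrite the query.
    sql = "SELECT name, email FROM applicants WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def search_safe(db, name):
    # Hardened: the driver passes the value separately from the statement.
    sql = "SELECT name, email FROM applicants WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

def admin_table(db, escape=True):
    """Render the admin's applicant list; escape=False is the weak form."""
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    rows = db.execute("SELECT name, email FROM applicants").fetchall()
    return "".join(f"<tr><td>{enc(n)}</td><td>{enc(e)}</td></tr>" for n, e in rows)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable search:", search_vulnerable(db, SQLI_INPUT))
    print("safe search:      ", search_safe(db, SQLI_INPUT))
    submit_application(db, XSS_INPUT, "x@example.test")
    print("unescaped admin view contains script tag:",
          "<script>" in admin_table(db, escape=False))
    print("escaped admin view contains script tag:  ",
          "<script>" in admin_table(db, escape=True))
```

Escaping at render time matters even when the insert is parameterized: the form text is stored intact and only becomes harmless when the admin page encodes it on output.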

Other Tools Used by the Hackers  

Tools like Metasploit, X-Ray, and Dirsearch were also observed on the hackers’ server. Along with these well-known open-source tools, the report indicated that the hackers had written some scripts of their own to connect to targeted websites and parse relevant data.

There is no evidence of how the attackers obtained the initial data for parsing on these websites, but using this method, they were able to attack a few job search websites and parse their data.

Storage of the Stolen Data  

After stealing the data using sqlmap, the hackers stored it in an open directory on their server. The stored data included cookies, page source code (HTML), etc. However, they failed to disable directory listing on the web server, which is how they were exposed to the world.

Conclusion  

“Resumelooters” have been involved in these cybercrimes for a long time, but now they are operating on a larger scale, with more careful planning, and attacking vulnerabilities that ordinary individuals neglect. In 2023, Resumelooters attacked and compromised around 65 websites. Ordinary job seekers are targeted and exploited by these cybercriminals.

This incident serves as a reminder of how simple online tools can be used in large-scale cybercrime and how easily cybercriminals can manipulate and exploit victims on such a huge scale. We hope you find this information useful. Do share it with your friends who are looking for jobs or applying for another job.
