ResumeLooters Breach Millions of Resumes and Personal Data from Job Boards

A newly identified threat actor, ResumeLooters, has been orchestrating a series of targeted attacks against employment agencies and retail companies across the Asia-Pacific (APAC) region since early 2023, with the primary objective of pilfering sensitive data.

According to the findings, ResumeLooters has focused its efforts on job search platforms, compromising a staggering 65 websites between November and December 2023. The stolen data encompasses over 2 million user records, including email addresses, names, phone numbers, and dates of birth, alongside detailed employment histories and other personal information of job seekers.

The modus operandi of ResumeLooters primarily involves exploiting SQL injection vulnerabilities to infiltrate website databases, from which they extract valuable user data. This stolen information is then monetized through sales on Telegram channels operated by the threat actor.

Furthermore, the researcher has uncovered evidence of cross-site scripting (XSS) infections on legitimate job search websites, enabling the deployment of phishing pages aimed at harvesting administrator credentials. This sophisticated approach highlights the evolving tactics employed by ResumeLooters to maximize their impact and evade detection.

Notably, ResumeLooters is not the first threat actor to leverage SQL injection attacks in the APAC region, following in the footsteps of GambleForce. However, the scale and persistence of ResumeLooters’ operations underscore the urgent need for improved cybersecurity measures within the affected sectors.

The group’s arsenal includes a range of tools such as sqlmap, Metasploit, and dirsearch, enabling them to conduct reconnaissance, exploit vulnerabilities, and execute malicious payloads with alarming efficiency. Additionally, the presence of rogue JavaScript code further amplifies the threat posed by ResumeLooters, facilitating data exfiltration and redirection to credential harvesting pages.
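For defenders, the tooling named above leaves recognizable traces in web server logs. The following is an added example, not code from the original report or the researcher: a Python log triage that flags clients showing sqlmap's default user agent, SQL injection patterns in query strings, or dirsearch-style path enumeration. The combined log format, the pattern list, the 404 threshold, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2023:10:01:02 +0000] "GET /jobs?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Dec/2023:10:01:03 +0000] "GET /favicon.ico HTTP/1.1" 404 150 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Dec/2023:10:01:05 +0000] "GET /jobs?id=12%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 500 310 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
198.51.100.9 - - [05/Dec/2023:10:01:06 +0000] "GET /jobs?id=12%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Dec/2023:10:02:00 +0000] "GET /admin.bak HTTP/1.1" 404 150 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Dec/2023:10:02:00 +0000] "GET /.git/config HTTP/1.1" 404 150 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Dec/2023:10:02:01 +0000] "GET /backup.zip HTTP/1.1" 404 150 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Dec/2023:10:02:01 +0000] "GET /phpinfo.php HTTP/1.1" 404 150 "-" "Mozilla/5.0"
"""

# ip, method, request target, status, user agent
LINE = re.compile(
    r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
# Assumed (non-exhaustive) SQL injection indicators, checked after URL-decoding.
SQLI = re.compile(
    r"\bunion\b.+\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|information_schema|\bor\s+\d+\s*=\s*\d+",
    re.IGNORECASE)

def analyze(log_text, enum_threshold=4):
    """Return {client_ip: sorted list of findings} for suspicious clients only."""
    findings = defaultdict(set)
    missing = defaultdict(set)          # distinct paths that returned 404, per client
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                    # skip lines that are not in the expected format
        ip, _method, target, status, agent = m.groups()
        path, _, query = target.partition("?")
        if "sqlmap" in agent.lower():
            findings[ip].add("sqlmap-user-agent")
        if SQLI.search(unquote_plus(query)):
            findings[ip].add("sqli-pattern-in-query")
        if status == "404":
            missing[ip].add(path)
    for ip, paths in missing.items():
        if len(paths) >= enum_threshold:    # many distinct misses suggests a wordlist scan
            findings[ip].add("path-enumeration")
    return {ip: sorted(tags) for ip, tags in findings.items()}

if __name__ == "__main__":
    for ip, tags in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

The user-agent check only catches a scanner left at its default configuration, so the query-string and 404-rate signals carry more weight in practice.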

The researcher’s analysis sheds light on the financial motivation behind ResumeLooters’ activities, as evidenced by their establishment of Telegram channels dedicated to selling stolen data. This underscores the lucrative nature of cybercrime and the need for robust defenses to safeguard against such malicious endeavors.

The prevalence of SQL injection attacks and XSS vulnerabilities underscores the importance of proactive cybersecurity measures and the adoption of best practices in website and database management. As ResumeLooters continues to evolve its tactics, organizations must remain vigilant and prioritize security to mitigate the risks posed by such sophisticated threats.

Be cautious when uploading personal information to job boards and ensure that the platforms you use prioritize data security and privacy. Use strong, unique passwords for job board accounts and consider limiting the amount of sensitive information you share online. Regularly monitor your credit report for any unusual activity and consider placing a fraud alert or credit freeze on your accounts if necessary.