Group-IB's Threat Intelligence unit has identified a large-scale malicious group, which it dubbed ResumeLooters, that targets job search and retail websites of companies in the Asia-Pacific region, primarily in India, Taiwan, Thailand, Vietnam, China, and Australia.
Selling stolen data
The threat actor successfully infected at least 65 websites from November to December 2023 through SQL injection and Cross-Site Scripting (XSS) attacks, stealing databases containing 2,079,027 unique emails and other job seeker records. ResumeLooters sold the data in Telegram channels. Group-IB notified victims to prevent further damage.
SQL attacks
“It is striking to see how some of the oldest yet remarkably effective SQL attacks remain prevalent in the region. However, the tenacity of the ResumeLooters group stands out as they experiment with diverse methods of exploiting vulnerabilities, including XSS attacks,” says Nikita Rostovcev, senior analyst at the Advanced Persistent Threat Research Team, Group-IB.
Group-IB found that ResumeLooters injected malicious SQL queries into 65 job search, retail, and other websites and retrieved 2,188,444 rows, of which 510,259 were user data from employment websites.
Preventing injection attacks
With a notable increase in threat actors in APAC, Group-IB recommends using parameterized or prepared statements instead of directly concatenating user input into SQL queries to protect against injection vulnerabilities.
Implementing comprehensive input validation and sanitization on both the client and server sides and performing regular security assessments and code reviews can help mitigate injection attacks.
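The two recommendations above, parameterized statements and server-side input validation, shown side by side as an added example that is not from Group-IB's report. The `candidates` table, its rows, and the function names are constructed for illustration, using Python's built-in `sqlite3` module.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for a job board's candidate table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE candidates "
               "(id INTEGER PRIMARY KEY, name TEXT, email TEXT, city TEXT)")
    db.executemany(
        "INSERT INTO candidates (name, email, city) VALUES (?, ?, ?)",
        [("Asha", "asha@example.test", "Pune"),
         ("Minh", "minh@example.test", "Hanoi"),
         ("Wei", "wei@example.test", "Taipei")],
    )
    return db

def search_concatenated(db, city):
    # Weak form: user input becomes part of the SQL text itself,
    # so a quote in the input changes the structure of the query.
    sql = "SELECT name, email FROM candidates WHERE city = '" + city + "'"
    return db.execute(sql).fetchall()

# Column names cannot be bound as parameters, so they are validated
# server-side against a fixed allow-list instead.
SORT_COLUMNS = {"name": "name", "city": "city"}

def search_parameterized(db, city, sort_by="name"):
    if sort_by not in SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    if not isinstance(city, str) or len(city) > 64:
        raise ValueError("invalid city")
    # The ? placeholder passes the value separately from the statement,
    # so quotes inside it are treated as data, never as SQL syntax.
    sql = ("SELECT name, email FROM candidates WHERE city = ? "
           f"ORDER BY {SORT_COLUMNS[sort_by]}")
    return db.execute(sql, (city,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print("concatenated rows:", len(search_concatenated(db, crafted)))
    print("parameterized rows:", len(search_parameterized(db, crafted)))
    print("normal search:", search_parameterized(db, "Hanoi"))
```

The allow-list matters because placeholders only cover values: anything that selects a column, table, or sort direction has to be mapped from a fixed set rather than passed through.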