Data thieves loot job ad websites across Asia


A new cybercriminal gang nicknamed ResumeLooters has been spotted targeting dozens of websites in Asia associated with online retail and job ads. The purpose appears to be stealing and harvesting user data.

Group-IB’s threat intelligence analysts say they observed 65 websites from Asian nations including India, Taiwan, Thailand, and Vietnam attacked by ResumeLooters, who used cross-site scripting (XSS) to remotely inject malicious code into their systems.

This allowed the group to manipulate the sequence query language (SQL) system used by computers to ‘talk’ to each other to launch the attacks on the unnamed target websites, resulting in the theft of names, phone numbers, dates of birth, and email addresses.

Group-IB adds that the gang was further able to learn details about jobseekers such as their employment history, with about a quarter of the data stolen during the campaign taken from job search websites.

Not only that, but through the cunning deployment of fake resumes, the aptly named cyber gang was able lure retailers presumably looking to hire, adding them to the tally of victims.

Such a haul of data could add up to a powerful weapon in the hands of fraudsters, so while this crime may not have immediate repercussions, it could well lead to loss of money for victims further down the line.

The attacks took place over the last two months of 2023, suggesting that ResumeLooters could be quite prolific if left unchecked. Group-IB adds that it first perceived suspected activities by the gang at the beginning of last year.

Nor has ResumeLooters confined its activities to Asia. Group-IB says it also spotted its digital footprint stamped across targets in Brazil, Italy, the US, Turkey, Russia, and Mexico.

What appears unclear is where the gang itself originates from – given the wide spread of victim locations, it is unlikely to be a nation-state group motivated by any political ideology and may be a for-profit outfit with no fixed affiliation.

At the time of writing, Cybernews has reached out to Group-IB for further information in this regard and is awaiting a response.

“ResumeLooters is yet another example of how much damage can be done with just a handful of publicly available tools,” said Group-IB.

Describing the attacks as “very straightforward” and “easily avoidable,” it added: “These attacks are fueled by poor security as well as inadequate database and website management practices. This newly discovered malicious campaign serves as a reminder of the need for organizations to prioritize cybersecurity and stay vigilant against evolving threats.”