Job seekers beware — hackers are exploiting SQL flaws to steal data on millions of victims

Pls share this post

Listen to this article

Millions of people looking for a new job have had their personal data stolen and put for sale on dark web chat groups after several sites were breached.

Cybersecurity experts from Group-IB have released a new report outlining their research into a relatively new threat actor called ResumeLooters and how it was able to sell a huge database on the dark web.

ResumeLooters first emerged in November 2023, when it successfully compromised 65 job listing and retail sites using two techniques – SQL injection, and cross-site scripting (XSS). With the help of tools like SQLmap, Acunetix, X-Ray, or Metasploit, the attackers were able to scan the web for flaws, automate detection and exploitation of SQL injection flaws, develop and execute exploit code against targets, and more.

READ ALSO  How businesses can adapt to consumers’ changing digital needs

In it for the money

After successfully pinpointing and exploiting flaws on the sites, the attackers proceed to inject malicious scripts into different places in the HTML. Some injections will trigger the script, while others will simply display it, the researchers explained. The script’s goal is to display a phishing form that steals sensitive data from the visitors. 

Apparently, the victims have had their full names, email addresses, phone numbers, employment history, education, and other relevant information, all taken. Plenty of information for a targeted spear-phishing attack, or even identity theft. Most victims are located in the APAC part of the world, in countries such as Australia, Taiwan, China, Thailand, India, and Vietnam.

AI helps the world's biggest tech firms smash $10 trillion market capitalization ceiling — Nvidia replaces Facebook as the new kid on the block while Microsoft displaces Apple at the helm

After stealing the data, ResumeLooters tried to sell it on the dark web, Group-IB added. They offered it in two Telegram channels, using accounts with Chinese names. Even the tools they used were in Chinese, prompting the researchers to conclude that ResumeLooters are most likely from China.

They don’t seem to be state-sponsored, however, as the goal of the campaign was material.

“In less than two months, we have identified yet another threat actor conducting SQL injection attacks against companies in the Asia-Pacific region,” said Nikita Rostovcev, Senior Analyst at the Advanced Persistent Threat Research Team, Group-IB. 

“It is striking to see how some of the oldest yet remarkably effective SQL attacks remain prevalent in the region. However, the tenacity of the ResumeLooters group stands out as they experiment with diverse methods of exploiting vulnerabilities, including XSS attacks. Additionally, the gang’s attacks cover a vast geographical area.”

READ ALSO  Could this be the lightest Core Ultra i7 laptop right now? Dynabook R9 weighs 1Kg and even comes with a LAN port — shame it is only on sale in Japan

More from TechRadar Pro


Pls share this post
Previous articleLankford claps back at Musk over border bill, says he should focus on recalled Teslas
Next articleTaylor Swift quietly downsizes to one private jet