Asia Pacific Job Boards Raided by “ResumeLooters” Hacking Group
February 13, 2024
An unusual hacking group that focuses on resumes has been on a spree in the Asia Pacific (APAC) region, compromising at least 65 websites and gathering over half a million of them in total.
Resumes are not the full extent of the group’s interest: it stole over two million user data records and unique email addresses during its run. However, the group seems to have a special interest in job search websites. The stolen data is then offered for sale on Telegram channels.
Resume hacking team uses SQL injection attacks successfully
The group’s primary technique is SQL injection, leading with the open source sqlmap tool; on at least a few of the victim sites it also deployed cross-site scripting (XSS) infections to capture administrator credentials via a phishing site.
It shows the greatest level of interest in APAC countries, with most of the websites it compromised being based in the region: India, Taiwan, Thailand, Vietnam, China, Australia, and Turkey. But it has at times ventured into other parts of the world including the U.S., Brazil, Russia, Mexico, and Italy. The group appears to be based in China given the Chinese-language Telegram channels it has set up to sell the stolen data.
The group is also not thought to be all that sophisticated; rather, it is deploying a collection of common open source tools to exploit a set of common oversights and weaknesses in sites of this type. These attacks are rooted in both web design issues and security lapses in managing databases.
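The two weaknesses named above, shown from the defender's side as an added example that is not from the original article: a job-board search built by string concatenation beside its parameterized form, plus output escaping for a stored resume field. The table layout, function names and sample rows are constructed assumptions.

```python
import html
import sqlite3

def make_db():
    """Build an in-memory job-board table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE resumes (id INTEGER PRIMARY KEY, name TEXT, "
        "email TEXT, title TEXT, public INTEGER)"
    )
    db.executemany(
        "INSERT INTO resumes (name, email, title, public) VALUES (?, ?, ?, ?)",
        [
            ("A. Tan", "a.tan@example.com", "Welder", 1),
            ("B. Rao", "b.rao@example.com", "Nurse", 0),   # not public
            ("C. Lin", "c.lin@example.com", "<script>alert(1)</script>", 0),
        ],
    )
    return db

def search_vulnerable(db, title):
    # Weak: user input is pasted into the SQL text, so a quote character
    # in `title` changes the structure of the query itself.
    sql = ("SELECT name, email FROM resumes "
           "WHERE public = 1 AND title = '%s'" % title)
    return db.execute(sql).fetchall()

def search_parameterized(db, title):
    # Hardened: the driver binds `title` as data; it never becomes SQL.
    sql = "SELECT name, email FROM resumes WHERE public = 1 AND title = ?"
    return db.execute(sql, (title,)).fetchall()

def render_title(title):
    # Stored text is escaped on output, so markup saved in a resume field
    # is shown to an administrator as text instead of running as script.
    return "<td>%s</td>" % html.escape(title)

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # textbook tautology test string
    print("concatenated :", search_vulnerable(db, probe))
    print("parameterized:", search_parameterized(db, probe))
    print("escaped cell :", render_title("<script>alert(1)</script>"))
```

With the concatenated query the test string returns every row, including the two non-public resumes; the parameterized query returns none.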
Resumes are an overlooked target for hackers
It’s not uncommon for people to make their resumes public, so it is not a piece of data that is necessarily thought of as being sensitive information or a target for hackers. A resume with sufficient information can be quite valuable to an attacker, however, and there are a number of possible scenarios in which it can be sold or deployed.
The simplest possibility is that the resume will contain enough personal information to facilitate identity theft. While they don’t generally contain sensitive identification or financial information, they may provide important missing pieces when combined with information already available from other data leaks. Attackers may also use this information to approach family members of the victim with scams. And yet another possibility is that the information in the resume will be used to aid in spearphishing a colleague of the victim rather than the victim themselves, in a bid to gain access to an organization’s network.
Attackers have also been known to weaponize resumes in a more direct way. A seemingly legitimate resume carrying malware attachments or malicious links may be sent to HR workers; the fact that it comes from an expected or familiar party and is packed with legitimate information may cause them to let their guard down.
While resumes are still not generally one of the more valuable pieces of information in the criminal underground, this incident demonstrates that they are worth some money when packaged together in significant quantities.



