A cybersecurity firm called Group-IB has recently uncovered a significant cyber attack campaign targeting employment agencies and retail firms in the Asia-Pacific (APAC) region. This campaign, known as “ResumeLooters,” aims to steal confidential user information by exploiting vulnerabilities in the job-seeking process [6].


Between November and December 2023 [2] [6], the attackers successfully compromised at least 65 websites. Over 70% of the known victims are located in the APAC region, with a particular focus on India, Taiwan [1] [3] [4] [5] [7], Thailand [1] [3] [4] [5] [7], and Vietnam [1] [3] [4] [5] [7]. The attackers, who go by the name “ResumeLooters,” primarily employ SQL injection (SQLi) attacks and cross-site scripting (XSS) techniques to compromise the websites. Their main target is user databases, where they steal sensitive data such as names, phone numbers [1] [3] [5] [6] [7], emails [1] [2] [3] [4] [5] [6] [7], and employment history [1] [5] [6]. In total, they have managed to steal over two million unique email addresses.

The stolen data is then sold in Chinese-speaking hacking-themed Telegram groups [7]. To gain access to the compromised sites, the attackers utilize various pen-testing tools, including sqlmap [1] [2] [6] [7], Acunetix [1] [2] [3] [5] [6] [7], and Metasploit [2] [3] [5], to scan the web for vulnerabilities and exploit them [5]. Once inside, they inject malicious scripts that display phishing forms to steal additional data from visitors [5].

The victims of this campaign are primarily located in the APAC region, including countries like Australia [5], Taiwan [1] [3] [4] [5] [7], China [3] [4] [5], Thailand [1] [3] [4] [5] [7], India [1] [3] [4] [5] [7], and Vietnam [1] [3] [4] [5] [7]. However, compromised websites have also been found in other parts of the world [2], such as Brazil [2], the USA [2], Turkey [2], and Russia [2]. The attackers attempt to sell the stolen data on the dark web using Chinese accounts and tools [5], suggesting they are likely from China [5].


The emergence of ResumeLooters highlights the threat posed by publicly available tools and underscores the need for organizations to implement multi-layered security measures to protect sensitive information. Companies are advised to use parameterized or prepared statements for SQL queries [4], implement comprehensive input validation and sanitization [4], and regularly perform security assessments and code reviews to safeguard against these types of attacks.

Group-IB researchers have identified ResumeLooters as the second group conducting SQLi attacks in the Asia-Pacific region [1]. The report emphasizes the importance of businesses implementing web application firewalls and input validation to defend against SQLi and XSS attacks [1]. It is crucial for organizations to stay vigilant and proactive in their security measures to mitigate the risks posed by cyber attackers.
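The two defensive recommendations in the paragraphs above (parameterized SQL statements with input validation, and output handling against injected scripts) are easier to reason about with a concrete contrast. The following is an added example, not code from Group-IB's report or from any of the affected sites: it builds an in-memory SQLite table of constructed, fictitious job-seeker records, shows a string-concatenated lookup beside its parameterized counterpart, adds an allow-list validator in front of the query, and HTML-escapes a profile field before it is rendered so an injected `<script>` tag is shown as text rather than executed. All table names, field names and sample values are assumptions chosen for the demonstration.

```python
import html
import re
import sqlite3

# Constructed sample rows standing in for a job board's user table (fictitious data).
SAMPLE_USERS = [
    ("alice@example.com", "Alice Example", "555-0100", "Data analyst, 2019-2023"),
    ("bob@example.com", "Bob Example", "555-0101", "Warehouse lead, 2020-2023"),
]


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT, phone TEXT, history TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """The weak pattern: user text is spliced into the SQL grammar itself."""
    query = "SELECT email, name, phone FROM users WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    """The recommended pattern: the driver binds the value; it cannot change the query shape."""
    return conn.execute(
        "SELECT email, name, phone FROM users WHERE email = ?", (email,)
    ).fetchall()


# Allow-list shape check for an e-mail address (deliberately simple; an assumption for the demo).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validate_email(value):
    """Input validation: accept only strings that look like an address."""
    return bool(EMAIL_RE.fullmatch(value))


def lookup_hardened(conn, email):
    """Defence in depth: validate first, then query with a placeholder."""
    if not validate_email(email):
        raise ValueError("rejected: input does not look like an e-mail address")
    return lookup_parameterized(conn, email)


def render_name(name):
    """Output encoding: stored text is escaped before it is placed in HTML."""
    return "<span class=\"name\">" + html.escape(name, quote=True) + "</span>"


def demo():
    """Run both lookups against a legitimate value and a tautology payload; report row counts."""
    conn = make_db()
    legit = "alice@example.com"
    injected = "x' OR '1'='1"          # classic tautology used to illustrate the difference
    try:
        lookup_hardened(conn, injected)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "vulnerable_legit": len(lookup_vulnerable(conn, legit)),          # 1 row
        "vulnerable_injected": len(lookup_vulnerable(conn, injected)),    # every row leaks
        "parameterized_injected": len(lookup_parameterized(conn, injected)),  # 0 rows
        "hardened_rejected": hardened_rejected,                           # True
        "escaped": render_name("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the contrast is that the parameterized query returns zero rows for the tautology input because the whole string is compared as a literal e-mail address, while the concatenated version returns the entire table. The validator is a second layer, not a substitute: it narrows what reaches the database, but the placeholder is what actually removes the injection class. The escaping helper addresses the separate XSS problem the report describes, where a stored field is later rendered to other visitors.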


