Summary:
A group known as ‘Resume Looters’ has conducted SQL injection attacks on 65 legitimate job listing and retail websites, compromising the personal data of over two million job seekers, mainly in the APAC region, The group targeted sites in Australia, Taiwan, China, Thailand, India, and Vietnam to steal names, email addresses, phone numbers, employment history, education and other information .

To carry out these attacks, the threat group used tools like SQL map, Acunetix, Beef Framework, Metasploit, and others to exploit vulnerabilities within the targeted websites’ infrastructure. By leveraging these tools, the attackers were able to infiltrate the websites’ defenses and gain unauthorized access to their databases. Once inside, the attackers injected malicious scripts directly into the HTML code of the compromised websites. These scripts were strategically placed to execute upon visitor interaction, thereby enabling the harvesting of sensitive information through phishing forms. Additionally, the hackers employed advanced tactics such as creating fake employer profiles and posting fraudulent CV documents containing XSS scripts to further propagate attacks.

Security Officer Comments:
Despite the clandestine nature of their operations, the attackers made a critical OPSEC error allowing security researchers from Group IB to infiltrate the database hosting the stolen data. This breach provided the valuable insights into the attackers’ modus operandi and revealed that they had managed to establish administrator-level access on some of the compromised websites.

Suggested Corrections:

SQL Injection Prevention

• Use Parameterized Statements or Prepared Statements: Instead of concatenating user input directly into SQL queries, use parameterized statements or prepared statements provided by your programming language or framework. This helps to separate user input from SQL code.
• Input Validation: Validate and sanitize user inputs on both the client and server sides. Ensure that inputs adhere to expected formats and length constraints.
• Web Application Firewalls (WAF): Implement a WAF that can detect and block SQL injection attempts. WAFs can provide an additional layer of defense against various web application attacks.

Cross-Site Scripting (XSS) Prevention

• Input Validation and Sanitization:
  Validate and sanitize user input on both the client and server sides. Input validation ensures that user input adheres to expected formats, while sanitization helps to neutralize potentially harmful content.
• Escape User-Generated Content:
  Before rendering user-generated content, escape special characters to ensure that they are treated as literal text and not interpreted as code.

IOCs:
https://www.group-ib.com/blog/resumelooters/

Link(s):
https://www.bleepingcomputer.com/ne...ta-of-2-million-in-sql-injection-xss-attacks/

https://www.group-ib.com/blog/resumelooters/