The Register

You have a fake North Korean IT worker problem – here’s how to stop it

By now, the North Korean fake IT worker problem is so ubiquitous that if you think you don’t have any phony resumes or imposters in your interview queue, you’re asleep at the wheel.

“Almost every CISO of a Fortune 500 company that I’ve spoken to — I’ll just characterize as dozens that I’ve spoken to — has admitted that they had a North Korean IT worker problem,” said Mandiant Consulting CTO Charles Carmakal during a threat-intel roundtable, admitting that even Mandiant’s parent company Google is not immune.

“We have seen this in our own pipelines,” added Iain Mulholland, Google Cloud’s senior director of security engineering.

“We’ve certainly seen applicants that fit into this category with various IOCs [indicators of compromise] that we’ve shared with partners and peers,” Snowflake CISO Brad Jones told The Register.

These types of scams, largely originating from North Korea, or at least funneling money back to Pyongyang, have cost American businesses at least $88 million over six years, the Department of Justice said last year. 

In some cases, the fraudsters use their insider access to steal proprietary source code and other sensitive data, and then extort their employers with threats to leak corporate data if not paid a ransom demand.

As US-based companies become more aware of the fake IT worker problem, the job seekers are increasingly targeting European employers, too.

Nearly all executives who spoke to The Register in recent months have seen a flood of these types of applicants applying for open positions, most of them in engineering and software development, and all of them remote work.

In some instances, the scammers even used deepfake videos in attempts to get hired, including at a security company that uses AI to find vulnerabilities in code. “If they almost fooled me, a cybersecurity expert, they definitely fooled some people,” Vidoc Security Lab co-founder Dawid Moczadło told us in an earlier interview.

“We believe, at this point, every Fortune 100 and potentially Fortune 500 have a pretty high number of risky employees on their books,” Socure Chief Growth Officer Rivka Little told us.

Using a fake identity…to apply for an identity job

Over the past few months, Socure has seen a ton of fake candidates applying for open jobs, according to Little, who has been leading the charge on the IT worker scam front. This seems an especially ironic choice for employment scammers, because Socure provides identity verification services to other companies.

For a senior engineering role, Socure used to receive between 150 and 200 applications over three or four months. That number has recently jumped to more than 1,999 purported job seekers in a two-month period. At least some of those extra applicants have weirdly suspicious profiles.

“We were in our executive meeting one Monday morning, and our chief people officer said, ‘We’re getting these super-strange resumes. They don’t seem to be connected to people who are valid. This feels like a fake identity,'” Little said. “There were just too many disconnects.”

Chief among these disconnects were “shallow” LinkedIn profiles paired with “beefy resumes,” she explained, citing job-seeker claims of working at Meta, attending Ivy League schools, developing major tech companies’ flagship products … but then only having 25 LinkedIn connections.

Once the recruitment team began meeting via video conferences with some of the applicants, they noted extremely Western-sounding names, like James Anderson, paired with East Asian appearances and accented English, in much higher numbers than they expected.


“You can’t profile people, so with the first few we were like, that’s interesting. But then when it was 10, 20, 30 — this is implausible at that rate and number, demographically,” Little said. “We decided to follow through on a couple of candidates to really suss out what is going on here, and also to allow us to capture consent, because you can’t really dig into someone’s identity background unless you have consent to do so.”

In all of these cases, Little’s team noted a number of oddities: new-ish email addresses, phone numbers that didn’t match claimed geographic locations, routing everything through a VPN, and educational backgrounds that didn’t check out.

Little said she fed a handful of job applicant questions into ChatGPT and saved the chatbot’s responses for reference during the interview.

“If his answers are anywhere close to these, then we’ll also know there’s a problem, and that’s exactly what happened,” she said. “It was insane.”

The fraudster’s answers weren’t word-for-word ChatGPT, Little noted. “These people are smart, they’re not unskilled, they’re sophisticated,” she said. “But what he said versus what came from ChatGPT was clearly related.”

Making it even more confusing, Little genuinely liked the candidate. “He was affable, a nice guy,” she said. “He was making jokes. There was nothing about him that would make me not want to work with him.”

Spotting the patterns

Little has an interesting background in that she previously led an anti-fraud program at a bank, and also the human resources department at Socure. But, as she notes, few HR or hiring managers are also trained in cybersecurity and identity management — their job is to assess talent, not identify potential security risks. 

“It’s not uncommon that an HR leader wouldn’t be exposed to a CTO or a CISO or a head of fraud, and so they may be experiencing this pattern and not necessarily knowing what to do with it,” Little said. “We’re a pretty small company, and so every single function in our world is together all the time. But if you’re at Pepsi, is that happening? Probably not.”

Therein lies another part of the problem, according to Netskope CISO James Robinson, who told The Register his cloud security firm has also received fraudulent worker applications. “I think every CISO is struggling with: Is it a CISO problem? Or is it an organizational and, really, earlier on, an HR problem? And how to do that partnership with HR?”

“Security people are very aware of how to do investigations,” Robinson continued. “But we’re not necessarily aware of what you can and can’t ask during an interview.”

Once Netskope began receiving resumes that seemed to use stolen or fake identities with an extra-AI polish boost, Robinson set up a briefing with the local FBI and included not only security but also HR and legal in the meeting. “And we started working on a plan that we can use during the screening phase,” he said.

The team also shared this plan with outside recruitment agencies to help them verify that an applicant was who they purported to be. 

“The recruiters started to identify profiles that were being created off of someone else’s profile — the company is different, but the name is similar to someone else’s name, the job experience is the same,” Robinson said.

As a company that provides services for remote workers, Netskope also wants to support its own remote workforce, which presents its own set of struggles when trying to verify employees.

“We require people to come to the office to pick up their computer,” Robinson said as an example. The firm’s hiring team also reached out to their peers to discuss best practices to avoid becoming a North Korean IT worker scam victim. This included requiring in-person onboarding, double- and even triple-checking addresses before shipping work computers, and only shipping them to registered home addresses. 

“Also, funny enough, it’s not just catching something that is happening late-stage, but also catching something that is causing the applicant to just pass on the job,” he added. “The fraudulent applicants will usually say, ‘I can’t do that.’ They just pass.”

This was Socure’s experience, too. After stringing one suspected scammer along throughout the interview process, Little told the fake IT worker, “‘We’re going to do a document verification with you. So the next time we meet, please be ready, it’s very simple, we’ll send you a bar code, and you can do it from your device.’ He never showed up.”

And, yes, AI can help — not only the bad guys, but also the organizations doing the hiring, according to Jones.

“The Snowflake security team partners with peer organizations, security threat intelligence vendors, and government agencies to curate an aggregated IOC data set that is integrated into the resourcing tools used by our recruiting tools,” he said. 

These IOCs, or indicators of compromise, include email addresses, physical addresses, and phone numbers that have been flagged as associated with non-legitimate candidates. 
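As an added illustration (not Socure’s, Snowflake’s or Netskope’s tooling), the shared IOC lookup described here, plus the oddities Little’s team listed earlier (new-ish mailboxes, phone numbers that don’t match the claimed location, beefy resumes on shallow LinkedIn profiles), can be scored in a single screening pass; the IOC set, field names, thresholds and sample applicants below are all constructed assumptions:

```python
import re
from dataclasses import dataclass
# Constructed stand-in for the aggregated IOC feed the article describes (emails,
# phone numbers and physical addresses flagged as tied to bogus candidates).
FLAGGED_EMAILS = {"james.anderson.dev@example.com"}
FLAGGED_PHONES = {"+12025550147"}
FLAGGED_ADDRESSES = {"123 example st, springfield"}
# Assumptions: applicants state a residence country; thresholds are illustrative.
PHONE_COUNTRY = {"+1": "US", "+44": "GB", "+49": "DE"}
MIN_CONNECTIONS = 50   # below this, a LinkedIn profile counts as "shallow"
MIN_EMAIL_AGE = 90     # days; below this, a mailbox counts as "new-ish"
@dataclass
class Applicant:
    email: str
    phone: str
    address: str
    claimed_country: str
    linkedin_connections: int
    resume_employers: list   # notable employers claimed on the resume
    email_age_days: int      # assumed to come from an identity-verification provider

def normalize_phone(phone: str) -> str:
    # Strip formatting so "+1 (202) 555-0147" compares as "+12025550147"
    return "+" + re.sub(r"\D", "", phone)

def screen(app: Applicant) -> list:
    # Returns the red flags raised for one applicant; an empty list means none
    flags = []
    if app.email.lower() in FLAGGED_EMAILS:
        flags.append("email in shared IOC set")
    phone = normalize_phone(app.phone)
    if phone in FLAGGED_PHONES:
        flags.append("phone in shared IOC set")
    if app.address.lower().strip() in FLAGGED_ADDRESSES:
        flags.append("address in shared IOC set")
    # Country of the phone number versus the location the applicant claims
    code = max((c for c in PHONE_COUNTRY if phone.startswith(c)), key=len, default=None)
    if code and PHONE_COUNTRY[code] != app.claimed_country:
        flags.append(f"phone country {PHONE_COUNTRY[code]} != claimed {app.claimed_country}")
    # "Beefy resume" paired with a "shallow" LinkedIn profile
    if len(app.resume_employers) >= 3 and app.linkedin_connections < MIN_CONNECTIONS:
        flags.append("beefy resume vs shallow LinkedIn profile")
    if app.email_age_days < MIN_EMAIL_AGE:
        flags.append("newly created email address")
    return flags

# Constructed sample applicants (reserved example numbers and addresses)
SUSPICIOUS = Applicant("James.Anderson.dev@example.com", "+1 (202) 555-0147",
                       "123 Example St, Springfield ", "GB", 25, ["Meta", "Google", "Amazon"], 30)
CLEAN = Applicant("alice@example.org", "+44 20 7946 0958", "1 High St, Leeds", "GB", 400, ["Acme Ltd"], 2000)
```

In practice the IOC sets would be loaded from the shared feed and the applicant fields pulled from the applicant-tracking system; the flags feed the interviewers rather than auto-rejecting anyone.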

It’s also important to train what Jones calls the “human firewall,” the people reviewing and interviewing candidates, to look for warning signs, too.

“Initially, this could include a resume that looks too good to be true, like having experience in every technology or hot product on the market,” Jones explained. “During screening, there are other indicators, such as large delays when answering questions — such as someone or something doing translation and research — confusing products or technologies, as well as environmental signs such as being in a call center.”

The final step is always an in-person interview. “Any excuses for why they would not be able to facilitate this are another red flag,” he said. “Given our collaboration with peers, third-parties, and government agencies, we believe no nefarious candidates have progressed beyond our first interaction with our human firewall.”

However, criminals are a wily, adaptive bunch. Once one gang notices a certain technique or tactic is successfully raking in money for a rival gang (think: ransomware), they are likely to adopt a similar illicit business strategy.

“Yes, it’s connected to North Korea, but is it going to stay that way? Definitely not,” Little said. “It will come from all kinds of bad actors. Any organized crime ring will figure out that this is a way in, and will start to hit it.” ®
