How to detect fake job applicants: corporate espionage with malicious informants

ESET warns that no organization is immune to the risk of inadvertently hiring a saboteur. The best methods to prevent fake candidates from becoming malicious informants combine human expertise and technical controls.

In July 2024, cybersecurity provider KnowBe4 began observing suspicious activity related to a new employee who started manipulating and transferring potentially harmful files and attempted to run unauthorized software. It was later discovered that he was a North Korean worker who had deceived the company’s human resources team to obtain a remote job. In total, he managed to pass four video conference interviews, as well as a pre-employment background check.

ESET, a leading company in proactive threat detection, analyzes and delves into this scam and warns that no organization is immune to the risk of inadvertently hiring a saboteur.

“Identity-based threats are not limited to password theft or account takeover, but extend to new hires. As AI becomes more adept at falsifying reality, it becomes essential to refine and optimize hiring processes,” warns Camilo Gutiérrez Amaya, Head of the ESET Latin America Research Lab.

This type of threat has been active since at least April 2017, according to an FBI alert, and is tracked as WageMole by ESET Research. According to Microsoft, the US government has discovered more than 300 companies—some of them Fortune 500—that fell victim to these attacks between 2020 and 2022. In June, the tech giant was forced to suspend 3,000 Outlook and Hotmail accounts created by North Korean job applicants.

Furthermore, a US indictment accuses two North Koreans and three “facilitators” of obtaining more than $860,000 from 10 of the more than 60 companies where they worked. ESET’s research team warns that the focus has recently shifted to Europe, including France, Poland, and Ukraine. Google, for its part, has warned that British companies are also being targeted.

Identity theft scams

These scams are possible because fraudsters create or steal identities that match the location of the target organization and then open email accounts, social media profiles, and fake accounts on developer platforms like GitHub to add legitimacy. During the hiring process, they may use deepfake images and videos, or face-swapping and voice-changing software, to disguise their identity or create synthetic ones.

According to ESET researchers, the WageMole group is linked to another North Korean campaign they track as DeceptiveDevelopment. This campaign focuses on tricking Western developers into applying for nonexistent jobs. The scammers ask their victims to participate in a coding challenge or a pre-interview task. But the project they download to participate actually contains Trojanized code. WageMole steals these developer identities to use in their fake employee schemes.

The key to the scam lies with the foreign facilitators, who take care of:

  • Creating accounts on freelance websites
  • Opening bank accounts, or lending the North Korean worker their own
  • Purchasing mobile phone numbers or SIM cards
  • Validating the worker’s fraudulent identity during the employment verification process, using background check services.

Once the fake worker is hired, these facilitators receive the company laptop and set it up in a laptop farm located in the hiring company’s country. The North Korean IT worker then uses VPNs, proxy services, remote monitoring and management (RMM) tools, and/or virtual private servers (VPS) to conceal their true location.

“The impact on deceived organizations could be enormous. Not only are they unwittingly paying workers from a heavily sanctioned country, but these same employees often gain privileged access to critical systems. It’s an open invitation to steal confidential data or even demand a ransom from the company,” emphasizes the ESET researcher.

In terms of detection and protection, ESET explains how to prevent an organization from becoming a victim:

  1. Identify fake employees during the hiring process:
  • Check the candidate’s digital profile, including social media and other online accounts, for similarities with other people whose identities they may have stolen. They may also create multiple fake profiles to apply for jobs under different names.
  • Pay attention to discrepancies between online activity and declared experience: a “senior developer” with generic code repositories or recently created accounts should raise red flags.
  • Ensure they have a legitimate and unique phone number, and check that their resume is consistent. Verify that the companies mentioned actually exist. Contact references directly (phone/video call) and pay close attention to employees of staffing agencies.

Since many applicants may use fabricated audio, video, and images, insist on video interviews and conduct them multiple times during the hiring process.

During interviews, consider any claim that the camera is malfunctioning a major red flag. Ask the candidate to turn off background filters to increase the chances of identifying deepfakes (signs might include visual glitches, facial expressions that appear stiff and unnatural, and lip movements that are not synchronized with the audio). Ask questions based on the location and culture of where they “live” or “work,” for example, about local food or sports.

  2. Monitor employees for potentially suspicious activity:
  • Be on the lookout for red flags such as Chinese phone numbers, the immediate download of RMM software on a newly issued laptop, and work performed outside of normal office hours. If the laptop authenticates from Chinese or Russian IP addresses, this should also be investigated.
  • Monitor employee behavior and system access patterns, such as unusual logins, large file transfers, or changes in work schedules. Focus on the context, not just the alerts: the difference between a mistake and malicious activity can lie in the intent.
  • Use insider threat detection tools to identify anomalous activity.
  3. Contain the threat:
  • If a North Korean worker is believed to have been identified within the organization, proceed cautiously at first to avoid alerting them.
  • Restrict their access to sensitive resources and review their network activity, limiting this task to a small group of trusted individuals from the IT security, human resources, and legal departments.

Preserve evidence and report the incident to law enforcement, while also seeking legal counsel for the company. “Furthermore, it’s a good idea to update cybersecurity training programs. And ensure that all employees, especially IT recruiters and HR staff, understand some of the warning signs to watch out for in the future. Threat actors’ tactics, techniques, and procedures (TTPs) are constantly evolving, so this advice will also need to be updated periodically. The best methods for preventing fake candidates from becoming malicious informants combine human expertise and technical controls. Make sure you cover all the bases,” suggests Gutiérrez Amaya of ESET.
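The monitoring red flags listed above (authentication from countries to investigate, RMM software appearing right after a laptop is issued, work performed mostly outside office hours, large file transfers) can be turned into a first-pass triage over a new hire's telemetry, which is what security operations teams would actually run. The script below is an added example and is not ESET's code or tooling; the pipe-delimited log format, the RMM process names, the office-hours window, the transfer-size threshold, the laptop issuance date and the sample events are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time

# Thresholds and lists below are assumptions for this example, not ESET's values.
REVIEW_COUNTRIES = {"CN", "RU"}               # login source countries the page says to investigate
RMM_PROCESSES = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}  # assumed RMM process names
RMM_WINDOW = timedelta(days=3)                # RMM seen this soon after issuance counts as "immediate"
OFFICE_HOURS = (time(8, 0), time(19, 0))      # assumed local business hours
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024      # assumed threshold: 500 MiB
LAPTOP_ISSUED = datetime(2025, 3, 3)          # constructed issuance date of the new hire's laptop

# Constructed sample telemetry: timestamp|user|event|detail|geo-IP country (empty if not applicable)
SAMPLE_LOG = """\
# event kinds: login (detail=source IP), process_start (detail=process), file_transfer (detail=bytes)
2025-03-03T09:12:00|jdoe|login|203.0.113.7|US
2025-03-03T09:40:00|jdoe|process_start|code.exe|
2025-03-04T10:05:00|jdoe|login|203.0.113.7|US
2025-03-04T11:00:00|jdoe|file_transfer|52428800|
2025-03-03T23:45:00|newhire1|login|198.51.100.20|US
2025-03-04T00:10:00|newhire1|process_start|anydesk.exe|
2025-03-04T02:30:00|newhire1|login|203.0.113.55|CN
2025-03-04T03:15:00|newhire1|file_transfer|734003200|
2025-03-05T10:00:00|newhire1|login|198.51.100.20|US
"""


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str      # login | process_start | file_transfer
    detail: str    # source IP, process name, or byte count
    country: str   # geo-IP country of the source, "" when not applicable


def parse_events(lines):
    """Parse the constructed pipe-delimited format, skipping blanks and '#' comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, kind, detail, country = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, kind, detail, country))
    return events


def assess_new_hire(events, user, laptop_issued):
    """Return (score, findings) for one user; score is the number of red flags hit."""
    mine = sorted((e for e in events if e.user == user), key=lambda e: e.ts)
    findings = []
    logins = [e for e in mine if e.kind == "login"]

    # Red flag: authentication from a country the page says to investigate
    for e in logins:
        if e.country in REVIEW_COUNTRIES:
            findings.append(f"login from {e.country} ({e.detail}) at {e.ts:%Y-%m-%d %H:%M}")

    # Red flag: RMM tooling started shortly after the laptop was issued
    for e in mine:
        if (e.kind == "process_start" and e.detail.lower() in RMM_PROCESSES
                and e.ts - laptop_issued <= RMM_WINDOW):
            findings.append(f"RMM tool {e.detail} started {e.ts - laptop_issued} after laptop issuance")

    # Red flag: most logins happen outside normal office hours
    off_hours = [e for e in logins if not (OFFICE_HOURS[0] <= e.ts.time() <= OFFICE_HOURS[1])]
    if logins and len(off_hours) / len(logins) > 0.5:
        findings.append(f"{len(off_hours)} of {len(logins)} logins outside office hours")

    # Red flag: large file transfer
    for e in mine:
        if e.kind == "file_transfer" and int(e.detail) >= LARGE_TRANSFER_BYTES:
            mib = int(e.detail) // (1024 * 1024)
            findings.append(f"large transfer of {mib} MiB at {e.ts:%Y-%m-%d %H:%M}")

    return len(findings), findings


def run_sample():
    """Assess every user in the constructed sample; returns {user: (score, findings)}."""
    events = parse_events(SAMPLE_LOG.splitlines())
    return {u: assess_new_hire(events, u, LAPTOP_ISSUED) for u in sorted({e.user for e in events})}


if __name__ == "__main__":
    for user, (score, findings) in run_sample().items():
        print(f"{user}: score {score}")
        for f in findings:
            print(f"  - {f}")
```

In the sample, `jdoe` scores 0 while `newhire1` hits all four flags. The score is only a prioritisation aid for the human review the article calls for: as the text notes, the difference between a mistake and malicious activity lies in the context and intent, which no threshold captures by itself.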

ESET invites you to learn more about cybersecurity by visiting: https://www.welivesecurity.com/es/.

For other useful preventative information, also available in Venezuela: https://www.eset.com/ve/, and on their social media channels @eset_ve. Also on Instagram (@esetla) and Facebook (ESET).

With information and reference image provided by ESET and Comstat Rowland
