In July 2024, cybersecurity provider KnowBe4 announced that New employee begins manipulating and transferring potentially harmful filesattempted to run unauthorized software. Next, He turned out to be a North Korean worker who tricked the company’s human resources team into getting him a remote job.. In total, I managed to pass 4 interviews. Not just video conferencing background check And before hiring. ESET, a leading proactive threat detection company, warns that no organization is immune to the risk of inadvertently hiring saboteurs like this one.
“Identity-based threats are not limited to password theft and account takeover, but also extend to people joining society.As AI improves its ability to disguise reality; It’s time to improve your recruitment process” warns Camilo Gutiérrez Amaya, director of ESET’s Latin American Institute.
How many companies have been fooled by AI employees?
The threat has been around since at least April 2017, according to FBI search alerts. According to Microsoft, the US government has already discovered Over 300 companies Some companies on the Fortune 500 list were victims of this type of attack between 2020 and 2022. In June, the company was forced to suspend 3,000 Outlook and Hotmail accounts created by North Korean job seekers..
The ESET research team notes that the focus has recently shifted to Europe, including France, Poland and Ukraine. Meanwhile, Google has warned that British companies are also being watched.
How do you deceive a fraudulent employee?
Because this kind of deception is possible, Scammers create or steal identities that match position of the target organization Open fake accounts on email accounts, social media profiles, and developer platforms like GitHub to add legitimacy.
During the recruitment process, we may use deepfake images and videos, as well as face-swapping and voice-altering software, to disguise your identity or create a synthetic identity.
ESET researchers say the WageMole group is linked to another North Korean campaign they track as DeceptiveDevelopment. This focuses on Trick Western developers into applying for jobs that don’t exist. Scammers ask victims to participate in coding challenges or pre-interview tasks. However, the project you downloaded to participate actually contains Trojanized code. WageMole steals the identities of these developers for use in fake worker schemes.
The key to the fraud is the foreign intermediary.
- Create an account on a freelance website
- Open a bank account or lend your account to a North Korean worker
- Purchase a mobile phone number or SIM card
- Use background check services to verify fraudulent worker identities during employment verification
Once the fake workers are hired, these individuals receive a company notebook or cell phone and install it on a laptop farm located in the contracting company’s country. North Korean IT employees then use VPNs, proxy services, remote monitoring and management (RMM), and/or virtual private servers (VPS) to hide their true location.
“The consequences for defrauded organizations can be significant. Not only are they unwittingly paying workers in heavily sanctioned countries, but these same employees often gain privileged access to critical systems. An open invitation to steal data Confidential or even demand a ransom ” emphasizes ESET researchers.
How can I avoid falling into this deception?
From a detection and protection perspective, ESET warns how organizations can prevent themselves from becoming victims.
1- Identify fake employees during the recruitment process.
Check the candidate’s digital profilelook for similarities with others who may have stolen your identity, including social media and other online accounts. You can also create several fake profiles and apply for jobs under different names.
Please note. Differences between online activities and experiences It states: “Senior developers” with generic code repositories or newly created accounts should be alarmed.
Please make sure you have A legitimate and unique phone number; and make sure yours There are no contradictions in your resume. Please check if the company mentioned actually exists. Contact your references directly (phone/video call) and be especially careful with staffing agency employees.
Many applicants may be using altered audio, video, or images; Request video interviews and conduct them multiple times Currently hiring.
Consider the claim that the camera is malfunctioning during the interview an important red flag. Ask candidates to turn off background filters More likely to identify deepfakes (signals can include visual glitches, facial expressions that look stiff and unnatural, and lip movements out of sync with the audio) Questions based on location and culture For example, about where you “live” or “work”, such as local food or sports.
2- Monitor employees for potentially suspicious activity.
Be aware of warning signs such as: China phone number, RMM software instant download If you work on a newly delivered computer outside of normal business hours. If your device is authenticating from a Chinese or Russian IP address, this should also be investigated.
monitor employee behavior; system access patterns, Unusual logins, large file transfers, changes to work hours, etc. Focus on context, not just alerts: The difference between a bug and malicious activity can be the intent.
Detect unusual activity using insider threat tools.
3- Contain the threat:
If you believe you have identified a fake employee within your organization, be cautious and avoid raising any alarms at first.
Limit access to sensitive resources, review network activity, and limit this project to a small group of trusted people in computer security, human resources, and legal departments.
preserve the evidence Report the incident to law enforcement and seek legal advice for the company.
“Additionally, we recommend updating your cybersecurity training programs and making sure all employees, especially IT recruiters and HR staff, understand some of the red flags to look out for going forward: Threat Actor Tactics, Techniques, and Procedures (TTPs) is constantly evolving, so this advice should also be changed regularly. ESET.
About The Author
