
In July 2024, cybersecurity provider KnowBe4 noticed suspicious activity from a new employee who had begun handling and transferring potentially malicious files and attempting to run unauthorized programs. He turned out to be a North Korean worker who had tricked the company’s HR team into giving him a remote job. Before being hired he had passed four video interviews and a background check. ESET, the leader in proactive threat detection, warns that no organization is immune to the risk of unwittingly employing a saboteur like the one in this case.
“Identity-based threats are not limited to password theft or account takeover, but extend to people joining the workforce. As AI gets better at falsifying reality, it is becoming more and more important to improve your hiring processes,” warns Camilo Gutierrez Amaya, head of the ESET Research Laboratory in Latin America.
How many companies have been scammed by AI employees
This threat has existed since at least April 2017, according to an FBI alert. According to Microsoft, the US government has already found that more than 300 companies, some of them on the Fortune 500 list, fell victim to this type of attack between 2020 and 2022. In June, Microsoft was forced to suspend 3,000 Outlook and Hotmail accounts created by North Korean job seekers.
The ESET research team notes that the focus has recently shifted to Europe, including France, Poland and Ukraine. For its part, Google warned that British companies were also in the spotlight.
How employees are deceived
This type of deception is possible because the fraudsters create or steal identities that match the target organization’s location, and then open email accounts, social media profiles, and fake accounts on developer platforms such as GitHub to add legitimacy.
During the recruitment process, they may use fake photos and videos, or face-swapping and voice-changing software, to hide their identity or create synthetic identities.
According to ESET researchers, the WageMole group is linked to another North Korean campaign that ESET tracks as DeceptiveDevelopment. That campaign focuses on tricking Western developers into applying for jobs that do not exist: the scammers ask their victims to complete a coding challenge or pre-interview task, but the project they are asked to download actually contains trojanized code. WageMole then steals these developers’ identities for use in its fake-worker schemes.
The key to the fraud lies in facilitators abroad, who:
- create accounts on freelance sites
- open bank accounts, or lend the North Korean worker their own account
- purchase mobile phone numbers or SIM cards
- vouch for the worker’s fraudulent identity during employment verification, including background check services
Once the fake worker is hired, these facilitators receive the company’s laptop or mobile phone and set it up at a laptop farm located in the hiring company’s country. The North Korean IT worker then uses VPNs, proxy services, remote monitoring and management (RMM) software, and/or virtual private servers (VPS) to hide his true location.
“The impact on deceived organizations can be enormous. Not only are they paying wages to workers from a heavily sanctioned country, but those same employees often have privileged access to critical systems: an open invitation to the theft of confidential data, or even a ransom demand against the company,” highlights an ESET researcher.
How to avoid falling for this scam
On detection and protection, ESET offers the following advice on how to prevent an organization from becoming a victim:
1- Identifying fake workers during the recruitment process:
Verify the candidate’s digital footprint, including social media and other online accounts, looking for similarities to other people whose identity they may have stolen. Fraudsters may also create multiple fake profiles to apply for jobs under different names.
Watch for discrepancies between online activity and claimed experience: a “senior developer” with no public code repositories, or with only newly created accounts, should set off alarm bells.
Make sure the candidate has a legitimate, unique phone number, and check that the CV contains no contradictions. Verify that the companies listed actually exist. Contact references directly (by phone or video call) and pay special attention to references who present themselves as staff of those companies.
Since many applicants may use fake audio, video, and image files, insist on video interviews and conduct them several times during recruitment.
During interviews, treat any claim that the camera is faulty as a red flag. Ask the candidate to turn off background filters for a better chance of spotting a deepfake (signs can include visual glitches, facial expressions that look stiff and unnatural, and lip movements that do not sync with the audio), and ask questions based on location and culture about where they “live” or “work”, for example about local food or sports.
2- Monitoring employees for suspicious activities:
Pay attention to warning signs such as Chinese phone numbers, the immediate installation of RMM software on a newly delivered computer, and work being done outside normal business hours. If the device authenticates from Chinese or Russian IP addresses, that should be investigated as well.
Monitor employee behavior and system access patterns, such as unusual logins, large file transfers, or changes in working hours. Focus on context, not just alerts: the difference between a mistake and malicious activity can lie in intent.
Use insider threat tools to detect anomalous activity.
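The monitoring advice above can be turned into a small set of correlation rules. The following is an added example, not ESET’s code or any product’s detection logic: it runs four rules over a constructed sample of new-hire telemetry (device enrolment, software installs, logins with source country, file transfers) and scores each user by how many distinct rules fire. The event schema, the HR record format, the RMM watchlist, the thresholds and every sample value are assumptions made for the example; the timestamps are assumed to already be in the user’s declared local time.

```python
"""Added example: scoring new-hire telemetry for fake-worker red flags.
Not ESET code; schema, thresholds and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical HR record: declared work country and local business hours.
HR_RECORDS = {
    "jdoe": {"country": "US", "business_hours": (8, 18)},
    "asmith": {"country": "US", "business_hours": (8, 18)},
}

# Example watchlist of remote-access tools the (hypothetical) org does not sanction.
RMM_WATCHLIST = {"anydesk", "teamviewer", "rustdesk", "splashtop"}
RMM_WINDOW = timedelta(days=7)            # an install this soon after enrolment is suspicious
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024  # assumed threshold for a "large" transfer
OFF_HOURS_MIN_EVENTS = 3                  # one late login is context, three is a pattern

# Constructed sample events (not real data); "detail" carries the rule-relevant field.
EVENTS = [
    {"ts": "2024-07-15T09:00:00", "user": "jdoe", "type": "device_enrolled", "detail": "LT-0421"},
    {"ts": "2024-07-15T09:40:00", "user": "jdoe", "type": "software_install", "detail": "AnyDesk"},
    {"ts": "2024-07-16T02:10:00", "user": "jdoe", "type": "login", "detail": "CN"},
    {"ts": "2024-07-17T03:05:00", "user": "jdoe", "type": "login", "detail": "RU"},
    {"ts": "2024-07-18T01:30:00", "user": "jdoe", "type": "login", "detail": "US"},
    {"ts": "2024-07-18T01:45:00", "user": "jdoe", "type": "file_transfer", "detail": "734003200"},
    {"ts": "2024-07-15T09:00:00", "user": "asmith", "type": "device_enrolled", "detail": "LT-0422"},
    {"ts": "2024-07-15T10:00:00", "user": "asmith", "type": "software_install", "detail": "VS Code"},
    {"ts": "2024-07-16T09:05:00", "user": "asmith", "type": "login", "detail": "US"},
    {"ts": "2024-07-16T21:30:00", "user": "asmith", "type": "login", "detail": "US"},
]


def parse(events):
    """Group events by user with parsed timestamps, sorted by time."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(dict(e, ts=datetime.fromisoformat(e["ts"])))
    for recs in by_user.values():
        recs.sort(key=lambda r: r["ts"])
    return by_user


def analyze_user(user, recs, hr):
    """Return a list of (rule, detail) findings for one user; an empty list means no rule matched."""
    findings = []
    enrolled = next((r["ts"] for r in recs if r["type"] == "device_enrolled"), None)
    lo, hi = hr["business_hours"]
    off_hours = 0
    for r in recs:
        if r["type"] == "software_install" and r["detail"].lower() in RMM_WATCHLIST:
            # Rule 1: watchlisted remote-access tool installed shortly after the device arrived.
            if enrolled is not None and r["ts"] - enrolled <= RMM_WINDOW:
                findings.append(("rmm_on_new_device", f"{r['detail']} installed {r['ts'] - enrolled} after enrolment"))
        elif r["type"] == "login":
            # Rule 2: authentication from a country other than the one declared to HR.
            if r["detail"] != hr["country"]:
                findings.append(("login_country_mismatch", f"login from {r['detail']}, declared {hr['country']}"))
            # Rule 3 (counted, reported below): logins outside declared business hours.
            if not (lo <= r["ts"].hour < hi):
                off_hours += 1
        elif r["type"] == "file_transfer" and int(r["detail"]) >= LARGE_TRANSFER_BYTES:
            # Rule 4: unusually large outbound transfer.
            findings.append(("large_transfer", f"{int(r['detail']) // (1024 * 1024)} MiB moved"))
    if off_hours >= OFF_HOURS_MIN_EVENTS:
        findings.append(("off_hours_pattern", f"{off_hours} logins outside {lo:02d}:00-{hi:02d}:00"))
    return findings


def analyze(events, hr_records):
    """Run the rules for every user that has an HR record; returns {user: [findings]}."""
    return {u: analyze_user(u, recs, hr_records[u]) for u, recs in parse(events).items() if u in hr_records}


def risk_score(findings):
    """Crude score: number of distinct rules hit. Two or more warrants a human review, not an automatic action."""
    return len({rule for rule, _ in findings})


if __name__ == "__main__":
    for user, findings in analyze(EVENTS, HR_RECORDS).items():
        print(f"{user}: score={risk_score(findings)}")
        for rule, detail in findings:
            print(f"  [{rule}] {detail}")
```

The score counts distinct rules rather than raw events so that a single noisy signal (one late-night login, one big file) does not outweigh the convergence of several independent ones; in the sample, jdoe trips all four rules while asmith, whose only anomaly is one evening login, trips none. That is the “context, not just alerts” point from the advice above: the output is a prioritised review queue for the security, HR and legal group, not an automatic verdict.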
3- Containing the threat:
If you believe you have identified a fake worker in the organization, act carefully at first so as not to tip them off.
Restrict their access to sensitive resources and review their network activity, limiting the investigation to a small group of trusted people from the IT security, human resources, and legal departments.
Preserve the evidence and report the incident to law enforcement, while seeking the company’s legal advice.
“In addition, it’s a good idea to update your cybersecurity training programs. Make sure all employees, especially IT recruiters and HR staff, understand the red flags to watch out for in the future. Threat actors’ tactics, techniques, and procedures (TTPs) are constantly evolving, so this advice will also need to change periodically. The best ways to prevent fake candidates from becoming malicious informants combine human knowledge with technical controls. Make sure you cover all bases,” suggests Gutierrez Amaya of ESET.