Recruitment red flags: Can you spot a spy posing as a job seeker?

Back in July 2024, cybersecurity vendor KnowBe4 began to observe suspicious activity linked to a new hire. The individual began manipulating and transferring potentially harmful files, and tried to execute unauthorized software. He was subsequently found out to be a North Korean worker who had tricked the firm’s HR team into gaining remote employment with the firm. In all, the individual managed to pass four video conference interviews as well as a background and pre-hiring check.

The incident underscores that no organization is immune from the risk of inadvertently hiring a saboteur. Identity-based threats aren’t limited to stolen passwords or account takeovers, but extend to the very people joining your workforce. As AI gets better at faking reality, it’s time to improve your hiring processes.

The scale of the challenge

You might be surprised at just how widespread this threat is. It’s been ongoing since at least April 2017, according to an FBI wanted poster. Tracked as WageMole by ESET Research, the activity overlaps with groups labelled UNC5267 and Jasper Sleet by other researchers. According to Microsoft, the US government has uncovered more than 300 companies, including some in the Fortune 500, that have been victimized in this way between 2020 and 2022 alone, The tech firm was forced in June to suspend 3,000 Outlook and Hotmail accounts created by North Korean jobseekers.

Separately, a US indictment charged two North Koreans and three “facilitators” with making over $860,000 from 10 of 60+ companies they worked at. But it’s not just a US problem. ESET researchers warned that the focus has recently shifted to Europe, including France, Poland and Ukraine. Meanwhile, Google has warned that UK companies are also being targeted.

How do they do it?

Thousands of North Korean workers may have found employment in this way. They create or steal identities matching the location of the targeted organization, and then open email accounts, social media profiles and fake accounts on developer platforms like GitHub to add legitimacy. During the hiring process, they may use deepfake images and video, or face swapping and voice changing software, to disguise their identity or create synthetic ones.

According to ESET researchers, the WageMole group is linked to another North Korean campaign it tracks as DeceptiveDevelopment. This is focused on tricking Western developers into applying for non-existent jobs. The scammers request that their victims participate in a coding challenge or pre-interview task. But the project they download to take part actually contains trojanized code. WageMole steals these developer identities to use in its fake worker schemes.

The key to the scam lies with the foreign facilitators. First, they help to:

• create accounts on freelance job websites
• create bank accounts, or lend the North Korean worker their own
• buy mobile numbers of SIM cards
• validate the worker’s fraudulent identity during employment verification, using background check services

Once the fake worker has been hired, these individuals take delivery of the corporate laptop and set it up in a laptop farm located in the hiring firm’s country. The North Korean IT worker then uses VPNs, proxy services, remote monitoring and management (RMM) and/or virtual private servers (VPS) to hide their true location.

The impact on duped organizations could be massive. Not only are they unwittingly paying workers from a heavily sanctioned country, but these same employees often get privileged access to critical systems. That’s an open invitation to steal sensitive data or even hold the company to ransom.

 

How to spot – and stop – them

Unknowingly funding a pariah state’s nuclear ambitions is almost as bad as it gets in terms of reputational damage, not to mention the financial exposure to breach risk that compromise entails. So how can your organization avoid becoming the next victim?

1. Identify fake workers during the hiring process

• Check the candidate’s digital profile, including social media and other accounts online, for similarities with other individuals whose identity they may have stolen. They may also set up several fake profiles to apply for jobs under different names.
• Look out for mismatches between online activities and claimed experience: A “senior developer” with generic code repositories or recently created accounts should raise red flags.
• Ensure they have a legitimate, unique phone number, and check their resume for any inconsistencies. Verify that the listed companies actually exist. Contact references directly (phone/video call), and pay special attention to any employees of staffing companies.
• As many applicants may use deepfake audio, video and images, insist on video interviews and perform them multiple times during recruitment.
• During the interviews, consider any claims of a malfunctioning camera to be a major warning. Ask the candidate to turn off background filters to have a better shot at identifying deepfakes. (The giveaways could include visual glitches, facial expressions that feel stiff and unnatural and lip movements that don’t sync with the audio.) Ask them location- and culture-based questions about where they “live” or “work” concerning, for example, local foods or sports.

2. Monitor employees for potentially suspicious activity

• Be alert to red flags such as Chinese phone numbers, immediate downloading of RMM software to a newly-issued laptop, and work performed outside of normal office hours. If the laptop authenticates from Chinese or Russian IP addresses, this should also be investigated.
• Keep tabs on employee behavior and system access patterns such as unusual logins, large file transfers, or changes in working hours. Focus on context, not just alerts: the difference between a mistake and malicious activity could lie in intent.
• Use insider threat tools to monitor for anomalous activity.

3. Contain the threat

• If you think you have identified a North Korean worker in your organization, tread carefully at first to avoid tipping them off.
• Limit their access to sensitive resources, and review their network activity, keeping this project to a small group of trusted insiders from IT security, HR and legal.
• Preserve evidence and report the incident to law enforcement, while seeking legal advice for the company.

When the dust has settled, it’s also a good idea to update your cybersecurity awareness training programs. And ensure that all employees, especially IT hiring managers and HR staff, understand some of the red flags to watch out for in future. Threat actor tactics, techniques and procedures (TTPs) are evolving all the time, so this advice will also need to change periodically.

The best approaches to stop fake candidates becoming malicious insiders combine human know-how and technical controls. Make sure you cover all bases.