Complex Impersonation Story

This is a story of one piece of what is probably a complex employment scam. Basically, real programmers are having their resumes copied and co-opted by scammers, who apply for jobs (or, I suppose, get recruited from various job sites), then hire other people with Western looks and language skills are to impersonate those first people on Zoom job interviews. Presumably, sometimes the scammers get hired and…I suppose…collect paychecks for a while until they get found out and fired. But that requires a bunch of banking fraud as well, so I don’t know.

EDITED TO ADD (10/11): Brian Krebs writes about fake LinkedIn profiles, which is probably another facet of this fraud system. Someone needs to unravel all of the threads.

Tags: , ,

Posted on October 10, 2022 at 6:09 AM21 Comments

Comments

Mike B October 10, 2022 6:40 AM

Perhaps the point of this project is not paychecks, but access to the systems of companies and agencies that handle sensitive information such as USA and NATO military personnel records. In that case, the intruders would care little about the payroll, and would focus on either gaining further credentials or implanting malware in the first days. Keeping the job for long would not be needed.

Clive Robinson October 10, 2022 8:29 AM

@ Bruce,

I mentioned that this sort of thing was happening with LinkedIn and CISO positions a few days ago.

It appears to be becoming a wide spread practice/scam why I don’t know but I assume there has to be an advantage in it.

Denton Scratch October 10, 2022 9:21 AM

I used to get mountains of spam from LinkedIn. I begged them to stop, but it went on for years. I won’t have anything to do with them. I have never bought anything from spammers, and I don’t care for social networks anyway.

Denton Scratch October 10, 2022 9:28 AM

I have to say, I don’t understand what the scam is.

The scammer appears to be contracting native English speakers to do interviews, so that “his own developers”, who are not native speakers, have a better chance at getting the contract. That seems vaguely OK, except for the bit about barefaced lying about who you are.

But how are you supposed to get the job, if you aren’t briefed on what the job is, or what the name of the company is? Like, most people prepare for an interview, to make sure they get the jargon right, and so that they can pretend to care about their prospective employer’s business. It must be a weird experience to interview someone that doesn’t know what the job is or who the employer is.

Faisal October 10, 2022 9:46 AM

Possibly related: the new hire who showed up is not the same person we interviewed

My husband works in IT and is on the leadership team at a midsized private company. He was part of a panel that recently interviewed a number of folks for an open position on his team. They are entirely remote. They had a few candidates for a first and second round, and had one make it to a third final round before an offer. “John” accepted the offer and started last week!

Except … it’s not the John my husband remembers. My husband was confused and said the following things were odd:

Rick October 10, 2022 11:59 AM

I completely agree with Mike B. I know it’s hyperbolic sounding, but this is a time to be on guard for any fifth column like activity.

barrotes October 10, 2022 3:22 PM

Funnily enough, my company’s help desk has been contacted few days ago by a competitor asking about me and telling that they I called them before. Of course I didn’t even know they existed, so after having read this article I’m starting to suspect that it might be a scam case, that the competitor was contacted by someone that “impersonated” me and they didn’t know how to recontact me so called my company (a poor decision in general), considering that I don’t have my contacts public anywhere.
Will update tomorrow, after contacting the competitor

Neel October 10, 2022 4:03 PM

Most of the CISOs in the US companies are unqualified anyway.

May be those scammers are better qualified than these CISOs and other IT executives who are hired just based on connections and nepotism.

barrotes October 10, 2022 4:58 PM

@Ted I read the second link about this “DPRK threat” and I find a bit odd how they start claiming the risk of national security threat (by stealing military information) which could effectively make sense, but then they warn about DPRK expats in Africa and China that could earn till 300k/year doing a legit work and “give all the money back to Kim Jong-Un regime” and citing jobs areas like “mobile gaming” and “graphic animation”? I mean, in what way can a graphic animation worker from DPRK pose as a security threat? Just… legitimately earning money working?

Not at Zon October 10, 2022 9:40 PM

I’ve worked at a large corporation where that had happened before, and was there when it happened again. New hire, let’s call him “Ram”, did fine on phone screen, very light Indian accent. Guy who came in had marginal English, did not know most of the skills needed and demonstrated in phone screen, struggled with the orientation/setup binder’s tasks. Within a week he’d been fired and some kind of criminal fraud proceedings were started.

Given his low clue levels, I’m pretty sure it was just a hiring scam, not a security attack. If you had someone competent, you could just get hired and sabotage from inside.

Ted October 10, 2022 9:42 PM

@barrotes

I find a bit odd how they start claiming the risk of national security threat (by stealing military information)

Could you point me to the page and paragraph in the Treasury document that says this? I don’t remember seeing this?

I mean, in what way can a graphic animation worker from DPRK pose as a security threat?

I think you may have already partly answered that question when you paraphrased: “give all the money back to Kim Jong-Un regime.” Did you have more thoughts about this?

Ross Anderson October 12, 2022 5:30 PM

Given the number of contract devs who get paid through service companies these days, if a firm hires ‘Bruce Schneier’ who demands to be paid through Counterpane Investments (Tallinn) Ltd., how can they object?

Clive Robinson October 13, 2022 1:25 AM

@ SpaceLifeForm,

Re : Can you or Bruce or anyone explain…

I can say that on the page in question the comments are numbered in the 46160 to 46245 range.

And the link @Bruce added has a number around two and a half times as great at, 121821.

I also know that when the blog software was changed there was a “clean up process” done in part by scripts.

Beyond that I have some guesses but not information to confirm them.

SpaceLifeForm October 13, 2022 3:42 AM

@ Bruce, Clive

re: broken link to comment

It is not only that the comment number 121821 is way out of range, but that the c character after the pound sign still exists.

As Bruce noted: EDITED TO ADD (10/25): Best blog comment ever.

So he saw it during the same day of the article he posted.

It was probably this one:

https://www.schneier.com/blog/archives/2006/10/bt_acquires_cou.html/#comment-46198

Bruce would remember, I would think.

How the link could get so mangled, well, not clear. The ‘omment-‘ is missing and the number is wrong. Clearly a conversion problem.

How ‘omment-46198’ gets converted to ‘121821’ takes work.

Clive Robinson October 13, 2022 9:01 AM

@ SpaceLifeForm,

Re : How the link could get so mangled, well, not clear.

I could guess but the simplest answer is some kind of buffer error.

If you think about the original links a script / prog would have to “walk the link” preferably backwards so the desired “comment” found was actually the last on the link.

Trouble is it’s a while back now and I can not remember the format of the original links.

Phillip October 18, 2022 11:23 PM

Unethical practices are basically in the open. For example, there is a lot of pressure to phony up one’s resume. Long ago, I lost a lot of anger over it. The IT industry is never innovative enough when there are so many issues in general.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.