Fake North Korean IT worker scams are evolving to include theft and extortion as more examples emerge of tech and other companies being targeted.
The deception often involves North Korean workers masquerading as legitimate IT professionals in attempts to gain employment at Western firms, almost always in positions that offer remote work options.
Once hired, these “remote workers” use their insider access to spy on the company’s infrastructure and steal sensitive information while collecting wages that are sent back to the North Korean government.
Doing IT
In one recent case, a candidate whom the defense company Exabeam was considering for an open position demonstrated sufficient technical knowledge to pass an initial interview with human resources personnel. Even in this first interview, employers mark the answers from the candidate “as written.” Soon, during discussions with department heads, the wheels started to fall off.
The online interview for the senior governance, risk, and compliance analyst position with Jodi Maas, who leads the GRC team, and Exabeam CISO Kevin Kirkwood was “weird” from the start.
“His eyes weren’t moving, his lips weren’t in sync, and his voice was mechanical,” Kirkwood told CSO. “It was like something out of a 1970s Japanese Godzilla movie.”
Kirkwood and his colleagues quickly concluded that they were interviewing a candidate using immersive video technology. The delay in the answers, and the nature of the answers, suggested that the candidate was trying to use voice translation technology to answer the questions.
“This was easy to spot, but technology will improve and we’ll get more serious deepfakes in the future,” Kirkwood warned.
Created using deep learning AI, deepfake images, video, and audio are viewed by cybercriminals as a new, powerful tool that can be used in social engineering and extortion campaigns. According to a recent study from Deloitte, cybercriminals have already targeted more than a quarter of all companies, focusing on financial information.
After the interviews, Maas and Kirkwood worked with their HR colleagues to revamp Exabeam’s hiring process to introduce even stronger safeguards, including insisting on video interviews for remote job applicants, and more employee training.
Potential employers are urged to verify the identity of people and documents, and to be wary of suspicious activity during video calls. During the onboarding process of new hires, companies should be especially wary of unauthorized use of remote access and VPN tools.
More than 300 businesses are believed to have fallen victim to an IT scam involving fake workers, which is estimated to have netted the North Korean government millions. In August, EDR vendor CrowdStrike released a report on how one North Korean group infiltrated more than 100 companies through impersonation campaigns.
The DPRK [North Korean] IT workers can earn more than $300,000 a year in some cases, and groups of IT workers can earn more than $3 million a year, the US State Department, the US Treasury, and the FBI warned in a joint advisory in May 2022.
Security awareness vendor KnowBe4 hired a North Korean IT employee who tried unsuccessfully to breach its network. KnowBe4 went public with its information in a blog post that provides a detailed look at how the scam works.
More background on the fake IT staffing scam – and tips on how to spot it – can be found in CSO’s August 2024 feature “How not to hire a North Korean IT spy.”
Robbery enters the mix
There’s a new twist on the North Korean IT worker scam. Criminals have added identity theft-based crimes to their playbook.
Cybersecurity incident response company Secureworks reports a case where a contractor leaked proprietary information to an unnamed company almost immediately after employment began in mid-2024.
Poor performance meant that the employee was fired after four months, but a few days later the company received a series of emails, including zip archive files containing evidence of intellectual property, and fraudulent demands to pay a sum of six in cryptocurrency to avoid publication of the stolen sensitive information.
It is not yet clear whether the victim complied with this extortion demand.
Secureworks reports that it has investigated several similar incidents involving North Korean IT personnel seeking to commit fraud after “gaining access to the inside, a tactic not seen in previous programs.”
North Korea has targeted companies in North America, Europe, and Australia as part of an ongoing and evolving scam, prompting warnings from the UK government and others.