Spotting Fake Hires: North Korean IT Worker Scams

October 28, 2025 at 12:00 AM

Fake job seekers have become a serious insider threat. In a 2024 case, a North Korean worker passed four video interviews and background checks at a cybersecurity firm, then began manipulating files and attempting to run unauthorized software. As AI makes impersonation easier, hiring must be treated like a security-controlled process.

The threat at a glance

  • Active since at least 2017 and tracked as WageMole (overlapping with UNC5267 and Jasper Sleet)
  • More than 300 victim companies between 2020 and 2022, including Fortune 500 firms, according to Microsoft
  • Microsoft suspended 3,000 Outlook and Hotmail accounts tied to North Korean job seekers
  • A US indictment alleges $860,000 earned from 10 of 60+ infiltrated companies
  • Targeting is expanding beyond the US to Europe (France, Poland, Ukraine) and the UK

How the scam works

  • Identity fabrication: Attackers create or steal identities that match the target’s location, then build email, social, and developer profiles (including GitHub) to appear legitimate.
  • Deepfakes and voice alteration: Face swaps, voice changers, and synthetic images or videos help mask true identities.
  • Developer bait-and-switch: The DeceptiveDevelopment campaign lures developers with fake job postings and coding challenges that include trojanized projects. Stolen developer identities are later reused to secure real roles.
  • Foreign facilitators: Middlemen enable the operation by setting up freelance platform accounts, opening or lending bank accounts, obtaining phone numbers/SIMs, and helping pass background checks.
  • Laptop farms and location cloaking: Corporate devices are shipped to local “laptop farms,” while workers hide their location using VPNs, proxies, RMM tools, and VPS infrastructure.

Why it matters

  • Sanctions risk: Companies may unknowingly pay sanctioned actors, with legal and financial fallout.
  • Elevated access: Fake hires can gain privileged access, steal sensitive data, plant backdoors, or facilitate ransomware.
  • Reputational damage: Public exposure of funding or enabling a sanctioned regime can be severe.

How to detect fake candidates during hiring

  • Scrutinize digital footprints: Look for cloned or overlapping profiles, multiple aliases, and inconsistencies across platforms.
  • Validate experience: Be wary of “senior” candidates with sparse or generic GitHub repos or recently created accounts.
  • Verify contact and history: Require a unique, verifiable phone number. Cross-check resumes, confirm that listed employers exist, and call references directly via phone or video (especially staffing agency contacts).
  • Insist on live video multiple times: Treat camera “malfunctions” as a major red flag. Ask to disable background filters and watch for deepfake artifacts (unnatural expressions, lip-sync glitches).
  • Test local knowledge: Ask questions about the claimed location, such as regional norms, foods, sports, or commute details.
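The first three checks above (overlapping profiles, thin developer accounts behind "senior" claims, non-unique contact details) can be partly automated against an applicant-tracking export before anyone spends interview time. The following Python is an added example, not code from WeLiveSecurity or from any vendor: the applicant records are constructed, the field names are assumptions about what an ATS export would contain, and the thresholds (minimum account age, fork ratio, resume similarity) are illustrative starting points, not published guidance.

```python
"""Cross-check a batch of applicant records for shared identity data,
seniority claims inconsistent with developer-account history, and
near-duplicate resumes.  Added example; all records are constructed."""
from collections import defaultdict
from datetime import date

TODAY = date(2025, 10, 28)  # fixed reference date so results are reproducible

# Constructed applicant records; field names are assumptions about an ATS export.
APPLICANTS = [
    {"id": "A1", "phone": "+1-555-0100", "email": "alex@example.com",
     "claimed_years": 9, "github_created": date(2025, 6, 1), "repos": 2, "forks": 2,
     "resume": "senior full stack engineer react node aws kubernetes ten years experience"},
    {"id": "A2", "phone": "+1-555-0100", "email": "sam@example.com",
     "claimed_years": 8, "github_created": date(2025, 7, 3), "repos": 3, "forks": 3,
     "resume": "senior full stack engineer react node aws kubernetes nine years experience"},
    {"id": "A3", "phone": "+1-555-0177", "email": "jordan@example.com",
     "claimed_years": 7, "github_created": date(2016, 3, 12), "repos": 40, "forks": 5,
     "resume": "backend engineer go postgres grpc observability on call rotation"},
]


def shared_contact_fields(applicants, fields=("phone", "email")):
    """Return {field: {value: [ids]}} for contact values reused by more than one applicant."""
    seen = {f: defaultdict(list) for f in fields}
    for a in applicants:
        for f in fields:
            seen[f][a[f].strip().lower()].append(a["id"])
    return {f: {v: ids for v, ids in vals.items() if len(ids) > 1} for f, vals in seen.items()}


def seniority_mismatch(applicant, today=TODAY, min_account_years=2.0, max_fork_ratio=0.8):
    """Flag a 'senior' claim backed by a very young or fork-only developer account."""
    account_years = (today - applicant["github_created"]).days / 365.25
    reasons = []
    if applicant["claimed_years"] >= 5 and account_years < min_account_years:
        reasons.append(f"claims {applicant['claimed_years']}y experience, account is {account_years:.1f}y old")
    if applicant["repos"] and applicant["forks"] / applicant["repos"] >= max_fork_ratio:
        reasons.append("repositories are almost all forks")
    return reasons


def jaccard(text_a, text_b):
    """Token-set similarity in [0, 1]; crude but enough to catch template resumes."""
    sa, sb = set(text_a.split()), set(text_b.split())
    return len(sa & sb) / len(sa | sb)


def near_duplicate_resumes(applicants, threshold=0.7):
    """Return (id, id, similarity) for applicant pairs whose resumes look templated."""
    pairs = []
    for i, a in enumerate(applicants):
        for b in applicants[i + 1:]:
            s = jaccard(a["resume"], b["resume"])
            if s >= threshold:
                pairs.append((a["id"], b["id"], round(s, 2)))
    return pairs


def screen(applicants, today=TODAY):
    """Run all checks and return human-readable findings for the hiring team."""
    findings = []
    for field, dupes in shared_contact_fields(applicants).items():
        for value, ids in dupes.items():
            findings.append(f"{field} {value} shared by {', '.join(ids)}")
    for a in applicants:
        for reason in seniority_mismatch(a, today):
            findings.append(f"{a['id']}: {reason}")
    for x, y, s in near_duplicate_resumes(applicants):
        findings.append(f"{x} and {y} resumes {s:.0%} similar")
    return findings


if __name__ == "__main__":
    for line in screen(APPLICANTS):
        print(line)
```

Findings from a script like this are leads for a human reviewer, not rejections: a shared phone number can be a staffing agency's switchboard, and a young account can belong to someone who changed handles. The value is in surfacing the same pattern across several applications, which a single interviewer never sees.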

How to monitor for suspicious behavior post-hire

  • Watch for early anomalies: Immediate installation of RMM tools on a new laptop, Chinese phone numbers, or sign-ins from Chinese or Russian IPs.
  • Track behavior and access patterns: Sudden changes in working hours, unusual logins, large data transfers, or rapid privilege escalations.
  • Use insider risk tooling: Employ user and entity behavior analytics to distinguish mistakes from malicious intent.
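The early-tenure anomalies listed above (an RMM tool installed on a freshly issued laptop, sign-ins from unexpected countries or from hosting infrastructure, off-hours activity, large transfers, rapid privilege changes) map directly onto rules over normalized identity, endpoint and proxy telemetry. The following Python is an added example, not code from WeLiveSecurity or from any product: the events, hire dates, ASN labels and RMM product list are constructed or illustrative, the field names are assumptions about a normalized event schema, and the fixed working-hours window stands in for the per-user baseline a real UEBA system would learn.

```python
"""Rule-based screening of early-tenure telemetry for new-hire insider risk.
Added example; events and reference data below are constructed."""
from datetime import datetime

HIRE_DATES = {"u.new": datetime(2025, 10, 1), "u.old": datetime(2022, 3, 15)}  # constructed
EXPECTED_COUNTRIES = {"US"}          # where the role is supposed to be performed
RMM_TOOLS = {"anydesk", "teamviewer", "rustdesk", "splashtop"}  # illustrative, not complete
HOSTING_ASNS = {"AS-CLOUDVPS-1"}     # constructed label standing in for a VPS/proxy provider
WORK_HOURS = range(6, 22)            # static window; a real system uses a learned baseline

EVENTS = [  # constructed normalized events from IdP, EDR and proxy logs
    {"ts": datetime(2025, 10, 2, 9, 5), "user": "u.new", "type": "install", "software": "AnyDesk"},
    {"ts": datetime(2025, 10, 2, 9, 10), "user": "u.new", "type": "signin", "country": "US", "asn": "AS-CLOUDVPS-1"},
    {"ts": datetime(2025, 10, 3, 2, 30), "user": "u.new", "type": "signin", "country": "RU", "asn": "AS-ISP-9"},
    {"ts": datetime(2025, 10, 4, 3, 0), "user": "u.new", "type": "transfer", "bytes": 6_000_000_000},
    {"ts": datetime(2025, 10, 5, 10, 0), "user": "u.new", "type": "role_change", "new_role": "prod-admin"},
    {"ts": datetime(2025, 10, 2, 14, 0), "user": "u.old", "type": "signin", "country": "US", "asn": "AS-ISP-3"},
    {"ts": datetime(2025, 10, 2, 15, 0), "user": "u.old", "type": "install", "software": "vscode"},
]


def tenure_days(event):
    """Days between the user's hire date and the event."""
    return (event["ts"] - HIRE_DATES[event["user"]]).days


def evaluate(event, baseline_bytes=1_000_000_000, early_days=30):
    """Return the names of the rules an event triggers (empty list if none)."""
    hits = []
    early = tenure_days(event) <= early_days
    kind = event["type"]
    if kind == "install" and event["software"].lower() in RMM_TOOLS and early:
        hits.append("rmm_install_early_tenure")
    if kind == "signin":
        if event["country"] not in EXPECTED_COUNTRIES:
            hits.append("signin_unexpected_country")
        if event["asn"] in HOSTING_ASNS:
            hits.append("signin_from_hosting_asn")
        if event["ts"].hour not in WORK_HOURS:
            hits.append("signin_off_hours")
    if kind == "transfer" and event["bytes"] > baseline_bytes:
        hits.append("large_transfer")
    if kind == "role_change" and early:
        hits.append("privilege_change_early_tenure")
    return hits


def score_users(events):
    """Aggregate distinct triggered rules per user; users with no hits are omitted.
    The number of distinct rules is a crude risk score that favours users who
    trip several independent signals over one noisy rule firing repeatedly."""
    per_user = {}
    for e in events:
        for rule in evaluate(e):
            per_user.setdefault(e["user"], set()).add(rule)
    return {user: sorted(rules) for user, rules in per_user.items()}


if __name__ == "__main__":
    for user, rules in score_users(EVENTS).items():
        print(f"{user}: {len(rules)} distinct signals -> {', '.join(rules)}")
```

The aggregation step is the point: any one of these rules fires on legitimate staff (a travelling engineer, an approved remote-support tool), so alerting on a single hit is noisy. Several independent signals inside the first weeks of employment are what distinguish the pattern described in this article, and that combined view is what the insider risk tooling mentioned above is meant to provide.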

How to respond and contain risk

  • Move quietly at first: Avoid tipping off the suspect. Limit access and segment accounts while you investigate.
  • Keep the circle tight: Involve a small, trusted team from security, HR, and legal. Preserve evidence and engage law enforcement.
  • Strengthen the program: Update awareness training for HR and hiring managers. Refresh controls as attacker TTPs evolve.

Bottom line

Stopping fake candidates requires both human judgment and technical controls. Apply security rigor to recruitment, onboarding, and monitoring to prevent malicious insiders from slipping through.

Source: WeLiveSecurity
