Wild, true story from the security awareness and training company KnowBe4 that details how they inadvertently hired a North Korean hacker who was posing as a Western tech worker.

Kudos to them for publishing this. If it can happen to a security awareness company, it can happen to anyone (full disclosure: they've been an advertiser on my site for ages).

https://blog.knowbe4.com/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us

How a North Korean Fake IT Worker Tried to Infiltrate Us

@briankrebs

This is pretty wild. How common are email-only reference checks? I've always done a phone call or video call at a minimum; surprised a high-profile security vendor would have such a porous background check process.
@pete_wright IDK. My sense is a ton of companies hire a ton of remote employees all the time, probably many they have never met face to face.
@briankrebs Yeah, that's a good point, and I'm not trying to dunk on KB4 (I was a former customer of theirs). I've been at smaller shops for quite a while now, so it's easier to make sure new hires have a decent amount of vetting than at larger companies.

Like you said, glad they posted this publicly, as it certainly serves as a good wake-up call for larger orgs.
@pete_wright @briankrebs I just had an email-only reference check for a friend a couple of months ago. I was prepared for a phone call, but they were happy enough to take my email response.

@feld @pete_wright That's interesting. A lot of times, the only way you'll know something is off is by talking to them, ideally over video so you can match a name with a face and see how they react to different things. I remember a while back reporting on the hack of the FBI's Infragard portal, the feds vetted and approved a fake application in the name of a CEO of a credit rating agency. But they never called the number in the application, even though the fraudster had submitted the CEO's real mobile number in his application!

https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/

FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked – Krebs on Security

@briankrebs @pete_wright That sounds like a more nefarious version of when I am forced to provide my email to log in to a "free WiFi" somewhere and I just use abuse@ their domain.
@briankrebs @feld Oh, I remember reading that article; it certainly upped my paranoia meter by a few degrees! :)

@briankrebs @feld @pete_wright But here they say:

> Our HR team conducted four video conference based interviews on separate occasions, confirming the individual matched the photo provided on their application.

So the photo was modified to match the real person? And that person was actually doing the coding? Or are they using some high-quality deepfake for every video call? Because that means more video calls would still not solve it...

@chebra @briankrebs @pete_wright That reminds me: a couple of years ago we were hiring contractors from Upwork and we caught a guy scamming. When you set up a call with them, you'd get a white dude in America who didn't know anything about the work being done, because he was outsourcing the actual work to people in India.