Hiring and security headaches multiply as deep fakes infiltrate the remote workforce
The perils of outsourcing jobs to remote workers have reached a new level, with a steady stream of revelations that U.S. companies have discovered North Korean IT workers using deepfake technology to create synthetic identities for online job interviews and so secure remote work.
The issue has been out in the open since the U.S. government issued a warning in May 2022 about North Korean IT workers using VPNs, virtual private servers, purchased third-party IP addresses, proxy accounts, and stolen ID documents to pass themselves off as IT workers from other countries.
This identity manipulation is part of ongoing state-sponsored employment scams aimed at infiltrating US companies and other organisations globally to steal intellectual property and install malware with a view to future fraud and extortion attempts.
Nearly eighteen months later, an insight into the widespread nature of these scams emerged when, in October 2023, the U.S. Department of Justice (DOJ) released details of its seizure of 17 domains and some $1.7 million in revenues associated with one scam operation.
The websites appeared to be the domains of legitimate U.S.-based IT services companies. However, the people behind them were North Korean IT workers employed by a China-based company, Yanbian Silverstar Network Technology Co. Ltd, and a Russian company identified as Volasys Silver Star.
KnowBe4, a security awareness training company, discovered that a remote software engineer they had recently hired was a North Korean national using a stolen U.S. identity and an AI-enhanced photograph. Despite seemingly thorough hiring protocols including video interviews, background checks, and reference verifications, the deception was only uncovered after the new hire began loading malware onto company devices.
The sophisticated nature of the scam was evidenced by the hacker using a valid but stolen U.S. identity and an AI-enhanced photo derived from stock imagery to pass the company’s hiring protocols. The remote employee’s workstation was shipped to an address used as an “IT mule laptop farm” and accessed via VPN to simulate working U.S. business hours.
According to the FBI, other organisations, ranging from Fortune 500 companies to small businesses, have also made the same mistake.
Researchers at Palo Alto Networks’ Unit 42 reported in a recent blog post that it takes little more than an hour and no prior experience to create a real-time deepfake using readily available tools and inexpensive consumer hardware.
Using deepfakes as part of their methodology for securing remote IT worker jobs offers two key advantages for North Korean threat actors, according to Unit 42.
“First, it allows a single operator to interview for the same position multiple times using different synthetic personas,” author Evan Gordenker wrote in the post. “Second, it helps operatives avoid being identified and added to security bulletins and [criminal] wanted notices.”
A Unit 42 researcher with no image manipulation experience took only 70 minutes to create several deepfake identities, starting from single images taken from https://thispersonnotexist.org/ and then altering the background and wardrobe each time to produce a new candidate.
Rather than creating identities, the North Korean workers have now taken to either stealing the ones they want or deceiving people into handing them over for a purported good cause.
Adam Meyers, of the global cybersecurity company CrowdStrike, recommended a job interview question that he says causes North Korean deepfake actors to immediately discontinue the interview. Asking ‘How fat is Kim Jong Un?’ is unanswerable by North Koreans, who fear saying anything negative about their country’s dictatorial leader, according to Meyers.
Meyers explained to a conference audience recently that North Koreans will use generative AI to develop bulk batches of LinkedIn profiles and applications for remote work jobs that appeal to Western companies. During an interview, multiple people will work on the technical challenges that are part of the interview, while a front person handles the physical side of the interview.
Once placed in the remote role, these employees are usually very successful as they have a team of people working to produce high-quality output. The goal is to secure a quick promotion that provides greater access to their employer’s systems, explained FBI Special Agent Elizabeth Pelker at the same conference.
Even if the interloper is exposed and fired, they will usually have already collected login details, planted unactivated malware, and will then attempt to extort the maximum they can from the victim, according to Pelker.
The scammers are constantly attempting to stay ahead of the FBI. For example, to get around the IP address problem, laptop farms are springing up all over America. If an applicant gets a job, the firm will usually send them a laptop, at which point the new employee explains that they’ve moved or have a family emergency and requests that it be sent to a new address.
This is most likely a laptop farm, where someone in the US agrees to run the laptop from a legitimate address for a fee, typically around $200 a computer, according to Meyers.
The FBI has warned employers that the technology is only improving and will get more and more convincing.
The FBI and cybersecurity companies are urging employers to be hypervigilant for deepfake candidates when hiring remote workers, recommending such steps as
- paying for the candidate to attend an in-person interview, including (for relevant jobs) performing technical skill tests onsite;
- recording job application IP addresses to check that they aren’t from anonymising infrastructure or from geographic regions that would raise suspicion;
- checking candidates’ phone numbers to ensure they aren’t from VoIP carriers that are commonly associated with identity concealment;
- recording interviews so they can be analysed forensically afterwards;
- implementing a comprehensive identity verification workflow that includes document authenticity verification, ID verification, and matching the ID documents.
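The application-time checks above (IP origin, geography mismatch, VoIP carrier, post-offer laptop rerouting) can be turned into a single screening pass that hands a recruiter a list of review flags. The following is an added example written for this page, not code from the FBI or any vendor named here; the anonymiser prefix table, the carrier table and the applicant records are constructed, and a real pipeline would replace the two tables with an IP-intelligence feed and a carrier-lookup service.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lookup tables for this example; a real pipeline would query an
# IP-intelligence feed and a carrier-lookup service instead.
ANON_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "commercial VPN exit",
    ipaddress.ip_network("198.51.100.0/24"): "hosting provider",
}
CARRIER_TYPE = {"+1-555-01": "voip", "+1-555-02": "mobile"}

@dataclass
class Applicant:
    name: str
    claimed_country: str        # country the candidate says they live in
    application_ip: str         # source IP recorded when the application was submitted
    ip_country: str             # country the application IP geolocates to
    phone: str
    ship_address_changed: bool  # asked to reroute the company laptop after the offer

def anon_label(ip):
    """Infrastructure label for an IP, or None if it is not a known anonymiser."""
    addr = ipaddress.ip_address(ip)
    for net, label in ANON_PREFIXES.items():
        if addr in net:
            return label
    return None

def carrier_type(phone):
    """Carrier class for a phone number by prefix match in the constructed table."""
    for prefix, kind in CARRIER_TYPE.items():
        if phone.startswith(prefix):
            return kind
    return "unknown"

def screen(a):
    """Review flags raised for one applicant; an empty list means none."""
    flags = []
    label = anon_label(a.application_ip)
    if label:
        flags.append(f"application IP is a {label}")
    if a.ip_country != a.claimed_country:
        flags.append(f"IP geolocates to {a.ip_country}, candidate claims {a.claimed_country}")
    if carrier_type(a.phone) == "voip":
        flags.append("phone number is on a VoIP carrier")
    if a.ship_address_changed:
        flags.append("laptop shipping address changed after the offer")
    return flags
```

Each flag is a prompt for human review, not a verdict: a candidate on a commercial VPN may simply be privacy-conscious, so the list is meant to decide who gets the in-person interview and identity verification steps above.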
How huge could this problem become, given the rapid advances in GenAI together with an employer’s understandable desire to hire reasonably priced remote talent to access important and hard-to-find skills unavailable in the local market?