Since 2022, the FBI and other agencies have been sounding the alarm about North Koreans posing as US or other non-North Korean based IT workers and infiltrating companies. In July, security firm KnowBe4 publicly revealed that they unknowingly hired a fake IT worker from North Korea. Fortunately they detected and blocked access as he attempted to load malware onto his system-connected laptop. Since then, similar stories have flooded in. Last week, reports surfaced that a fake North Korean IT worker hired by an unnamed company stole proprietary data and demanded a ransom payment in order to keep the hack secret.
However, the threat from interview fraud and fake employees goes far beyond the North Korean schemes. Moreover, large enterprises are not the only targets. At HYPR, we recently experienced an attempted fraud event, and thwarted it through our Identity Assurance platform. In support of bringing awareness to the market and other businesses, HYPR has elected to publicly report our experience and how we mitigated it.
After multiple rounds of live video interviews, HYPR decided to extend a contract to a European software engineer through a Technology Services contracting firm. This prospective new hire — let’s call him “John Doe” — was required to go through HYPR’s new joiner security processes. This is in addition to the background checks already performed during the candidate pre-hire screening. On October 17, HYPR began “John’s” day 1 onboarding and credentialing.
At HYPR, we use our HYPR Affirm solution to conduct multiple verifications and checks for new hires before issuing credentials. Verifications may include possession checks, biometrics, telemetry, document authentication, video verification and other identifiers. Affirm is configurable to the verification level required by an organization, based on its needs and the role of an individual they hire. Below is the flow we typically use at HYPR:
The new hire check threw up several red flags. Although John’s phone number was verified, a location check did not match the information he had provided.
John’s passport passed the document review, however the facial verification check indicated discrepancies between the passport photo and face scan. The liveness detection test also failed.
Alarm bells began chiming for the team, but the prospective employee claimed that he was having technical difficulties with the document uploading and verification part of the onboarding.
HYPR encouraged him to try the process again. A second attempt an hour later now showed a different location and a different browser language.
The final step was live video verification to confirm that this was indeed the same person we originally interviewed. At this point John dropped off and emailed that he could not turn on his video due to issues with his camera. We contacted our Technology Services provider to explain the warning signs we were seeing. The next day, John informed our provider that he had found a different opportunity and decided not to continue with onboarding at HYPR.
In the ordinary course of events, onboarding employees with Affirm is efficient and seamless. If red flags begin to manifest, however, the friction is increased to detect other risk indicators and prevent a fraudulent hire from proceeding.
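As an added example (not HYPR's own Affirm code), here is a small risk-based onboarding decision routine that mirrors the escalation described above: a clean run issues credentials, any flag withholds them and steps up to a live video session, and a retry that changes location or browser language is itself a flag. Field names, flag labels and the sample values are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Attempt:
    """Outcome of one run through the automated new-joiner checks."""
    phone_verified: bool          # possession check on the claimed phone number
    location_matches: bool        # telemetry location agrees with the claimed one
    document_authentic: bool      # passport passed document authentication
    face_matches_document: bool   # face scan agrees with the document photo
    liveness_passed: bool         # presentation-attack / liveness check
    country: str                  # observed location for this attempt
    browser_language: str         # observed browser language for this attempt

# Identity-level failures: a later live video pass alone should not clear these.
HARD_FLAGS = {"document_failed", "face_mismatch", "liveness_failed"}

def collect_flags(attempts: List[Attempt]) -> List[str]:
    """Failures of the latest attempt plus inconsistencies between retries."""
    latest = attempts[-1]
    checks = [("phone_possession_failed", latest.phone_verified),
              ("location_mismatch", latest.location_matches),
              ("document_failed", latest.document_authentic),
              ("face_mismatch", latest.face_matches_document),
              ("liveness_failed", latest.liveness_passed)]
    flags = [name for name, ok in checks if not ok]
    # A genuine retry after "technical difficulties" should not move the
    # candidate to another location or change their browser language.
    for prev, cur in zip(attempts, attempts[1:]):
        if prev.country != cur.country:
            flags.append("location_changed_between_attempts")
        if prev.browser_language != cur.browser_language:
            flags.append("browser_language_changed")
    return flags

def decide(attempts: List[Attempt], live_video_confirmed: Optional[bool] = None) -> str:
    """Credentials only on a clean run; any flag steps up to live video with
    the original interviewers; a declined or failed video session is a deny."""
    flags = collect_flags(attempts)
    if not flags:
        return "issue_credentials"
    if live_video_confirmed is None:
        return "step_up:live_video"          # hold credentials, add friction
    if not live_video_confirmed:
        return "deny"
    return "manual_review" if HARD_FLAGS & set(flags) else "issue_credentials"

# Constructed sample: the two attempts described in the post (values assumed).
FIRST = Attempt(True, False, True, False, False, "country-A", "en")
SECOND = Attempt(True, False, True, False, False, "country-B", "xx")

if __name__ == "__main__":
    print(collect_flags([FIRST, SECOND]), decide([FIRST, SECOND]))
```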
Onboarding With HYPR Affirm
It is critical to note that at no point in the onboarding process was “John” issued credentials to access any HYPR systems. This is because HYPR uses multi-factor verification (MFV) to issue phishing-resistant MFA credentials. This ensures an account is always tied to a verified, real-world identity.
By contrast, in the KnowBe4 case, they shipped the fake IT worker a provisioned FIDO-enabled YubiKey so he could log into their network. This meant that the North Korean operative had at least limited access from the get go. He was caught and blocked only after he did something that was detectable by security monitoring tools. Had he been a highly sophisticated hacker, he may have been able to bypass some of those tools.
This is a Security Bloggers Network syndicated blog from HYPR Blog authored by Anton Gurov, CISO. Read the original post at: https://blog.hypr.com/hypr-unmasks-fake-it-worker