Recruiters are in a constant struggle to find matches for their job openings, be it via classic job ads online or via DMs on platforms like LinkedIn.
We have recently discovered a report by several users on Reddit who say that they have been contacted by a recruiter and given a task to create a work sample. This practice is not uncommon, though it has been claimed in the past that some companies use this tactic to take advantage of applicants and get production work done for free. But on the whole, companies want to see that you are capable of doing what your resume says. This case, however, was interesting. From the fact that you are reading this post on the blog of a company that fights malware, you can probably guess where this is going. But let’s not get ahead of ourselves.
Shady Repository, weird warnings
Reddit user huggesh_nair reported that they were given access to a private repository on Github, from which they were to download application data for the assignment. The installation failed, and subsequently the system asked for permission to install a Python package (Python is a scripting language that is commonly used by developers to automate and facilitate certain tasks). Not recalling any reason why this should be happening, the user grew wary and turned to Reddit for advice. They were told that this seemed extremely suspicious, and that the best course of action was probably to reset the system. This was not bad advice, because it turns out that this assignment came with a little extra.
Most prominently, there are a few heavily obfuscated scripts among the data downloaded from the repository. These, as it turns out, steal data from a variety of browsers. Session tokens, stored passwords and crypto wallets are what those malicious scripts are after.
A Familiar Tactic
This tactic sounds familiar – stealing this type of data is pretty common and we have seen cases that involved DMs on social media platforms before. And those types of attacks cost victims not only their accounts, but potentially a whole lot of money. In the case of these fake job adverts / work samples or “technical tests”, as they are sometimes called, the job “applicant” (using inverted commas here because they technically did not apply for a job actively, but were contacted by a supposed “recruiter”) is expected to submit a CV. Again, common practice for any hiring process, and therefore not immediately suspicious. But in this case, a legitimate CV, where we can assume that the information is correct, complete and up to date, is being sent to a criminal organization. You can use your own imagination to think about what criminals can do with such information. One scenario that springs to mind is creating fake job applications for positions that involve remote work. This is something that has also happened before – North Korean actors have been known to successfully infiltrate companies, posing as real applicants doing real work. And while some fake applications are easily spotted, AI technologies are being actively used to create very convincing fakes that even hold up to scrutiny during a video call.
Who did it?
As to who is behind these attacks – there is one theory going that the North Korea-based group Lazarus is behind this. That would make sense, as this group has been known for siphoning off data from computers and draining bank accounts and crypto wallets in order to fill the coffers of the North Korean regime. It has been estimated by Chainalysis that North Korea has raked in over 1 billion USD from the theft of cryptocurrency alone.
How to protect yourself from criminals posing as recruiters
So if you are currently open for a new job, and get contacted by someone who claims to be looking for someone with your qualifications, there are a few things to look out for:
Make sure there is another way of contacting them, either by mail or by phone. No legitimate recruiter should decline you contacting them on a different channel.
When being given the task of providing a work sample or taking a “technical test”, look out for the source of the data that you are being provided with. A Github repo with a somewhat random username that is in no way connected with the company that you are supposedly working for is a huge red flag.
Check the website of the company the person contacting you claims to be working for. If you cannot find an opening there that matches your skill profile (or no openings at all), this might warrant some caution.
Pay close attention to email domains. Make sure that if you are given an email address, it matches the website of the company. Pay particularly close attention to things like character substitutions, such as l and I (lower case “L” as in Lima vs capital “I” as in India).
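The last check above, comparing a recruiter's e-mail domain against the company's real website domain, can be automated. The following is an added example written for this post, not code from the original article or from any tool it mentions; the function names and the list of confusable characters are assumptions, and it goes beyond the post's l/I case by also covering a few other well-known look-alike substitutions.

```python
import re

# Characters commonly swapped for one another in look-alike domains. The post's
# own example is lower-case L vs capital I; the other pairs are added here as
# further well-known confusables (an assumption of this example).
CONFUSABLES = {
    "i": "l",   # capital I becomes i after lower-casing, then folds to l
    "1": "l",
    "0": "o",
    "rn": "m",  # two characters that render like one
    "vv": "w",
}


def skeleton(domain: str) -> str:
    """Fold confusable characters so look-alike domains compare equal."""
    d = domain.lower().strip()
    # multi-character confusables first, then single characters
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        d = d.replace(src, CONFUSABLES[src])
    return d


def email_domain(address: str) -> str:
    """Return the domain part of an e-mail address, or '' if it has none."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    return m.group(1).lower() if m else ""


def check_sender(address: str, company_domain: str) -> str:
    """
    Classify a recruiter's address against the company's real website domain.
    Returns 'ok', 'lookalike' or 'unrelated'.
    """
    dom = email_domain(address)
    real = company_domain.lower().strip()
    if not dom:
        return "unrelated"
    # exact match, or a subdomain such as jobs.example.com
    if dom == real or dom.endswith("." + real):
        return "ok"
    # different characters but the same skeleton: a substitution look-alike
    if skeleton(dom) == skeleton(real):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # constructed sample addresses; example.com / international.com are placeholders
    for addr in ("hr@InternationaI.com", "talent@jobs.example.com", "x@gmail.com"):
        print(addr, "->", check_sender(addr, "international.com"))
```

A result of "lookalike" means the address is not the company's domain but differs from it only by confusable characters, which is exactly the substitution trick the post warns about.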