KnowBe4 was fooled by a North Korean scammer who got through the company’s hiring process earlier this month, even though that process is comprehensive and includes checks of a candidate’s background and identity. The incident shows the dangers of AI in online application processes.
A cybercriminal managed to join KnowBe4 as a Principal Software Engineer. He went through the application process under a stolen U.S. identity. The photo submitted with the application turned out to have been edited with AI.
After the successful application, the new employee was sent a Mac. “As soon as the device was received, it immediately started loading malware,” writes KnowBe4 CEO Stu Sjouwerman in a blog. The malicious activity was flagged immediately by the security software and forwarded to KnowBe4’s InfoSec Security Operations Center. “The SOC called the new hire and asked if they could help. That’s when it got dodgy fast.” Within 30 minutes, the SOC shut down the new employee’s device. The team made that decision after the malicious party ignored a request to start a video call and cut off further communication.
AI enhances the scam
As a provider of security awareness training, KnowBe4 saw an opportunity to share the event and offer tips against such practices. For example, it recommends speaking to applicants in a video call to verify their identity.
From the story so far, the security trainer’s application process probably does not seem very fraud-proof. The reality is different: a total of four video interviews were conducted to confirm that the applicant matched the person in the photo. “Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used.”
After the event, KnowBe4 launched an investigation into the incident, led by Mandiant and supported by the FBI. Examination of the submitted photo showed that it was a stock photo modified by AI.
Deepfakes become difficult to recognize
The blog does not go into more detail about the video meetings. In them the candidate’s identity was verified, yet as it turned out, the person on the right of the photo does not exist at all. It is possible that the attackers used deepfakes to get through the online interviews without being caught by a mismatched appearance. However, this is only speculation.
What is certain is that the quality of deepfakes keeps improving. This trend means the technology is also being used against ever larger organizations and more senior people. A recent example is the case of a Ferrari NV executive. He appeared to receive messages from Ferrari CEO Benedetto Vigna via a new WhatsApp account, and then had a phone conversation with the impersonator that sounded real thanks to deepfake technology imitating the CEO’s voice and intonation.
Among the tips KnowBe4 gives for protection are scanning remote devices and checking whether employees log in to corporate environments through VPNs or VMs. Through monitoring, KnowBe4 was able to prevent a cyber incident, but it admits it could have caught the problem earlier by checking the shipping address: the laptop was sent to an address that differed from the new Principal Software Engineer’s stated work location. Such discrepancies are a warning sign and could have prevented the scammer from being hired at all.
North Korea collects the money
In North Korea, such scammers appear to thrive under the regime. “The scam is that they actually do the work, get paid well and give a large amount of money to North Korea to fund their illegal programs,” writes KnowBe4 CEO Sjouwerman. The scheme relies on several state-sponsored “IT mule laptop farms”.
By using VPN technology, it is easy to make it appear that the work is being done from the United States. The scammers bridge the time-zone difference by working at night, when the workday begins in the United States. The financial motivation is strong enough to sustain those working hours.
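To make the controls described above concrete (compare the laptop shipping address with the declared location, check whether corporate logins arrive through VPNs or VMs, and scan the remote device for remote-control software that would let someone else drive a laptop parked at a laptop farm), here is an added example in Python. It is not KnowBe4’s or Mandiant’s tooling: the IP ranges, tool names, employee records and login events are all constructed for illustration, and a real deployment would take the VPN/hosting ranges from an IP-reputation or ASN feed and the process list from the EDR.

```python
"""Added example, not KnowBe4's or Mandiant's code: correlate a new hire's HR
record with laptop shipping, login source and endpoint inventory, and flag the
red flags the article lists. Every range, tool name and record is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: egress ranges the organisation has labelled as commercial VPN
# or cloud hosting (documentation ranges used here; a real list comes from a feed).
VPN_OR_HOSTING_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Remote-control tools that let a third party operate a laptop from elsewhere.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "rustdesk", "splashtop"}


@dataclass
class NewHire:
    employee_id: str
    declared_region: str      # work/home location from the HR record
    shipping_region: str      # where the company laptop was actually sent


@dataclass
class LoginEvent:
    employee_id: str
    src_ip: str
    is_virtual_machine: bool  # device posture reports the endpoint as a VM


def is_vpn_or_hosting(ip: str) -> bool:
    """True when the source address sits in a known VPN/hosting range."""
    addr = ip_address(ip)
    return any(addr in net for net in VPN_OR_HOSTING_RANGES)


def score_hire(hire: NewHire, logins: list[LoginEvent], processes: set[str]) -> list[str]:
    """Return human-readable findings for one hire; an empty list means clean.

    Login time of day is deliberately not scored: as the article notes, the
    operators work US business hours from abroad, so timestamps look normal.
    """
    findings: list[str] = []
    if hire.declared_region != hire.shipping_region:
        findings.append(
            f"laptop shipped to {hire.shipping_region}, but hire declared {hire.declared_region}"
        )

    own = [e for e in logins if e.employee_id == hire.employee_id]
    vpn_hits = [e.src_ip for e in own if is_vpn_or_hosting(e.src_ip)]
    # Flag only when *every* login is tunnelled; an occasional VPN login is normal.
    if own and len(vpn_hits) == len(own):
        findings.append(f"every login came through a VPN/hosting range: {sorted(set(vpn_hits))}")
    if any(e.is_virtual_machine for e in own):
        findings.append("at least one login came from a virtual machine")

    tools = REMOTE_ACCESS_TOOLS & {p.lower() for p in processes}
    if tools:
        findings.append(f"remote-access software present on device: {sorted(tools)}")
    return findings


def run_sample() -> dict[str, list[str]]:
    """Two constructed hires: one consistent, one matching the article's pattern."""
    hires = [
        NewHire("E100", declared_region="Florida", shipping_region="Florida"),
        NewHire("E200", declared_region="Texas", shipping_region="Arizona"),
    ]
    logins = [
        LoginEvent("E100", "192.0.2.10", is_virtual_machine=False),
        LoginEvent("E100", "192.0.2.11", is_virtual_machine=False),
        LoginEvent("E200", "203.0.113.5", is_virtual_machine=True),
        LoginEvent("E200", "198.51.100.77", is_virtual_machine=False),
    ]
    inventory = {  # constructed process snapshots per device
        "E100": {"Slack", "Code", "zsh"},
        "E200": {"Slack", "AnyDesk", "zsh"},
    }
    return {h.employee_id: score_hire(h, logins, inventory[h.employee_id]) for h in hires}


if __name__ == "__main__":
    for emp, findings in run_sample().items():
        print(emp, "clean" if not findings else f"{len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

In the constructed sample, the consistent hire produces no findings while the second hire trips all four checks. None of these signals is proof on its own (plenty of legitimate remote staff use VPNs, and a laptop can legitimately be shipped to a temporary address), which is why the function returns the individual findings rather than a verdict: the SOC still has to pick up the phone and ask for a video call, as KnowBe4 did.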
Mandiant is closely monitoring the threat from North Korea. The cybersecurity firm’s research has already uncovered that the country supports IT workers in obtaining high-ranking IT positions at Fortune 500 companies. Michael Barnhart, Principal Analyst at Mandiant, discussed the findings as a guest on “The Defender’s Advantage Podcast”.
According to Barnhart, the incident at KnowBe4 is exceptional. Typically, North Korean workers do not abuse the positions they gain at large companies to get malware into the company. “They do their job, get paid and remit this money to North Korea,” he said. The country then invests the money in, for example, its nuclear weapons program.
Hard to detect
The incident at KnowBe4 shows that scammers are getting through hiring processes more easily by using AI. It also draws attention to North Korea’s state-sponsored activity, whose goal is sometimes to attack important companies from within. Typically, though, the scam serves as a conduit for money from prosperous countries into North Korea, where it funds the state’s illegal activities. The story shows how difficult it is to spot such profiles in a digital application process.
Source: KnowBe4