Graham Cluley

US-based KnowBe4 thought they were hiring a Western software engineer. Turned out he was actually a North Korean hacker, using a valid but stolen identity and an AI-enhanced mugshot.

Kudos to KnowBe4 for talking about it, and a warning to others.

blog.knowbe4.com/how-a-north-k

blog.knowbe4.com: How a North Korean Fake IT Worker Tried to Infiltrate Us

@gcluley I congratulate their cyber-security/IT team, but think their HR team perhaps needs quite a bit of training.

@rbairwell @gcluley What kind of training? It doesn’t sound like they didn’t do due diligence. It’s just a fact when hiring people: mistakes cannot be completely avoided. Not even if that person came in for an in-person interview.

@WPalant @gcluley From the article itself: "Background check appears inadequate. Names used were not consistent.
References potentially not properly vetted. Do not rely on email references only." I know they stole a US citizen's ID (so I'm guessing SSN+address matched), but I would expect a security company's HR dept to ask "locality based questions" ("what's the weather like there? how's the local sports team doing... what are they called again?") etc.

@rbairwell @gcluley Now imagine being at the other side of it, applying at a company that does this to you despite not having any reason to suspect you – as if the process wasn’t already stressful enough.

There are a lot of things one can do. But one still has to ask whether it's also reasonable to do it.

@gcluley Wow, how sad that this happened, but great of KnowBe4 to be sharing this so others can learn.

@gcluley always nice to see companies open about these incidents

There have been similar reports and stories for a little while but wild to see it inside the security world

I'm sure it happens more than we know, just fascinating to see

@gcluley

This is the part I don't understand:

"Our HR team conducted four video conference based interviews on separate occasions, confirming the individual matched the photo provided on their application."

...so, was there some kind of real time AI going on for the video conferences to make the person at the other end match the photo?

Wouldn't it have been easier to just send a real photo instead of an AI one? And why choose a stock photo to base it on?

@FediThing @gcluley I also don’t understand from the article how someone faked the video interview(s). And why would someone turn a stock photo into a fake photo? For the video interview? A little confusing…

@gcluley Honestly, if the standard of cyber security training is a target, it really goes to show everyone is. A.I. is opening new threat avenues.

Even if you regulate A.I., the genie is out of the bottle on crime using it and has been for a while now. This was a multi-prong attack that already succeeded at identity theft and leveraged that. It will be an excellent example to use in the next version of their training.

@gcluley Looks like the tricks to recognize an A.I. photo still work. The lenses of the glasses bothered me and zooming in on my phone, the lighting breaks down at the edges, like whole new eyes were popped into the lens slots.