
North Korean hackers specializing in fake jobs go to great lengths to make their scams look authentic.
Do you have any idea who you are hiring?
Recent investigations have revealed that North Korean cybercriminals are using false identities to secure jobs at software development companies, both in Asia and the West. According to a study by Nisos, at least four fake profiles have been detected impersonating software developers, blockchain experts, and IT professionals, with the goal of generating income to finance Pyongyang's weapons programs.
To create these fraudulent identities, attackers are leveraging mature GitHub accounts and reusing content from the portfolios of former individuals. This strategy allows them to back up their new identities, making it easier to obtain employment at companies with fewer than 50 employees.
Although these profiles have accounts on job sites and personal information pages, they lack a social media presence, which is a red flag. Additionally, the profile pictures appear to have been altered, sometimes showing different faces overlaid on stock images to simulate teamwork.
A common feature among these profiles is the use of similar email addresses that include numbers and the word "dev." While it is difficult to establish their connection definitively, Nisos has pointed out several indications that suggest a link to the North Korean regime, including tactics and techniques attributable to labor fraud actors associated with the country.
Historically, Lazarus, a state-sponsored group from North Korea, has sought positions in software development. Once hired, its operatives gain access to the internal infrastructure of companies, allowing them to steal sensitive information or even money. Lazarus has also been involved in creating fake companies and positions to recruit software developers at major IT firms, implanting malware during the hiring process with the same intent of accessing the IT infrastructure of employers. This group frequently targets businesses related to blockchain and has conducted some of the largest cryptocurrency thefts in history.