CyberWire Daily - Fake job ads and how to spot them. [Research Saturday]
Episode Date: August 13, 2022
Ashley Taylor from SANS.edu joins Dave to discuss fake job ads and methods to proactively detect these scams. The research shares how job seekers are under attack, with scammers posing as fake job recruiters to steal information from people who are interested in the job posting. The brands being impersonated are at risk of losing credibility to their brand identity. The research shares exactly how these doppelgängers are posing a threat to job seekers and the best practices to detect these scams. It also shares how one company that works in the medical device manufacturing industry has been a target for these scams. It concludes with sharing some of the ways to proactively spot these scams before they happen. The research can be found here: Doppelgängers: Finding Job Scammers Who Steal Brand Identities
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts, tracking down the threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So we at work receive a notice from a victim of one of these scams asking our HR department a few details about a job offer.
And our HR department, unfortunately, had to inform them that the job didn't exist.
That's Ashley Taylor.
The research we're discussing today is titled Doppelgangers, Finding Job Scammers Who Steal Brand Identities.
It's been published as part of Ashley Taylor's work as
The victim thought that they were going to be starting the job.
They had already signed all of their paperwork.
They had gone through interviews, everything to think that this job was legitimate.
but it was just scammers impersonating the company and stealing all their information. Wow. You know, we're going to dig into all the details here,
but before we do, I have to ask, for someone to have gone that far down the path, what do you
suppose the scammers were actually looking to get out of them? So far, we've talked to multiple victims, and most of the time, it's at least personally
identifiable information.
They go as far as having them fill out their I-9 information to get set up as employees.
They also have done things like send them checks or ask them to go to fake websites to, quote, purchase the equipment that they would be reimbursed for later.
And when they go to those fake websites, they hand over their credit card information as well.
All right. Well, let's back up a little bit and actually dig into the stuff that you and your colleagues are tracking here.
We're talking about hiring frauds.
Can you take us through step by step what exactly are the bad folks doing?
Sure.
What they're doing is they were able to get the information about one of our recruiters. They got his email information, pictures on LinkedIn as he
needs to have out there because he's a recruiter. And they then set up fake profiles under his
accounts and would put out fake job advertisements on ZipRecruiter, which we didn't use, and LinkedIn, which we use, but was a
separate profile that we weren't keeping track of.
So they would create these fake job scams and people would reach out to them and they
would set up the interviews on RingCentral, very common, take them through a whole interview
process, and then at the end, say,
you're hired. Now give us all your information. Wow. Well, part of what you outline here in your
report are ways that organizations can try to mitigate this sort of thing. Can we dig into that?
I mean, you know, you mentioned that these things were set up on LinkedIn, which was a platform that you were all on.
But still, you know, how do you keep track of all of LinkedIn?
Can we go through some of the methods, the tools that are available?
Sure. Fortunately, I started off trying to get information from LinkedIn.
But as you can imagine, they're not very open with people just searching
for open job requirements. So we really started looking at how the attackers are setting these up
and we found out that they are registering typosquat or similar domains to our company
and using that to email victims to send them their paperwork that they need to fill
out. And as we were looking at that, we realized we had purchased a product called Recorded Future
that would let us know any time a typosquat or a similar domain was registered on our behalf.
After we started digging into it, we saw even more clues,
such as they would register a certificate,
they would set up an email server on these domains,
and the domains were always something like career-ourcompany.com or very similar to that.
So after looking at it, we were able to find these indicators that then allowed us to create some additional alerting.
And it's worth mentioning Recorded Future is an organization. They sell a threat intelligence
platform among other things. So that was a way for you to get some
insights here. And there are plenty of other companies who do this sort of thing, but this
is the one that you all happen to already be engaged with. Yes, there are a few open source tools
out there I didn't dig into, such as CertStream, which will let you know anytime a certificate is
registered on websites you're monitoring. And with DNS Twist,
you can look for typosquat websites. So there's definitely some future growth in making this more
of an open source solution. But what we had available was Recorded Future. So it's what
we went with. And so once you engage with this and you're using this tool, how does that work into your internal workflow?
So with Recorded Future, we were able to get the alerts, but for a while we were doing them manually.
And that took time: minutes to look up the sites, look at all the indicators, figure out what was happening, and decide to block them or to notify our HR and recruiting teams that yet another domain had
been set up. So we ended up utilizing our SOAR platform, which happened to be Rapid7's SOAR
platform, Insight Connect. And we were able to use the Recorded Future API to grab those alerts down
and then start processing them with our SOAR platform. And it would look at things like,
has a certificate been registered? If not, it wouldn't continue with the workflow because
there's not a lot we can do to get those websites taken down. But the minute that a certificate is registered,
then it would continue in the workflow. And it goes through a series of steps that allows us to
take a lot of that manual work we were doing and just automate it and present us with an executive
summary that we could really easily just scan through and decide to block those typosquat
or similar domains, then notify our recruiting teams and HR teams about the websites if we
felt we needed to.
Sometimes we would also, if it's a registrar that can take down those domains, we would
request those. So we went from it taking
days, weeks, months until we were properly notified and to get those domains offline
to the latest one took us 15 minutes. Wow. So putting together some handy automation
for yourselves to make life easier, you know, anytime you unleash automation on the world,
there's an opportunity for things to go dreadfully wrong.
So there was testing involved here.
I mean, how did you go and make sure that before you,
you know, you kick this into gear
that you weren't going to accidentally do something
you didn't want to do?
Luckily, we were able to use Icon, Insight Connect,
which allows you to rerun jobs that have already been processed.
That helped us a lot in testing.
But our final test was I went to a registrar
and I registered a domain that should get caught in the workflow.
I set up an email server on it and gave it a certificate.
And luckily, it was caught pretty instantaneously, which proved the workflow.
And now I'm the proud owner of a nice internal simulated phishing domain.
So you got that going for you.
Yes. Well, so what are your recommendations then
for organizations who want to get on top of this? I mean, it strikes me that part of the challenge
here is knowing that you have a problem. Right. So the first step in that is really looking at the type of typosquat domains that are being registered
for your company. If you get a lot of the typosquat domains that are careers-yourcompany.com
or jobs-yourcompany.com, it's probably worth identifying on all your recruiting websites and your LinkedIn profiles exactly where people need
to go to get job information. We ended up actually putting a warning after this was becoming a
problem because we had multiple victims that basically said any emails coming from these
domains are not legitimate. It doesn't totally solve the problem, but hopefully people
are doing a little bit of research about the companies that they're applying to. And since
we put those warnings on our website, it's significantly dropped the rate of people
reporting this type of attack. They're still registering domains, but hopefully victims are not falling for it
anymore. Yeah, I mean, that's an interesting side of all this as well, is that independent of
anything that you all are doing, there are victims out here who are suffering the consequences of
this. Right. And the FBI even just recently posted another article warning victims about these job scams of people impersonating legitimate companies and warning people about the scams. to the news, it's hard to know. So this solution was just something that our company could do to
try and get ahead of it and educate people before they fell victim because it's heartbreaking to
tell people who think they have a job, maybe have left their job or getting ready to move or
whatever they need to do to start a new job and then be told the job never existed in the first place and you got scammed out of your money and your identity is probably now stolen.
You know, I think an interesting aspect of this is this whole notion of being proactive or reactive.
And it sounds to me like, you know, the tools that you all put into place here, this is really going out and being proactive about looking for this stuff before it happens.
Right. That's part of where I was promoted in. posture management, which is really that proactive side of security, the training, the vulnerability
management, coming up with solutions like this with automation, just to try and detect things
earlier in the cycle so that our incident response and SOC teams can focus on what they do,
which is less of the reactive stuff, but a lot more of that
threat hunting and intelligence. Do you feel like the organization is in a good place now that you
have an effective system up and running? Oh, absolutely. We've been able to use this workflow
to create additional workflows. And we've also expanded on it since this paper
to now we bring in screenshots of the websites
to make it even easier to look at
the type of information that's getting here.
It's greatly reduced the amount of time it takes
for our SOC team to analyze these types of detections.
And it's freed us up to look at more creative solutions
elsewhere that we could use our SOAR platform for.
That's Ashley Taylor. The research is titled Doppelgangers, Finding Job Scammers Who Steal Brand Identities.
We'll have a link in the show notes.
The Cyber Wire podcast is proudly produced in Maryland out of the startup
studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Rachel Gelfand, Liz Ervin, Elliot Peltzman, Trey Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.