Darknet Diaries - 133: I'm the Real Connor
Episode Date: May 2, 2023One day Connor Tumbleson got an email saying his identity has been stolen. And this was one of the strangest days he’s ever had.SponsorsSupport for this show comes from Quorum Cyber. Their ...mantra is: “We help good people win.” If you’re looking for a partner to help you reduce risk and defend against the threats that are targeting your business — and especially if you are interested in Microsoft Security — reach out to Qurotum Cyber at quorumcyber.com.Skiff is a collaboration platform built for privacy from the ground up. Every document, note, and idea you write is end-to-end encrypted and completely private. Only you and your trusted collaborators can see what you’ve created. Try it out at https://skiff.com.Support for this show comes from AttackIQ. AttackIQ’s security optimization platform emulates the adversary with realism to test your security program, generating real-time performance data to improve your security posture. They also offer free training. Head to attackiq.com to get a closer look at how AttackIQ can help you today.Sourceshttps://connortumbleson.com/https://krebsonsecurity.com/2022/10/glut-of-fake-linkedin-profiles-pits-hr-against-the-bots/Snippet from Darknet Diaries ep 119 about North Korean’s getting tech jobs to steal bitcoin https://www.youtube.com/watch?v=v1ik6bAwELAAttributionAssembled by Tristan Ledger.Sound design by Garrett Tiedemann.Episode artwork by odibagas.Mixing by Proximity Sound.Theme music created by Breakmaster Cylinder.
Transcript
Discussion (0)
I remember this one time I really botched a job interview.
I was young, in my early 20s, and I applied to do surveillance at a casino.
You know, the eye in the sky, watch 20 monitor screens at once
and try to find someone cheating or stealing things in the casino
and then call the security guards on them.
Well, I got an interview with the head of casino security
and things were going well.
We hit it off, and he liked my resume.
But then he asked me one last question.
If you saw me stealing in the casino, would you turn me in?
Now, I was dumbfounded by this question.
What is this, some kind of ethics test?
I mean, he's the head of security.
If I saw him stealing, who would I even report it to?
I was baffled on how to answer this.
But I wanted this job bad.
And so I did a whole bunch of mental gymnastics
to try to read his face and see what answer he wanted.
I mean, the first thing that popped into my mind
was that quote from the
Godfather. Here, listen. You're my older brother, and I love you, but don't ever take sides with
anyone against the family again. Don't take sides against the family? Who do you think started the
whole casino business? It was mobsters. So what did this head of security cherish more, family or the law? It's an impossible thing to answer. I felt as if I was
on the poker table going head to head with him, trying to read what cards he was holding. And my
job was what was on the line. Well, I blurted out, of course I wouldn't turn you in. You're my boss.
And with that, he stood up and said, thanks for coming in, but we're
looking for someone else. Good luck. And he reached out to shake my hand. I quickly realized my mistake.
Taking the family side was the wrong answer. It's the definition of corruption. Even if he wanted
me to always protect the family, this was just too soon of a test to ask me something like that. I wasn't part of the
family yet. Siding with him was taking sides against the casino itself. And if he was actually
corrupt, he wouldn't show his cards like that so early in the first interview with someone.
So I reversed my position. I shouted, no, no, no, I would definitely turn you in. The casino is who
I work for, not you. He smiled and shook his head and walked me to the door and said,
Better luck next time, kid.
These are true stories from the dark side of the internet.
I'm Jack Recider.
This is Darknet Diaries.
This episode is sponsored by Delete.me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless and it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from
hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them
because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they
immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things. It was great to have someone on my team when it comes
to my privacy. Take control of your data and keep your private life private by signing up for
Delete Me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete
Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off
is to go to join delete me dot com slash darknet diaries and enter code darknet at checkout. That's
join delete me dot com slash darknet diaries. Use code darknet.
Support for this show comes from Black Hills Information Security. This is a company that Thank you. call. I'm sure they can help. But the founder of the company, John Strand, is a teacher,
and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud,
digital forensics, and so much more. But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
So let's start out with who you are. What do you do?
Yeah, so I'm Connor Tumbleson. I'm just kind of an engineer here in Tampa, kind of really gone up the steps over the years.
I think I'm our director of engineering now, so I kind of just really do a lot of tech stuff.
The main thing to know about Connor is he spent years in the tech industry.
He's a great programmer, which has led him to become a director of engineering.
And he's content in his current role.
He's definitely not job-seeking.
However, his resume is pretty nice.
And he's got a whole list of skills under his belt.
And he has a great GitHub.
GitHub is a place where people go to share programming code they made.
And Connor has wrote a lot of code.
So Connor has published a lot of this code to GitHub for other people to see.
If you go there, you can see what code he's been writing since 2011.
In fact, he's posted new code 51,000 times over the last 12 years.
And what's interesting about GitHub is you can go back through those years
and see every line of code that he shared and what date he shared it.
Okay, September 14th, 2022, you get an email.
Yeah, I mean, it's crazy.
I'm sitting at lunch, you know, and your phone goes off,
and I get just one of those weird subject titles
that I think is just an easily deletable one.
I think it word for word was something like,
Connor, your identity is stolen.
It does have a spammy taste to it, doesn't it?
I think I've probably gotten spam like this before.
You know, click here to see if my identity is stolen. And I was just like, yeah, this is probably spam
because it came from kind of an address I didn't recognize. It looked like a bunch of kind of
foreign characters I didn't recognize. And I was like, oh yeah, this is, this is a delete.
But then before I deleted, I saw it in an attachment. I was like, okay, I'm on my phone.
This is a, I, probably an easy preview,
especially since it was kind of a suspect email.
But, you know, thankfully I could just preview it,
and I previewed it, and it was like my resume,
but it wasn't.
And I was like, this is really odd.
The email was from a guy named Andrew.
And Andrew is also a programmer,
but he's just starting out in college and has only posted a little bit to GitHub.
Andrew said someone found him and messaged him on GitHub and offered him a job.
But when Andrew asked more questions about the job,
he was told he had to act like Connor to get the job.
I kind of just quickly ate my lunch, you know, and kind of ran back to my computer
and just jumped on to view it, you know, in Gmail. And at that point, when I expanded it for real, I saw it was way more than like my resume.
It was like an introduction of me from like a, I was really rough reading it from very first
inspection. Cause it was like someone trying to pretend they were me because not only was the email just clearly wrong,
but the address was like an address that was for sale on Zillow kind of right around where I live.
Then it was my resume.
Then it was like information about a company.
And then it was information of like a fake cover letter I wrote.
And at this point, I'm thinking, holy cow, what is going on here?
Because now I think this is actually legitimate.
Because there's someone that's put a great deal of effort into taking a lot of my true, you know, like earned achievements, whatever, school, everything.
But then mixed it with a bunch of things that are lies.
Which I think, funny enough, boosted my resume in a way.
But, yeah, they weren't true.
It was just a mixture of lies and truth in a huge document.
Okay, wow.
They took Connor's real resume but changed just a few things like the email address, physical address, and a few other accomplishments.
But all this sounds really spooky.
I mean, to get an email from someone explaining all this? The person sending the email could be trying to help,
or they could be trying to scam Connor
into paying them to scrub this information off
of some website or something.
What was the real intention of this Andrew guy
who emailed him?
Yeah, so it was weird.
He was telling me that there was this guy, Maris,
and it's just a guy that was hiring him
to be an engineer.
And I was like, okay, what does that have to do with me?
And then he says, like, you know, in the next sentence in the email, he's like, it turns out I was supposed to pretend to be you.
And I didn't feel comfortable with it and sent me the doc.
So I read that.
I read the doc.
And I'm still thinking, this is weird.
Because as you just mentioned, like, I'm getting suspicious that the guy just wants me to sign into something, buy something.
So I just sent a quick response and I said, so to get this right, you were hired at a company and then paid to pretend to be me for an interview.
And he responds and goes, yeah, I'm about to go to class, but here's a few log snippets of just a Slack channel. It seems like this guy Andrew is responding to questions Connor has, but is equally as
confused as Connor is about this.
I mean, imagine someone messages you on GitHub, offers you some paid work, and when you say,
yeah, that sounds great, then they ask you to pretend to be someone else.
So Andrew was sending more information over to Connor, screenshots of Slack chat that
he had with this Marist person.
And at this point, I'm actually just getting attached to this because in the screenshot he sends me, he's talking about the interview that's supposed to be in like a few hours time
that I'm looking at of me that he is like, you know, no longer attending.
And this is crazy because I'm also talking to a coworker next to me at this
point. Like, should I join this interview? What is going on? Like, I feel like someone is pretending
to be me in an interview later today. And that is kind of crazy to think about. Oh, right. This is
an online video interview and it's all set up where the company is expecting Connor to join
and be interviewed. And it was in a few hours.
This just gets wilder and wilder.
Connor starts wondering if he should join the interview.
And just to see what's going on,
at the least he can inform this other company that they shouldn't hire him
because he's not actually applying for the job.
And that's going to be awkward to explain to them for sure.
All the while, Connor is trying to figure out why they took his resume to copy. What was it about Connor that made his resume special?
Yeah, and I think that's what really kind of really sketched me out or
made me feel a bit uneasy. Because at the end of the day, I thought, why not just make some
AI generator random document if you're trying to go out there and get jobs?
Connor still feels like he needs more details from Andrew.
Something just isn't adding up still.
I'm trying to actually email him a lot.
I'm saying like, hey, I need more info here.
I dug deeper into this and it's more creepy than I thought.
And I was like, hey, what more can you give me?
Can you give me all your email communications?
Can you tell me more?
And he was like, sorry, I'm going to class.
And I was like, oh.
So the person that's helping me through this is, like, no longer available.
How did Andrew get involved in this?
He mentioned that he kind of just got cold emailed, like, just a random email, presumably from his GitHub,
where someone reached out and said they were looking for a partner to join him and needed a bit of development experience.
And this was a guy that was kind of a fresh developer right out of school that was looking for a kind of place to work.
And it seemed like a great chance.
So I think he continued moving forward with his employment.
As they said, they needed a good English-speaking engineer.
And he fit all those boxes.
Andrew ends up joining this company.
They get invited to a Slack channel.
And the same day he joins a Slack channel, roughly a few hours later, he ends up getting just a bunch of messages.
Now, when Andrew joined this Slack chat, he was greeted by someone just named PND.
This PND person, his acronym, ends up posting to Andrew and says, hey, you're going to pretend to be this person.
And it's a link to that document that he ends up linking or kind of sharing to me. And that's when Andrew realizes, I don't really want
to be part of this because Connor looks like a kind of English speaking engineer. Why am I
pretending to be him? And Maris, I mean, Maris or the PND, we don't really know who this person is,
says, yeah, Connor's not our engineer.
Is that going to be a problem for you?
And he says, yeah, that violates his ethical kind of behavior.
And Andrew just ends up leaving and taking a bunch of information with him.
So I'm thinking to Andrew, this guy's amazing.
Just leaked a bunch of information to me from this whole thing.
And I guess lost a job in the process.
Probably not the best job, but for someone looking for work, I guess a job was a job.
Hmm. I wonder how big of a decision this was for Andrew.
A college kid looking for work, finding a job that pays,
but having to turn it down because it violates his ethics.
I bet there are quite a lot of college kids
that would be up for it, you know?
And I wonder if this is a tactic
that this Marist person or PND person
targets college kids
because they need the experience and work
and are more willing to take non-ethical jobs?
I don't know.
Anyway, for Connor to get an email like this,
it absolutely derailed his ability
to concentrate on anything at work that day.
I mean, he had to go to an interview that he did not set up.
And how do you even prepare for something like that?
Actually, it doesn't matter, since there just wasn't much time to prepare for it anyway.
Yep, exactly.
So I think I opened it around noon, and the interview was at 4 or 4.30.
So it was a pretty quick turnaround on all this. Andrew sent Connor all the information to join the interview was at 4, 4.30. So it was a pretty quick turnaround on all this.
Andrew sent Connor all the information to join the interview.
And it, of course, had the Zoom link and the time and the company and the meeting.
And I was like, oh, this is crazy. I'm going to use this for sure. So then I join it,
but I actually joined the interview about five minutes before it starts.
And I'm just kind of sitting in a Zoom channel, you know, it's the Zoom waiting room. I can't really talk to anyone yet. I'm stuck there. And my fear is I'm
sitting in this meeting and someone isn't enjoying before me, like another person. And then I'm stuck
in kind of a debate. But thankfully, the interviewer, he shows up early and adds me. And we both jump on video, kind of sitting in the same spot I am now.
And I say, hey, before we jump into interviews, you're not going to believe anything I'm going to tell you, so I'm going to go really quick.
And I just proceed to tell this guy, and I think I just spew it out as quick as I can, of saying, like, I didn't apply for this job, but I am indeed the person that you have all the documentation for.
And he starts getting really confused here, trying to not follow what's going on.
I think at first he thinks I'm pranking him.
And I'm trying to explain, no, this is legitimate.
I'm the real Connor, but I did not apply for this job.
And he starts like joking with me.
Well, your resume is really good.
We were hoping this was a real interview. And while we're talking, I'm trying to explain what happened from my perspective,
that I got an email. I'm asking him, can you share from your perspective who applied for the job?
And while we're talking about this, because he lets me know that it was on Upwork that my fake
self applied for the job. Then he tells me that there's another Connor Tumbleson
in the waiting room.
And at this point, I'm kind of freaking out a bit
because now another fake Connor has decided to join the call
and he's trapped in the meeting room.
And this interview guy, he goes,
hey, why don't you change your name,
turn off your camera and just sit in this call?
And I was like, holy cow, that is amazing. It was your idea. I love it. I want to sit here and figure out what's going on. So I changed my name, you know, I turn off my Zoom
camera and I'm sitting in the call when he admits another Connor Tumbleson. And this is where the
story goes even crazier. As I then sit in a call and listen to a guy with kind of this accent that I can't place.
I think I can safely say it's probably not American, but I don't know where.
And this guy then proceeds to say that he's Connor Tumbleson.
And not only that, he starts reading off all my accomplishes.
Even says his GitHub address, which is odd because I haven't changed my alias online alias in like 20 years.
So I bought peaches everywhere as me. So to hear someone say that, it was just extremely upsetting.
And I'm just sitting in this call, listening to this guy proceed to just list things. I can tell
he's reading the sheet word for word that I'm looking at. Man, I can't even imagine being in
this scenario, listening in on an
interview with someone else pretending to be you, trying to get this job. What? All the time fake
Connor is speaking, the real Connor is muted, listening. How does he respond to all this? How
would you respond to this situation? If I were him, I'd be freaking out, wondering if I'm being
pranked and wanting to know who this guy is that's pretending to be me.
And who put him up to this?
Yep, definitely that.
And I'm talking to some coworkers at the same time during this because we're just all sitting around because they're all at this point involved in the story.
And I couldn't stay on mute any longer.
It was just really, really rough.
I thought I could sit there and just listen to information.
But I turned my camera on and kind
of just started talking. And I said, hey, I'm the real Connor Tumbleson. So who are you? And I didn't
get, I think, more than five, 10 words out of my mouth. And he just dropped the call, which was
pretty sad because I really wanted to figure out, like, if we could have just a candid conversation
of why this was happening. But he left the call immediately.
What was going through your mind after that interview?
Just the fact that another Connor joined the call, a fake me, I was so confused because I
was under the impression initially that this guy I was talking to, Andrew, had ended up joining the
call and going forward with this. And I was like, why would he do that? He just leaked it all to me.
I couldn't really figure out in my head how there was actually someone joining the call. So this P&D person set up this
interview and asked Andrew to join it and pretend to be Connor. Andrew said no for ethical reasons,
but then someone else pretending to be Connor did join the call. Who was that person?
Yep, exactly. So at that point, I'm kind of talking to the interviewer again,
because the other Connors left the call. And I was like, hey, do you mind just sending me
everything you have? And I was like asking for who applied, how did he apply, etc. And this guy goes,
yeah, sure. Can I have your email address? And I was like, hey, just take the email they gave you
and take the two off the end of it. Because like, it was such an embarrassingly
copied email. It was just my email with a number two at the end. So sure enough, this company,
they then email me and it's just screenshots of Upwork. And this is where I got way more creeped
out, is it was a fake Upwork of me. And once again, it was a highly detailed resume's accomplishments.
They even had like a random Laravel certification I got from a few years ago.
And I didn't even put that up anywhere except in a tweet.
So I was like, this is a crazy amount of detail that someone went to to make a real truthful, but also exaggerated in a lot of regards, Upwork account of me.
Stay with us. There's more after the break.
This episode is sponsored by Shopify.
The new year is a great time to ask yourself, what if?
When I was thinking, what if I start a podcast?
My focus was on finding a catchy name, some cool stories, and working out the best way
to record.
But oh, so much more goes into making a podcast than that.
If you're thinking, what if I start my own business?
Don't be scared off, because with Shopify, you can make it a reality.
Shopify makes it simple to create your brand, open for business, and get your first sale.
Get your store online easily with thousands of customizable drag and drop templates.
And Shopify helps you manage
your growing business. Shipping, taxes, and payments are all visible from one dashboard,
allowing you to focus on the important stuff. So what happens if you don't act now and someone
beats you to the idea? The best time to start your new business is now with Shopify. Your first sale
is closer than you think. Established in 2025. That has a nice ring to it, doesn't it? Sign up for your $1 per month trial
period at shopify.com slash darknet. Go to shopify.com slash darknet and start selling
with Shopify today. Shopify.com slash darknet. Okay, so let's recap.
Someone made an Upwork profile using Connor's resume and information,
and they were using that fake profile to apply for real jobs,
then getting someone else to act like Connor for the job.
Then that person would sit in an interview and pretend to be Connor.
Yeah, so Upwork is a place that freelancers can go to look for jobs.
Anything from design to IT or legal professionals, freelancers will make an account saying what
skills they have and that they're available to work on these projects. And either someone
messages the freelancer about a job or a job gets posted on Upwork and freelancers can apply for it.
Someone made an Upwork account using Connor's details,
some real, some fake, and applied for jobs,
saying, look how great my profile is, I want to come work for you.
Yeah, and I think I honestly had never really used Upwork
or only slightly heard of it myself at the time.
So I was also Googling, what is this thing?
And yeah, just as you described, it seemed like it was just an ad hoc applying to a job as an individual using my fake information.
So at this point, now that I have screenshots of my fake Upwork account, including my real photo,
that was like a recent work photo. I was like, okay, this is getting really crazy now.
And I kind of thanked the interviewer for really letting me sit on the call. I said, thanks for this info.
And took all that info and then wrote another kind of large email to Andrew where I kind of honestly asked him, was that you on the call?
Because I really had no idea what was going on at this point because I couldn't really figure out how a third Connor joined the call.
And Andrew, after he gets back from class, actually responds and he gives me a ton of information.
He not only sends me every email that he, you know, went back and forth with this Marist person to like establish this fake employment.
But he also sends me screenshots of all these Slack channels where he only joined that day as, you know, part of joining this kind of paid work.
So now I basically have Upwork screenshots, Slack screenshots, and email screenshots.
And as Connor looked through the information Andrew sent over,
he realized that some of the people communicating to Andrew also seem to be impersonators.
Like Maris, for instance, was a real person with a nice GitHub and stuff,
but it was probably not the real Maris who was messaging Andrew.
It's like a never-ending circle of just bouncing between fake emails.
And that's where it just gets crazy.
I'm trying to follow this weirdness of I can't trust anything.
Everyone's fake.
The person Andrew is talking to is not even Maris
because Maris is just another impersonated individual.
So I'm just really losing track of who's real or not.
A lot of these trails seem to come back to the person in the Slack chat app
calling themselves PND.
PND is who told Andrew to impersonate Connor for the job.
And he's also telling everybody what to do in this chat room.
PND might also be Maris.
I don't know.
But it seems that PND has a website called PND Design, which offers coding and web design services.
And this gives Connor a new thread to pull on.
PND, I find their website because they just explained it in their Slack channel.
PND Design.
I just start, you know, doing basic things, trying to figure out other websites P&D Design built. I'm just trying
to figure out who owns P&D Design. I end up finding the person who owns it. I call them once
or twice. No one ever picks up. I email them. No one ever responds. I don't know what to do. I just
wanted to talk to someone who was associated with P&D design.
And they just never respond to any of my reaching out. I don't remember if I put in the blog post,
but I called a lot of the numbers that were in the document that Andrew got from P&D.
And those numbers were like these American embassies in foreign countries. I was like,
this is crazy. I was like, I didn't even mean to call these numbers. And here I am thinking it's some official number for a business.
And I'm calling embassies.
It was just, it was strange.
Giving a fake phone number.
I love it.
It reminds me of this scene from the classic movie, The Blues Brothers.
Those cops took your license away.
They got your name, your address.
No, they don't got my address.
I falsified my renewal.
Put down 1060 West Addison.
1060 West Addison?
It's Jiggly Field.
A good criminal will always throw people off
with what looks like real information
but is actually something bogus.
Yeah, and I think at the same time,
I'm like trying to behind all the websites
that P&D Design built,
and they have this weird obsession about disabling right click. Like, it seems like such an old technique to stop your
right click. And I'm just like finding all these sites. And I think they're in the hundreds of just
all these sites, disable right click, they have the same Google Analytics ID. And they have this
weird footer where it's like, hey, we created it, P&D design. But guess what?
Our CEOs by CEO crunches and our ITs by IT tech fixes.
And the design was via visible dev.
And all these companies are P&D, basically.
That's hilarious.
A web design company boasting about how they can create great looking websites, but they didn't even create their own website.
The footer says it was made by someone else. Connor wasn't sure what was happening, but thought that maybe companies
were hiring an individual to build their sites, who then would turn the project over to P&D Design
to do the actual work. But he doesn't know. It was just so frustrating to have all these puzzle
pieces and have no idea what the finished picture looks like. But Connor does the only thing he can, but just start emailing companies who P&D claim to have worked with. He would write emails
saying, hey, this is going to sound extremely strange, but I feel like I'm getting my identity
something impersonate. I don't know how to explain it, but can you answer a simple question? Did a
company P&D design build your website? I thought it was a pretty simple ask. Unfortunately, you
know, some people told me some very just rough things like to just mind my own business, ignored
me or refused to help me. Except for one guy that I think after I talked a few emails back and forth,
understood I was a real person and then finally told me, yes, we had never worked with this
company before. So at this point, I'm realizing that I don't think I can trust a single thing
that is going on in this Slack channel, in this email chain.
And the story just continues to grow in these weird angles.
Things are just so weird at this point.
Was the P&D person in the Slack channel actually affiliated with P&D design?
Or were they just impersonating that company too?
So many layers of fakeness going on here and impersonations that it's just really hard to know what's real and who to trust
here. So at this point, I felt like I had done a good deal of research. I'd kind of tracked down
who I thought was involved, what was going on, all thanks to Andrew kind of leaking this information
to me. And I think, holy cow, I have a lot of information to finish my blog post and kind of make a presentation. Connor has tried to reach out to so many people involved,
but then realized, hey, wait, why not reach out to Connor? Not the real Connor, but the fake Connor,
the one who is impersonating him. So he writes to it. Why are you impersonating me?
I'm emailing myself my fake email.
Sure enough, the email account of my fake self responds and just tells me,
I don't remember exactly, but I think they said I look cute or something,
which I think is the strangest thing because I'm fuming kind of at this point
of why someone's using my real name and everything and they're just joking around.
Of course, I add that screenshot to the blog post,
and I think that's what a lot of folks on Reddit and Twitter all like the most,
is just that random screenshot of me emailing myself.
The full response he got back from the fake Connor was,
sorry, but you have a great GitHub and you look cute.
Of course, Connor's first reaction is anger,
but perhaps there's a bit of
information in there that's helpful. Because then I finished that blog post and I think that's where
the story gets even stranger because that blog post just skyrockets to the top of Hacker News
within, I think, an hour of me posting it and my poor little Linode server falls over because it's
never had more than like a thousand hits and it's getting 20,000 at it. What I didn't really recognize with getting to the top of Hacker
News is how many people just offer to join your kind of investigation and search. And then I have
people everywhere just DMing me, messaging me of other similar emails and similar kind of slacks
and messages, but different names. And I was like,
this is a huge story because people are giving me personal examples where they were like an
interviewer. Someone was like, I jumped on a call with someone because they wanted to talk through
it. And this one guy at a random company was like, we were talking to an interviewee who didn't know
anything of why he was on the call or like who he was talking to.
He was asking us questions of why he was there. And I was thinking that's crazy because that
kind of rings a bell. If you don't know anything of why you're joining a call except given a
document a couple minutes before you're supposed to be there, I could see that happening. And then
people are telling me, oh, I live kind of by where P&D Design is, their headquarters.
And they're like, we'll go visit the office for you.
And I was like, well, thanks.
And it starts piecing together some things.
So Connor starts learning all kinds of new things about this mystery from the help of people on the Internet.
It turns out there's a story that Brian Krebs wrote a while ago which talks about faked LinkedIn profiles.
I then get a link to, you know, Brian,
Brian Krabs of just all of his investigative research. And someone links me to one of his
articles where he was like investigating all these fake LinkedIn profiles of like the upwards of 100,
200,000 of them. And I'm thinking this is insane. There's people, all these fake profiles on
LinkedIn. I know they're on Upwork. I was like, the story is huge.
I just unfortunately was one person
that's a bit more connected than I think of others
that may have no idea their information was harvested
to make like a real looking profile
to then use to kind of get a job from.
So this article is interesting.
LinkedIn is where people go to look for jobs
and network and do hiring.
But there's a huge amount of fake profiles being created every day.
These profiles are real tricky, though, because they're like half AI generated and half real.
And they take some real information from certain LinkedIn accounts, but then change a few things on it.
And these fake accounts start creating connections and joining groups.
And then the fake accounts start applying for jobs.
Real jobs.
And it's a real pain in the neck for LinkedIn to try to figure out who's real and who's fake on here.
And the comments on this article are just filled with people saying how they've had a bunch of fake people apply for jobs at where they work.
And recruiters have to do this extra step at verifying people's actual identity.
Which makes me think, how exactly can
someone actually get a job using someone else's name? In the U.S., you have to fill out tax
documents and stuff that if you work there, you can't forge this stuff. And where are the paychecks
going to be sent to? Yeah, I mean, it has to get crazy because at that point, you're thinking,
let's say that goes successfully and you end up hiring a fake me. We can tell from the Slack conversations that had Andrew successfully done this interview,
he doesn't need any technical experience at this point because they say all technical
requirements should just be gathered and given back to the Slack channel,
where presumably a lot of engineers are waiting to do whatever task is requested.
So then I'm thinking at this point, you are basically becoming maybe a project owner,
manager, or someone to just manage kind of engineers behind you, but you're just the
front-facing English-speaking person.
And I think that's a kind of motto in business design that happens and works everywhere.
So I'm thinking, why is this happening in a more
kind of more malicious intent way of hiding that? And I'm thinking maybe this is some upwork thing
where it's easier to hire an individual that's maybe masquerading as a company behind it.
And I'm getting confused because I'm thinking, how are you getting paid? What is kind of, you know,
the legal, what social numbers, like social security numbers are getting used? Like this is just employment at the end of the day. I don't think you can hide it or pay by Bitcoin forever. There has to be something or some real names come out. this, I'm thinking, this must be working because so many people are telling me that they're finding
like cold emails to them to be part of it, or it's happened to them, or they've interviewed
people they suggest, like guessed it happened to. There was a time where I was trying to find
someone on one of these freelance websites to make a video game for me. And they claim to be
American with great coding skills. But then when I asked for a phone call, the story quickly changed
to be a person from India.
And it was also not a single person,
but a whole team of people ready to work on my project.
So what Connor said may be what's going on here.
Get Andrew to be the token American English speaker,
and then they can advertise themselves as American-based
to ask for a higher rate.
Sometimes people are hesitant to join with another company or work with them versus,
you know, doing a quick contract job with a single individual.
But what if you're like working with a single individual who's kind of hiding behind a company
just without your knowledge?
And I think that is maybe what's kind of an attraction on Upwork is you get these individuals
kind of even fake me profiles,
that come in at really low offers of working
and say, I'm a single individual.
I can do all these tasks with a really great resume,
but little do you know if you hire that individual
that you might have an entire dev team behind you
that you just never meet, know, or interact with.
And I think that's my current running theory.
Okay, but back to the email, the, or interact with. And I think that's my current running theory. Okay, but back to the email the fake Connor sent the real Connor.
It said, you have a great GitHub and you look cute.
Okay, let's put aside that look cute part.
The great GitHub is the curious point for me.
Like I said, Connor has contributed code 51,000 times to GitHub
in the last 12 years.
That, I think, is what is great about it.
That alone.
What I mean is you can't go back in time on GitHub and post code.
That is, you can't create an account that looks like the person has been there for 12 years
and has all this coding experience, unless you're spending 12
years posting code on GitHub. So the fact that Connor has been posting code there for 12 years
does in fact make him look like a well-established veteran coder who knows his stuff. And that goes
a long way with job recruiters. I think probably on GitHub, it's probably definitely harder to make
fake ones because you can just look back, I think, on my profile
and see a couple of 10, 15 years of just commit history.
I think you're definitely copying and pasting those.
Even if you took all the repos, you're going to have a pretty empty historic graph.
And maybe that's exactly why.
People just, it's easier just to claim one is yours and talk about it.
Yes, I think so too. That's something you can't
fake easily. A long-standing reputation of pushing code to GitHub is attractive to employers. So that
is exactly why I think Connor got his identity stolen. Someone, I don't know, PND, Maris,
saw Connor's GitHub and liked it, and that's why they took his identity. After Connor posted this blog post,
he gave a talk at a conference in Tampa. And someone who read his blog post came up to him
after the talk and told him another crazy story. He said, to be honest, I've had two jobs and I'm
working two remotely and the other companies don't know. And he had invested in all these like
switchers to jiggle a mouse and use two computers. And this guy's like
saying, I don't think I'm doing anything kind of wrong. I'm just working two jobs at once and
none of the companies know. And I think, holy cow, this guy's just dumping knowledge out to me. And
I was thinking, is this, this whole employment remote is crazy. I stumbled upon this same stuff
too. I recently found a subreddit called r slash overemployed.
And it's all about people who are gaming the whole work from home thing,
having two full-time jobs at the same time.
That is, they go to work from nine to five,
but are working at two different places at the same time.
And neither company knows they're actually spending half the time at some other company.
And yeah, there's articles on this r slash over-employed subreddit that tell you things
like how to look productive when you're not at your keyboard and stuff, like having mouse jigglers
move your mouse around for you, or how to automate some of the tasks to look productive. They also
have listings of which companies are over-employed friendly. One of the top posts there is someone
saying they now work five jobs, bringing in a total of $1.2 million a
year. And here's how I did it. Ask me anything. And while that's crazy, this gives me all kinds
of business ideas. Like, let's say I get a job working remotely somewhere, but then outsource
my job to someone else who wants to do it for half the pay. And yeah, if I could do that,
then why not get another job and outsource that to someone else? And so now I've got all these jobs that I'm doing work for,
but I'm actually not doing the work for them.
Someone else is doing it for me.
I mean, that is clearly unethical.
But I guarantee with the wave of working from home jobs out there that it's happening.
Oh, and let's not forget what happened to John Woo.
I talked with him on episode 119,
and he thinks that someone from North Korea tried applying for a job where he works, who could have very well been trying to get a job there just to steal the cryptocurrency from their company.
Yeah, that's a crazy one, too.
I think one person tweeted me that one of maybe it's just a kind of state-sponsored unlimited budget.
Just see how many kind of companies you can join and then extract information.
So did you ever get to like speak with PND or Maris or whoever and say, dude, what is going on here?
No, unfortunately neither.
I had sent many emails to Maris, the real Maris email, and never got a response.
And I just gave up calling, leaving voicemails with PND.
I sent LinkedIn messages.
I sent more. I kind of even worded things as I just want to calling, leaving voicemails with PND. I sent LinkedIn messages. I sent more.
I kind of even worded things as, I just want to have a good conversation.
But just no response.
Is that where we are today?
Yeah, today I think kind of where I am now is I continue to just research things people give me
and just go through this entirely large list of, I'd say, roughly 100
websites. And I'm just continuing to reach out and find contact information for all of them
to just see if anyone is willing to talk to me on like who built their website, how's the
interaction and all the communication between them and the company to kind of figure out if I can
find any more information besides what I continue to find is just fake emails,
generic documents, and any lack of just true, real information. Because I think
someone paid someone at some point and knows some real, real info.
What a weird time it's becoming, isn't it? I mean, this is just the modern world that we're in now,
where working from home is more popular than ever, and it seems to be ushering a whole new
set of scams. Or are they even scams? I guess if you're misrepresenting yourself, then it is a scam.
Even if you're not trying to trick someone to give you money for nothing, just lying to score
a contract seems scammy to me. I think if you're hiring today, you should be very cautious of the people
who are applying for your position
because they might not be real.
And if they are claiming to be someone,
maybe double check with the person
that they're claiming to be
by reaching out to them separately.
Just be safe out there as our world keeps evolving
and becomes more tricky to navigate.
A big thank you to the real Connor Tumbleson for coming on the show and telling us this crazy story.
You can see what he's blogging about over at connortumbleson.com.
And don't forget, on the website, darknetdiaries.com,
is a link to all the articles mentioned in these episodes, as well as full transcripts of every episode.
This show is made by me, the Cyber Samurai, Jack Recider.
This episode was written and produced and edited by the cheerful Tristan Ledger.
Sound design was done by Garrett Tiedemann.
Mixing by Proximity Sound.
And our theme music is by the mysterious Brickmaster Cylinder.
I was once asked in an interview if I'm any good at Microsoft Office,
and I told them, I excel at it.
And the interviewer asked me, was that an Office pun?
And I said, word.
This is Darknet Diaries. We'll see you next time.