The FBI's Internet Crime Complaint Center warned enterprises of a growing trend of adversarial job applicants using stolen personal identifiable information, and potentially even deepfakes, to obtain work-from-home positions in IT, programming, data and software.
"Notably, some reported positions include access to customer PII, financial data, corporate IT databases and/or proprietary information," said the FBI alert.
The malicious job applications contain two alarming elements: Applicants are stealing identities to obtain video job interviews and in those interviews, it appears the video is being manipulated to conceal the applicant's identity. Video doesn't appear to match the sound — including when an applicant coughs or sneezes — and dialog appears to be run through some kind of voice changer, which the FBI says may be a deepfake.
In May, the FBI and Department of State warned that North Korean operatives were generating revenue for the Kim regime by obtaining remote posts in Western countries. The FBI did not link the two warnings.
Joseph Blankenship, vice president and research director for security and risk at Forrester, told SC Media that while the deepfake element is most likely to generate headlines, job applicants engineering roles as insider threats using stolen personally identifiable information may be more insidious.
"If someone has managed to successfully imitate somebody with their PII and can answer questions about them, to me that says maybe the background check alone isn't going to be enough to positively identify somebody," he said.
Use of stolen identities is made much easier in the work-from-home era, where the entire lifespan of a job, from hiring to retirement, can be done without an in-person presence. Blankenship notes that he has hired five people during the pandemic whom he largely knows digitally.
"I have kind of joked with one of them that as I knew they were an avatar, not actually a real person," he said.
This is not an entirely new threat. It does, however, take a new spin on an old threat. China, for example, has planted agents at firms to steal intellectual property in the past. But, in those cases, jobs were office-based, and workers were not using stolen identities.
"This may necessitate that a CISO has to maybe get out of their comfort zone and go and work with the HR and recruiting teams, to help them understand the threat," he said. "We have to find ways to prove that the person is who they say they are."