Google on Wednesday evening announced that North Korean hackers have continued to target information security professionals with fake job offers, perpetuating a campaign that previously involved the use of a zero-day browser exploit. This recruitment scam creates an unusual problem for security pros trying to inoculate their office from such threats: How do you start a conversation with employees about them seeking work elsewhere?
"If a target were successfully phished as a result of this campaign, they likely wouldn’t report it to their employer if they realized what happened, since the genesis of the attack was looking for another job," said Hank Schless, senior manager for security solutions at Lookout.
North Korean hackers have been using job offer-type lures for a while in their social engineering campaigns targeting various industries. The campaign just detailed by Google involved a fake security firm with a credible-looking website ("Securielete") and phishing messages across multiple platforms, including LinkedIn. Schless said that even security pros, among the best suited to filter out scams, can fall for attacks such as this.
Network defenders that are looking to turn this latest campaign into a teachable moment, however, should be careful with how they approach the issue. There have been recent controversies over the use of "insensitive" phishing simulation exercises, like sending fake phishing emails offering bonuses, only to pull the rug out from anyone who clicked on the offer. Job offers could create a similar dynamic -- employees may not be appreciative of a boss that tests whether workers would be willing to open an email offering them a new employment opportunity.
A more direct approach is to have difficult conversations about phishing while acknowledging employees' discomfort with the topic, while encouraging open communication.
"We do better to approach difficult conversations transparently and in the head on way then to be opaque, or oblique about it," said Kevin O’Brien, CEO of email security firm GreatHorn. "You can say: 'We don't want you to leave. But you're human, you're probably not going to spend the rest of your life working for this business so at some point that process may involve speaking to a recruiter. And if you do, we want you to be aware of this risk that exists, because they are going to prey upon something - a desire for more money, frustration with your job, an opportunity that seems incredible."