
🎯Basically, companies need to be careful about hiring remote IT workers to avoid fraud.
What Happened
The shift to remote and hybrid work has changed how organizations hire. This new model has made it easier for threat actors, such as Jasper Sleet, to exploit vulnerabilities in the hiring process. By using stolen identities and AI, they can pose as legitimate candidates to gain access to sensitive information.
Who's Affected
Organizations using online identity verification and HR SaaS platforms like Workday are particularly vulnerable. These platforms expose job postings to external sites, making them prime targets for attackers looking to infiltrate companies as fake employees.
Threat Actor's Tactics
Jasper Sleet, a North Korea-aligned threat actor, has been observed accessing recruitment systems to identify job openings. They analyze job postings to create convincing fake personas, which increases their chances of being hired. Once hired, they can access internal systems and sensitive data, posing a significant risk to organizations.
Activities in Pre-Recruitment Phase
During the pre-recruitment phase, threat actors utilize external career sites to discover job openings. They access Workday's APIs to submit applications, often using multiple external accounts to appear legitimate. This behavior can be detected by monitoring API call events and recognizing patterns that deviate from typical applicant behavior.
Activities in Recruiting Phase
In the recruiting phase, suspicious communications may occur via email or conferencing platforms like Microsoft Teams. Organizations can track these interactions to identify potential threats early in the hiring process. Using tools like Microsoft Defender, they can flag unusual activity and investigate further.
Activities in Post-Recruitment Phase
Once hired, threat actors can access organizational resources through legitimate accounts. They may set up payroll and access sensitive applications, leading to data theft or further compromises. Monitoring for alerts related to new hires, especially those showing signs of impossible travel, is crucial for early detection of fraudulent activity.
Mitigation and Protection Guidance
Organizations should leverage telemetry from multiple data sources to monitor for behavioral anomalies in candidates. Using Microsoft Defender for Cloud Apps, they can gain visibility into external user activity and investigate any suspicious behavior. Educating employees on recognizing social engineering tactics can also help in identifying fraudulent candidates.
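The two detections described above, several applicant accounts driven from one source during pre-recruitment and impossible travel on a new hire's account after recruitment, as an added example that is not part of the original post or of any Microsoft or Workday tooling. The event layout, field names, coordinates and thresholds are constructed assumptions, not a real Workday or Defender schema.

```python
"""Added example: flag shared-source applicant accounts and impossible travel
over constructed hiring telemetry (field names and thresholds are assumptions)."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed applicant-submission events: (external account, source IP, posting id)
APPLICATIONS = [
    ("cand_a@mail.example", "203.0.113.10", "REQ-101"),
    ("cand_b@mail.example", "203.0.113.10", "REQ-102"),
    ("cand_c@mail.example", "203.0.113.10", "REQ-103"),
    ("cand_d@mail.example", "203.0.113.10", "REQ-101"),
    ("jane@mail.example", "198.51.100.7", "REQ-101"),
]

# Constructed new-hire sign-in events: (account, UTC timestamp, latitude, longitude)
SIGNINS = [
    ("newhire1", "2024-05-01T08:00:00", 47.61, -122.33),  # Seattle
    ("newhire1", "2024-05-01T10:00:00", 39.03, 125.75),   # Pyongyang, 2 h later
    ("newhire2", "2024-05-01T08:00:00", 47.61, -122.33),  # Seattle
    ("newhire2", "2024-05-01T18:00:00", 40.71, -74.01),   # New York, 10 h later
]

def shared_source_accounts(events, min_accounts=3):
    """Source IPs from which at least `min_accounts` distinct applicant accounts applied."""
    by_ip = defaultdict(set)
    for account, ip, _posting in events:
        by_ip[ip].add(account)
    return {ip: sorted(a) for ip, a in by_ip.items() if len(a) >= min_accounts}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900):
    """Accounts whose consecutive sign-ins imply a speed above max_kmh (faster than an airliner)."""
    by_account = defaultdict(list)
    for account, ts, lat, lon in events:
        by_account[account].append((datetime.fromisoformat(ts), lat, lon))
    flagged = {}
    for account, sign_ins in by_account.items():
        sign_ins.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(sign_ins, sign_ins[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            speed = haversine_km(la1, lo1, la2, lo2) / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                flagged[account] = round(speed)  # implied speed in km/h
    return flagged
```

In practice both feeds would come from the identity provider and the HR platform's audit log rather than inline lists, and the thresholds should be tuned against a baseline of legitimate applicant behaviour.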
Conclusion
As remote work continues to evolve, organizations must adapt their hiring processes to mitigate the risks associated with identity fraud. By employing robust detection strategies and monitoring tools, they can protect themselves from infiltration by fraudulent IT workers and safeguard their sensitive information.
🔒 Pro insight: Monitoring API interactions and unusual hiring patterns can significantly reduce the risk of identity fraud in remote recruitment.