
Is not even the Reg safe from the pronoun police :o
> Stu Sjouwerman. He explained that his HR team conducted four video interviews with the candidate, confirmed their appearance matched a photo ..
Cybersecurity awareness and training provider KnowBe4 hired a North Korean fake IT worker for a software engineering role on its AI team, and only realized its mistake once the guy started using his company-provided computer for evil. KnowBe4 'fessed up to the hire in a Tuesday disclosure from CEO Stu Sjouwerman. He explained …
"They" is perfectly appropriate, because the company don't know if the candidate was male, female, or even if they exist.
But maybe elReg needs to start putting content warnings on articles that contain any pronouns, just to avoid scaring readers like OP?
Contrast cell/mobile vs VoIP. If the number is linked to a carrier in the country, it's likely that the phone is normally in the country. (International roaming can get expensive.) But VoIP could be anywhere on the planet.
If you're referring to VoIP phones replacing POTS, I haven't seen much of that; most folks simply drop the landline entirely and use cells/mobiles instead.
Had my landline migrated to VoIP only three or so weeks ago, pretty much all the neighbours have too, my partner had hers done a few months ago and several friends last year.
It's pretty common.
It's also pretty easy to fake mobile numbers, and most of the spam/scam "tech support" calls that come through on 07xxx numbers are not located in the UK.
My small town US phone provider went to all fiber optic a few years back. If there is a power outage a battery downstairs keeps the phone connection going for awhile.
So not sure if it's real VoIP or some special protocol over the fiber optic.
That reminds me. I need to make a note to myself to check the battery when I get home. It's a gel cell and one has died already. Might be time to replace the second one.
Mine went VOIP over a decade ago; the GPON terminal converts fiber to analog RJ-11. Afaik the terminal itself has some software that links up to a network on VLAN 400.
Technically, we were moved to VOIP. However the number is still Malaysian style including having the same area code.
Had a VOIP number in UK & took it with me to Canada.
One mid morning sales call asking if I wanted a contract cellphone & plan in the UK, despite me saying repeatedly my current PAYG Canadian number was costing me $50 a month.
Penny only dropped when their system couldn't recognise the postcode (Similar format to UK) & I went through the address line by line until I got to the province & country.
"I don't understand... this is a UK number!"
It's a VOIP line, a virtual number
"I don't understand..."
You're trying to sell me a digital service, & can't grasp that calls can be made to virtual phone numbers over the internet!
"You've wasted my time! "
You rang me, this number is only known to family & the companies in the UK that need it (I'm not sure if it was on the TPS exclusion list), have a great day!
"...If it can happen to a security awareness company, it can happen to anyone."
I take issue with that.
I would never hire anybody I hadn't met in person.
For a security company to do it is just plain crazy.
Don't tell me you can't get the staff when what you mean is you don't want to pay them the going rate.
KnowBe4 reckons the laptop was sent to an "IT mule laptop farm" – facilities in North Korea or China where fake workers ply their trade, using VPNs to hide their location.
You cannot hide a physical delivery address behind a VPN. Perhaps the North Korea as the final line of the address should have raised concerns?
There are two really easy ways to get around that.
1. The laptop was delivered to an address in the US. The person at that address has been told to get the package and send it to Hong Kong. The person in Hong Kong has been told to send it to Shenyang. Someone in Shenyang gets it and brings it to wherever they want it.
2. The laptop was sent to an address in the US. There, it was set up with a local internet connection and the IP sent to China or North Korea, where someone set up a remote connection to it.
> The scam is that they are actually doing the work, getting paid well
If the "scammer" is actually doing the work, can we get some more of them, please?
Maybe in one or two companies whose QA teams we have recently suspected are understaffed (and/or the staff are underperforming).
Ok, not this particular guy, with his penchant for malware.
Just a strange use of the word "scam". Fraudulent ID, yes.[1]
[1] Which raises another question: if they were going to have a video call, why use (pseudo)AI to modify a stock photo? Couldn't find a camera and a blank wall to stand against? Or some people have just fallen for the "AI" hype, even in N. Korea.
Maybe the identity they used didn't look much like them, but they didn't have an unlimited supply of fake identities that all look like Koreans of the right age (I think this is mostly young males as North Korea hasn't prioritized computer skills until the last fifteen years and at least one of the technology-focused schools is male only). If they're using stolen US identity documents, they may have to take steps to appear to be the person pictured in them.
> If they're using stolen US identity documents, they may have to take steps to appear to be the person pictured in them.
Well, yes, like
>> a camera and a blank wall to stand against
Plus a copy of MS Paint - as capable as using an "AI" to modify the picture of the stolen credentials. More, as Paint doesn't have a habit of adding or removing fingers.
They could modify the picture on the identification documents instead, but if they did that, the picture would no longer match any other pictures of the victim that might be found online. I wouldn't search out pictures of people to check them against the documents, but if someone did, that might make it difficult to get away with an ID that's just had someone else's picture swapped in. Meanwhile, if they have good enough software that they can appear in a video as the person whose real face is on the ID, then that might be less likely to be caught by the employer before someone is hired. This is especially true for differences in age, because if I change out the picture on an identification document for someone aged 23 and they claim to have ten years professional experience and a birth date in line with that, it might be more obvious that they're not who they say they are.
The cost of flying someone out to interview is trivial compared to what you will be paying them over the course of the first year. To not eventually interview in person before making a candidate an offer is not just cheap, it's downright stupid. Especially for a "Security Company". I'd never hire these clowns or knowingly use their products.
He is either rolling in his grave, or laughing his ass off. Oh the irony of this company getting social engineered!
I met him once. I was tasked as his valet to cart around his computer equipment at a conference. He never let the stuff out of his sight. Interesting individual to say the least.
Cheers to the old-school social engineering that he pioneered. Many careers can be attributed to the industry he created through his early life antics.