How about once you want to hire a person, you interview them in person to hand over the laptop and security things. No need for them to come to head office, just use a trusted agent near them.
The one interview question that will protect you from North Korean fake workers
Concerned a new recruit might be a North Korean stooge out to steal intellectual property and then hit an org with malware? There is an answer, for the moment at least. According to Adam Meyers, CrowdStrike's senior veep in the counter adversary division, North Korean infiltrators are bagging roles worldwide throughout the …
COMMENTS
-
Tuesday 29th April 2025 09:41 GMT The Man Who Fell To Earth
Or...
Insist they come for an in-person interview at some point before extending the offer, even if they will be based half a planet away. Their total salary, including benefits, is going to cost you six figures per year. And you're unwilling to invest a couple of grand at that final interview stage as part of your due diligence? If you get screwed it's entirely your own fault & you should be canned.
-
Tuesday 29th April 2025 10:13 GMT Doctor Syntax
Re: Or...
"And you're unwilling to invest a couple of grand at that final interview stage as part of your due diligence?"
Who's the "you" in this. Obviously it should be the business but more likely the "you" wanting to perform due diligence as the recruiting manager doing the interviews is not necessarily the "you" who's the beancounter unwilling to invest in travel or the "you" who's the bum-on-seat counter requiring return to office.
-
Tuesday 29th April 2025 12:27 GMT Snake
Re: Or...
"the beancounter unwilling to invest in travel"
My highly educated guess is that it's that very same beancounter that caused the company to look to Poland and other 'outer' countries in the first place; read: lower pay. I very much doubt those very same beancounters would ever agree to spending one thin pence to guarantee the quality of their recruitment - it's not their problem, only that line on the balance sheet matters to these morons.
And why the world is going down the toilet, everything is reduced to money.
-
Tuesday 29th April 2025 13:18 GMT RedGreen925
Re: Or...
"I very much doubt those very same beancounters would ever agree to spending one thin pence to guarantee the quality of their recruitment - it's not their problem, only that line on the balance sheet matters to these morons."
Well then make it matter: a reasonably long ten or twenty year prison sentence for every one of them morons who do not do their due diligence should improve the failure rate. That includes the CEO who allowed the morons to continue such shady practices as well. That will get their attention and lead to some changes.
-
Tuesday 29th April 2025 15:01 GMT Doctor Syntax
Re: Or...
A) The Polish name might well be from a US citizen.
B) I'm not familiar with the IT industry in Poland but doubt that it would be "outer" in any other respect than it not being in the US.
C) If a job advert is placed globally then a response is as likely to come from Poland as elsewhere without specifically seeking out "outer" countries. OTOH it does, at the cost of the risk of finding a Nork, extend the talent pool.
I suppose a return to office policy does protect against this specific problem as well as protecting against finding the widest choice of talent.
-
Tuesday 29th April 2025 18:59 GMT Snake
Re: Poland
The IT industry in Poland is very strong; even the website of the company I work for was done in Poland, a "designer" here in America sold the idea to my boss (without my involvement until after I had to clean up the mess) who outsources all [her] programming to Poland contractors. I found out her 'dirty secret' after the site got hacked and I had to track down the full history - who was hosting it, where, how it was configured and how it was designed.
It's actually quite common, it seems, Poland is an up-and-coming outsourcing business country. Whilst they get paid good money by Polish standards, their pay is but a fraction of what U.S. programmers get paid and significantly less than the rest of the EU as well.
-
Wednesday 30th April 2025 07:32 GMT Anonymous Coward
Re: Poland
Yea - dealing with the exact same issue with our corporate website that's been outsourced by an "American" company to a seemingly WordPress chopshop outsourcer after digging post-incident.
Their website work isn't bad - but their cybersecurity stance and sanitation is seemingly non-existent.
-
Thursday 1st May 2025 21:36 GMT MachDiamond
Re: Poland
"Poland is an up-and-coming outsourcing business country. Whilst they get paid good money by Polish standards, their pay is but a fraction of what U.S. programmers get paid and significantly less than the rest of the EU as well."
Given you had a mess to clean up, how worthwhile were the savings? With a 9 hour time difference between Warsaw and the US west coast, communicating in real time can be an issue. I've worked on international jobs where the upper-morons don't comprehend time zones and get mad when an answer they wanted from me was something I'd have to ask about from somebody on the other side of the stinking planet that was asleep or off work due to a completely different set of bank holidays. Some months were a real patchwork of holidays.
Risk has costs and so does agility. As decisions are always put off until the last minute, is it wise to install an additional day of delay to making changes or applying fixes to the web site?
-
Tuesday 6th May 2025 19:05 GMT Snake
Re: mess to clean up
Exactly right. The security and sanitation was a mess, they left the installation's administration locations as default and therefore easy to hack, plus the coding bugs. I had to get a handle on all that was wrong, figure out solutions and then implement them, all taking quite a bit of time.
-
Thursday 1st May 2025 21:29 GMT MachDiamond
Re: Or...
"I suppose a return to office policy does protect against this specific problem as well as protecting against finding the widest choice of talent."
If the position is being advertised worldwide, the goal is likely to find the cheapest person that can do the work. Bringing them in from out of country would be expensive and time consuming. They would then have to be paid a wage that was worthwhile to sit in a cubicle at world headquarters located in the center of a very expensive place to live.
-
Thursday 1st May 2025 21:40 GMT MachDiamond
Re: Or...
"In the USA all they do is certify the paperwork looks correct."
Not even that. They attest that they believe that the person signing a document has presented identification the notary is confident is of that person and correct along with certifying the date of the signature. Working as a doorman at a popular bar was good training for a job like that. We got a bounty for every fake ID we could catch so it was worth the effort to get good at it. The bounties were paid tax-free in cash at the end of each night. After college finals, we could bag an extra $100 each (this was some time ago).
-
Tuesday 29th April 2025 10:21 GMT Anonymous Coward
How fat is Kim Jong Un?
Oh? Is he fat? I am sure he is just big boned.
In the more parochial parts† of the US the candidate could easily and plausibly plead ignorance. "What congressional district does he represent?"
How any organisation would trust anyone with its corporate jewels without physically interviewing the candidate and completing the referee and basic background checks is entirely beyond my comprehension.
Probably involves peanuts and the inevitable monkeys albeit North Korean monkeys - the fact that you are receiving champagne output from a beer outlay in this industry of all places must rate as miraculous as wine from water.
† which parts aren't? Answers on a rolling paper.
-
Tuesday 29th April 2025 10:53 GMT Anonymous Coward
Re: How fat is Kim Jong Un?
"How any organisation would trust anyone with its corporate jewels without physically interviewing the candidate"
If you can recruit from the whole of the USA and don't have to supply a desk at your office, that gives you more developer for your buck
Flying someone cross continent is expensive and you want to economize on employee costs. It is also a drain on candidates.
In short, for low level jobs, that can be done remotely, it doesn't pay to fly candidates around. Any "ideal" candidates within commuting distance will already have been hired.
It benefits both parties. People in "remote" areas have a choice of jobs without having to move around the country and companies have a wider choice of candidates.
It is up to the company to ensure that the selection process is done well.
-
Wednesday 30th April 2025 08:40 GMT DancesWithPoultry
Re: How fat is Kim Jong Un?
> Flying someone cross continent is expensive
Not as expensive as employing a Nork will turn out to be....... Besides, flying somebody out costs a few grand at most; peanuts from a six-figure salary and employment costs.
In short. Get real. Think of it as a *basic* security measure.
-
Thursday 1st May 2025 21:50 GMT MachDiamond
Re: How fat is Kim Jong Un?
"Pretend to be a legit company, fly somebody out for a phony job, then kidnap them?"
It can be, but it would be more difficult to pull off when the job is a more complex professional posting. If I was going back and forth with a company looking to hire me to do avionics, if their questions were way off the mark as they quizzed me to find out if I was up to scratch, I'd really wonder about whether I would want anything to do with them. I'd also want to talk with somebody other than HR before taking the time to do an on-site interview. (in my example, there would be ITAR issues so traveling to another country is a problem)
-
Thursday 1st May 2025 21:46 GMT MachDiamond
Re: How fat is Kim Jong Un?
"Think of it as a *basic* security measure."
The way around that is for the other side to have professional applicants that will travel to do the in-person interviews and take any tests. From then on, somebody else will be working the job unless there's a requirement for some face time again. The patsies will be kept as "clean" as possible. The tactic of registering if somebody is looking at other screens or to people giving them prompts can be circumvented too. I'll leave that as an exercise for the student (hint: not AI).
-
Wednesday 30th April 2025 12:57 GMT Cliffwilliams44
Re: How fat is Kim Jong Un?
All you need to do is require that the employment contract be physically signed and notarized. Email them the contract with a pre-paid return shipping label and tell them to go to their local notary public. It's not fool proof but will weed out all but the most effective criminals!
-
Wednesday 30th April 2025 14:30 GMT Dale 3
Re: How fat is Kim Jong Un?
No Icon so I can't tell if you're being serious or funny.
A week ago I went to the equivalent of a "public notary" in my country to get a copy of a document certified (they stamp and sign to say it is a faithful copy of the original). I didn't even show the original, he just stamped whatever I put in front of him.
I'm afraid your idea is more than "not fool proof", it is completely ineffectual.
-
Thursday 1st May 2025 21:54 GMT MachDiamond
Re: How fat is Kim Jong Un?
"It's not fool proof but will weed out all but the most effective criminals!"
It's not that hard to be a notary. Study for the test and pass a background check. If I did that and mainly did legitimate work, I could also offer special services on the side and consult about the quality of the documents I would be required to examine. PRNK is well known for high quality forgeries so I expect they could furnish documents that are good enough for a notary even if they would have problems being presented to the FBI or other agency with more resources.
-
Thursday 8th May 2025 08:33 GMT veti
Re: How fat is Kim Jong Un?
It's not that hard, but it's reasonable money for a job with no heavy lifting. Why would you go to all the trouble of getting into that business (there are a few hoops to jump through), then jeopardise everything by playing silly buggers on the side? Bearing in mind that business will inevitably bring you into contact with criminals and people who think like criminals, who are inherently not the most friendly or trustworthy people to deal with.
Damn silly thing to do.
-
Wednesday 30th April 2025 16:48 GMT Alan Brown
Re: How fat is Kim Jong Un?
He's doing better than the previous 14 years showers of shite
It's a low bar to clear though. That said, I prefer my politicians dull and effective rather than flashy and expensive
When it comes to politicians it's almost always a matter of holding your nose and picking the least worst one, but avoiding the obvious "travelling medicine and faith healer show" is generally wise, along with the snake oil they peddle. Oratory skills are in no way indicative of being a good manager or planner
-
Wednesday 30th April 2025 09:32 GMT bombastic bob
Re: How fat is Kim Jong Un?
[see if the interviewee laughs at these]
Kim Jong Un is *SO* fat...
* he needs both hands and an electric urethra detector in order to pee
* You can tie his moobs into a windsor knot
* his inflatable sneakers need an additional 42psi
* He gets pulled over at weigh stations along the highway
* The gravitational pull of the moon is tidal locked to him
* Getting too close to him causes time dilation
* Slapping his ass causes aftershocks
* Insects get lost for weeks in his butt crack
* Every chair he owns is the width of a 'love seat'
* whenever they drive him around, the car has to have double springs on the side he rides in
* He makes Eric Cartman look anorexic
* Livery stable horses run away in fear
* Laughing Buddha statues call him "fatso"
[and I haven't even started on his HAIRCUT!]
-
Tuesday 29th April 2025 12:33 GMT Koffi1995
Hiring candidates who can't pronounce their own name?
« "One of the things that we've noted is that you'll have a person in Poland applying with a very complicated name," he recounted, "and then when you get them on Zoom calls it's a military age male Asian who can't pronounce it." But it works enough that quite a few score the job and millions of dollars are being funneled back to North Korea via this route. »
So the person being interviewed can't pronounce their own name, how is that not an immediate red flag that ends the interview? These companies must be pretty desperate to fill the position to overlook things like that.
-
Tuesday 29th April 2025 13:40 GMT Ken G
Re: Hiring candidates who can't pronounce their own name?
If you ask someone their name and they tell you something, you've got to assume that's how they pronounce it.
Many yanks have Irish names, both given and surnames but pronounce both incorrectly by Irish standards. I imagine the same is true for Polish names.
-
Tuesday 29th April 2025 16:07 GMT Koffi1995
Re: Hiring candidates who can't pronounce their own name?
They could also ask the applicants to pronounce the names of a few cities from the region they claim to be living in, someone who's supposedly Polish being unable to pronounce Polish cities or struggling with basic Polish words would indicate something's not right
-
Wednesday 30th April 2025 09:53 GMT Hubert Cumberdale
Re: Hiring candidates who can't pronounce their own name?
Never mind Irish names, they can't even pronounce "Colin", "Craig", or "Graham" properly. And don't get me started on any name that ends in "-stein".
-
Thursday 1st May 2025 22:04 GMT MachDiamond
Re: Hiring candidates who can't pronounce their own name?
"Many yanks have Irish names, both given and surnames but pronounce both incorrectly by Irish standards. I imagine the same is true for Polish names."
If they come straight out and pronounce it confidently, that's different than struggling with it or being seriously off the mark. It's like a professed Welsh person sounding an L for ll in a word.
-
Wednesday 30th April 2025 08:39 GMT Displacement Activity
Re: Hiring candidates who can't pronounce their own name?
"One of the things that we've noted is that you'll have a person in Poland applying with a very complicated name," he recounted, "and then when you get them on Zoom calls it's a military age male Asian who can't pronounce it."
I'm not quite sure how y'all gonna manage with this one. Many of us over here will still remember a famous Polish trade unionist who was apparently named "Lurch Wallesa".
-
Tuesday 29th April 2025 12:45 GMT goblinski
I've commented on this before - I'll comment again:
Why the assumption that the specific type of recruiters that would recruit in these specific conditions care that much about NOT recruiting a Nork spy ?
- A top notch company will have top notch recruiting practices, which would make such an infiltration impossible.
- A crappy company with crappy recruiting practices will be looking to piecemeal deliver a crappy product. A "Champagne from the beer tap" employee, as described above, would be a bingo for them, and they'll dig their heads in the sand stories deep to be able to exploit such an opportunity. That the money is going to eventually work against their country and society would cause but a chuckle. Confronting them further will unleash a counter-barrage of whataboutism. At the end of the day, they'll claim they didn't know, and being the victim.
- A semi-crappy company with semi-crappy practices ? Whichever way the wind blows.
In all events, if the recruiting practices are wonky, they would have worn out the recruiters themselves enough to make them WANT this to happen and close their eyes each step of the way, or not caring altogether.
- A small top notch company that actually has to go through such practices ? Errr... Don't the Norks have enough money to have created, own, and run these from the beginning and from the top, in the first place ?
And I'm not even scratching the surface on recruiting agents that would do 90% of the prescreening fighting for a buck, then dumping the candidate to a lazy and/or incompetent manager as "This is the perfect one".
-
Thursday 1st May 2025 22:10 GMT MachDiamond
"Don't the Norks have enough money to have created, own, and run these from the beginning and from the top, in the first place ?"
A small company that's easier to get someone into helps to create "legends" that gain cred to use when they move on to bigger companies. A verifiable resume with a good work history will help gloss over some inconsistencies.
-
Tuesday 29th April 2025 13:27 GMT heyrick
The key to fixing this
...is that once a person is beyond the initial selection and a viable candidate:
1, insist upon an in-person interview at the business premises.
2, give them very restricted access to company systems in the beginning.
3, related to 2, include a honeypot to see if they go poking around where they shouldn't.
Maybe the FBI, rather than warning about Norks, ought to be asking some serious questions about what sort of company would employ a person sight unseen (no, a video call doesn't count) and send them company hardware (potentially to a completely different address) and give that employee unfettered access to company systems?
-
Tuesday 29th April 2025 15:17 GMT Doctor Syntax
Re: The key to fixing this
I'm wondering if my daughter had an in-person interview given that the company is almost entirely remote working - she certainly hadn't seen the UK office then and I'm not sure whether she's seen it now or even if it exists. It would certainly be unacceptable to use anything other than company computers for the information she handles.
-
Wednesday 30th April 2025 11:26 GMT David Hicklin
Re: The key to fixing this
> I'm wondering if my daughter had an in-person interview given that the company is almost entirely remote working
Same here during Covid my daughter had a totally remote interview and laptop+monitor delivered to our home, mind you we are close to the head office and she did have to provide quite a bit of proof of who she was.
-
Thursday 1st May 2025 22:16 GMT MachDiamond
Re: The key to fixing this
"1, insist upon an in-person interview at the business premises."
I'm not convinced that being at the business premises makes that much of a difference. It might be easier to interview several candidates at a trade function where even the company might be bringing people in from outer offices that could participate in the interviews. It could be a test too. If I were asked if I was going to be attending the NAB show, as a photographer, I should know what that is. I didn't go this year as it had been slow..... except for a bunch of bookings that week. It's not as specific to the things I do these days, but there's people I like to touch base with. If I said I wasn't going and instead going to a different show that was more relevant, that might be a noteworthy response to a crafted question.
-
Wednesday 30th April 2025 07:57 GMT Anonymous Coward
Re: I'm sure we've all seen it.
Apparently congress has been sent on extended 'gardening leave' via executive order from the Führer/President/Great leader Golden^ One !!! They will be advised when they are needed next via telepathy ... another of the 'Golden Ones' Bigly powers !!!
^[Sometimes mistaken for 'Orange' due to the light being 'misread' :) by cameras etc !!!]
:)
-
Tuesday 29th April 2025 15:16 GMT Ball boy
What?
Employing people unseen and without sufficient background checking is asking for trouble. In the example given, it'd be easy enough to check: there'll be a Polish support group within reach who would almost certainly welcome a few corporate bucks in exchange for a quick chat in their native tongue with this 'valuable candidate'. Let's see how quickly a North Korean can pick up that particular lingo!
I'm assuming the glorious C-suites that fell foul of this 'hijacking' are the very same people who discover they have rich relatives in Nigeria who inexplicably die in car wrecks. Perhaps El Reg would be kind enough to list them: I've got a couple of bridges that I need to get rid of...
-
Thursday 1st May 2025 22:18 GMT MachDiamond
Re: What?
"In the example given, it'd be easy enough to check: there'll be a Polish support group within reach who would almost certainly welcome a few corporate bucks in exchange for a quick chat in their native tongue"
It could be worth a negotiated fee to go through a professional local recruiter.
-
Tuesday 29th April 2025 15:31 GMT Doctor Syntax
Perhaps I should pass on some of the emails I get from people with impeccably Anglo-Saxon names offering all sorts of skills such as web-site development, mobile development, webapps etc. They arrive at the same address as the emails telling me Elon Musk says I shouldn't pay my electricity bill and always from gmail addresses.
-
Tuesday 29th April 2025 19:48 GMT martinusher
Dumb Fratboy Stuff
Quite apart from the obvious "Who's going to hire someone sight unseen to handle sensitive code or information?" question (because, let's face it, there are people dumb enough to do this out there) the obvious question is "Why are we taking this inane bit of propaganda seriously?". Many countries have lese majeste laws, some actively enforced (if you don't believe me, try it in Thailand...). But the implication is that the poor DPRK peasants are starving while Kim is living it up off the fat of the land, something that might well be true but hardly isolated to North Korea.
Just remember that we're paying the people who come up with this stuff. It's insultingly naive but, unfortunately, not untypical these days. It's like our entire government and its institutions have been taken over by a low grade tabloid that dabbles in titillation and rumor and has a target reading age of eight.
-
Wednesday 30th April 2025 13:14 GMT I am the liquor
Re: Dumb Fratboy Stuff
It sounds like you're rather missing the point of the article. It's about North Korean state-sponsored cybercrime. The fatness of the supreme leader, while mentioned in one paragraph, is not the subject of the article. Really not clear how you get from The Register quoting something a VP from CrowdStrike said on a conference panel to "our entire government and its institutions have been taken over by a low grade tabloid."
-
Thursday 1st May 2025 22:22 GMT MachDiamond
Re: You could do the same if you wanted to screen out MAGA crazies
"Using that same logic I figure it's ok to round-file any CV/resume with pronouns on it"
I would. It would scream to me that I'm seeing a person on a hair trigger with a blue-haired attorney on speed dial. I don't need that sort of grief.
-
Wednesday 30th April 2025 15:30 GMT Anonymous Coward
all fine and dandy
All fine and dandy, but why is it just north korea? Why does a normal US citizen have to compete with what could be several people working together to score the job from someplace that's not NK but exports its people far and wide?
USA has already gone defcon1 due to basically outsourcing any decent job to citizens of the world.
Things like LinkedIn are just a portal to making this easy. North Korea may as well have invented it.
I bet you didn't get this issue before with companies doing their own recruitment or using agents they trusted. You also had a more balanced workforce of happy vorkers, instead of various versions of mr spock.
Sadly the end result of it all is the lunacy you see in the USA.