
Comments on: Dev targeted by sophisticated job scam: 'I let my guard down, and ran the freaking code'

It all started with a LinkedIn message, as so many employment scams do these days. A recruiter claiming to work for a blockchain firm called Genusix Labs invited Boris Vujičić, a web developer based in Serbia, to apply for a full-time, remote developer job with the company. Vujičić is no stranger to recruitment scams. He told …

  1. ChoHag Silver badge

    How to scam a developer:

    > "It felt natural, her face itself didn't seem fake, her English was amazing, nothing seemed off," he remembers

    Have a face and speak English.

    > Scams are becoming more and more sophisticated. How do you not fall for it?

    Read the fucking code.

    1. Bebu sa Ware Silver badge
      Coat

      Re: How to scam a developer:

      My abiding impression is that 95% of that tribe aren't the sharpest tools. Even the 5% are often so narrowly focused even to the point of dysfunction.

      In short: not too difficult; even basic social engineering is likely to succeed, as these chaps are usually as unacquainted with the "social" as they are with the "engineering" in software engineering.

  2. milet

    The fake website and code repository are still there, on GitHub and npm. Rogue code seems to be hidden in "next-runtimejs". They are avoiding detection by juggling package versions (one contains malicious code, one doesn't).

  3. DS999 Silver badge
    Facepalm

    Why would anyone run a "coding test" on their own desktop?

    VMs are freely available and commonplace. Any developer who doesn't automatically run stuff like this inside one probably isn't smart enough to be hireable.

    1. An_Old_Dog Silver badge

      Re: Why would anyone run a "coding test" on their own desktop?

      Fucking THIS.

      My first mental question while reading the article was, "Why didn't he run the code in a VM?"

      1. Androgynous Cupboard Silver badge

        Re: Why would anyone run a "coding test" on their own desktop?

        That’s true but his point about delaying the attack is also a good one. You’re hired, you’re all done - maybe you’ve worked for them for a couple of weeks. Are you still doing everything in a VM? Because VMs that aren’t headless are horrors to work in.

        1. PghMike

          Re: Why would anyone run a "coding test" on their own desktop?

          Here's an idea -- don't use your personal laptop for work if you don't really know who your employer is.

          1. Evil Auditor Silver badge
            Thumb Up

            Re: Why would anyone run a "coding test" on their own desktop?

            Absolutely. Even if I knew my employer - which I do, and it's a trustworthy one - I wouldn't let them run anything on my personal machines, ever.

        2. DS999 Silver badge

          Re: Why would anyone run a "coding test" on their own desktop?

          As a consultant I always did everything in a VM, except for my first couple contracts around the turn of the millennium. For several reasons:

          1) I boot Linux on my laptop, and most companies are Windows based

          2) I always owned laptops with 16 or 17" screens, companies never distributed laptops with screens that big

          3) By keeping my "work" stuff completely separate I didn't have to worry about breaking any NDAs by keeping stuff I shouldn't, nor with accidentally giving them access to my personal stuff (insert your favorite stories about someone attaching a "personal" photo to a work email)

          4) Since my personal email was a quick switch between environments away I never had to use their email for anything personal, ever

          5) when they'd provide a laptop I'd P2V it and return theirs, they were usually pretty happy about having one less laptop out in the field - sometimes I even got them to send me a VMware disk image rather than a laptop and save us both some bother

          I never had any concern with security since, while it was my personal laptop, it was used only for my consulting business, so really the only personal stuff on there I wouldn't have wanted them to have access to would be stuff like invoices from previous clients. I suppose it had ssh keys for passwordless login to my PC at home that did have the real personal stuff.

          I can't imagine someone having a personal laptop that they used for stuff like banking or stored their crypto wallet and downloading and installing software packages or running random scripts on it they provide. Anyone dumb enough to do that isn't employable in IT beyond "guy who changes toner cartridges in office printers".

      2. doublelayer Silver badge

        Re: Why would anyone run a "coding test" on their own desktop?

        In hindsight I'm sure he's asking the same question. That's why it's relevant to consider the approach, what was done to put him at his ease, and how to be more wary if it happened to you.

        There's a lot of friction with VMs. It's not a simple or fast process to spin one up with all the tools you need and keep it around. You have the choice of taking a few hours to install and configure the software you already have on the base machine inside the VM or keeping gigabytes of VM disk images around for next time, the latter more annoying on a laptop and a Mac where upgrading internal storage is difficult or impossible. If you do it lots of times, you may have base images that speed up some of this, but it's still an annoying process that even those knowledgeable don't frequently do unless they think they need to. That doesn't lessen the need for doing it, but I hope we can be honest with ourselves about how often we incur this pain; do you go through this every time you run any open source code?

        The benefit of a story like this is as a reminder that preparing a VM for situations like this could be useful and as a warning about how far scammers can be willing to go. Neither the article nor the victim claimed this was impossible to prevent or detect.

  4. Anonymous Coward
    Anonymous Coward

    "634 saved Chrome passwords"

    Really? In Chrome? No password manager in sight?

    "Plus, he used to work for Step Finance before a breach and subsequent $40 million cryptocurrency heist shuttered the decentralized-finance biz earlier this year"

    No comment....

  5. DrewPH Bronze badge
    Facepalm

    So this is "idiot is idiot and admits it on media website"?

    VMs exist.

    1. Sandtitz Silver badge
      Thumb Up

      You are 100% right, but admitting this publicly and bringing more exposure to the scams is really helpful for the rest of us.

      1. Irongut Silver badge

        Doesn't help me at all. I would have stopped at the word blockchain because my ethics prevent me working for scammers.

        1. MonkeyJuice Silver badge

          The main issue here is that if your entire industry is a scam, how can you differentiate the scammers from the scammers?

  6. Michael Hoffmann Silver badge
    Thumb Down

    working "in the crypto world"

    My sympathy levels dropped significantly right there. You're part of one of the largest scams in history, right there!

    1. Bebu sa Ware Silver badge
      Facepalm

      Re: working "in the crypto world"

      "one of the largest scams in history,"

      I suspect AI is the other, which is inflicting greater and longer-lasting harm on everyone rather than just on the crypto-gullible.

  7. Anonymous Coward
    Anonymous Coward

    Again -> VMs!

    Anyone, anyone who is a seasoned developer should know to keep business and personal machines firewalled. There is no excuse for not doing this.

    Everyone should have at least 2 physical machines (or 2 VMs), one for personal use, one for development and I keep personal and banking on different VMs, different email accounts. There is no reason in the world not to do this - except if you are lazy, in that case you deserve what you get. Use VLANs, if possible. Look up "DMZ", look up pi-hole+whitelists. The tools are there, one just has to use them.

    Yes, VMs are not perfect and zero exploits exist for escaping one, but if they get to the host, and nothing is on the host, but other VMs, then the hackers still have a tough job ahead. And don't use Windows as the host, ever, ever, ever. Linux or *nix.

    I would have more sympathy for someone who's not a software developer, but if you are...

    Don't get me started on banking apps on mobile phones...

  8. Anonymous Coward
    Anonymous Coward

    Is somebody really still using "LinkedIn"?

    ...I was under the impression that the only "peoples" left there were scammers and peoples that want to be scammed...

    1. Headley_Grange Silver badge

      Re: Is somebody really still using "LinkedIn"?

      You forgot the other peoples who use LinkedIn - the lazy bastards in almost every tech HR department who use it as their only source for recruitment.

      1. Mast1

        Re: Is somebody really still using "LinkedIn"?

        On a (StartPage) search using the name of a convicted criminal, it threw up a link to their LinkedIn profile. Seems like being detained at His Majesty's pleasure does not give one time to erase some of one's traces. The conviction was not for being a scammer.

      2. breakfast Silver badge

        Re: Is somebody really still using "LinkedIn"?

        I have heard some younger folks are using it for dating now, an inventive backchannel that doesn't have some of the worst vicissitudes of dating apps. I sincerely hope that it's true.

      3. Anonymous Coward
        Anonymous Coward

        Re: Is somebody really still using "LinkedIn"?

        "HR" .. those could go under both classifications: "scammers" and "want to be scammed".

  9. Irongut Silver badge

    > A recruiter claiming to work for a blockchain firm

    Well there is your problem in the first place. If you lie down with dogs you wake up with fleas.

    Or to update the idiom for the Blockchain era... If you write code for scammers you wake up scammed.

    Serves the guy right, he clearly has no ethics.

  10. Anonymous Coward
    Anonymous Coward

    Jessica…

    …anything to say about the community note that adorns the Twitter post you quoted?

    https://nitter.net/turshija/status/2047034870967435476

    > Clickbait copying a real life story with receipts from the day prior, apparently embellished and lengthened with AI. x.com/i/status/20469…

    1. Graham Perrin

      Adib Hanna

      https://nitter.net/adibhanna/status/2047032767796412791 (before the series of tweets by Turshija).

      Given the possibility/likelihood that Dean, Jon and others are victims of hacks, it seems deeply unfortunate that they were publicly named by Adib and others.

      https://nitter.net/AaronAfterAll/status/2047055130403496414

      "… I'm willing to wager fraudsters are backdooring legitimate accounts to pull this shit off."

  11. This post has been deleted by its author

  12. Joe W Silver badge
    Facepalm

    "I'm way too intelligent to get caught by this"

    Hubris?

    There are so many comments that say something along these lines, similar to comments on any report of people being scammed. "Serves them right for being stupid" seems to be the consensus - it feels so good to write this, doesn't it? Until you get bitten yourself. I didn't - so far. I'm well aware that this might happen to me, even intelligent people are pretty stupid often enough, and I hope we are all aware enough of this so we do not stop paying attention.

    The OP was tricked, social engineering, the biggest attack surface there is.
