Intelligence Bulletin – India Hiring Proxy
September 18, 2018
On June 4, 2018, the Optiv gTIC Human Intelligence (HUMINT) cell contacted an India-based individual providing interview-proxy services for job applicants in the US and elsewhere. The individual provided details of his services, pricing structure, and areas of expertise, as well as a link to his Google Drive where he stored videos of previous interviews as a “proof-of-concept” of his services. This type of service is assessed to be common practice and poses a risk to information security organizations because unqualified candidates may be improperly hired.
- Proxy-interview providers offer a common service that enables placement of candidates into job positions for which they are not qualified
- The “proxy” stand-in performs the interview on behalf of a remote employee over video with hiring managers, who often do not see the actual candidate applying for a remote position
- The “proxy” stand-in in this particular case provided a list of services, his areas of expertise, and pricing, as well as special services for female applicants
- In speaking and writing, the proxy has native proficiency in Hindi and intermediate-level proficiency in English, sufficient for interviewing and job functions
Threat Actor and Technical Information
Optiv gTIC’s Human Intelligence (HUMINT) cell reached out to a potential threat actor that was believed to be involved in providing proxy-interviewing services. In a proxy-interviewing service, a job candidate, usually one applying for a remote position, hires a proxy to sit through a job interview and pretend to be the candidate. This type of service is often called upon when the actual candidate does not possess the required skills for the role or does poorly during the interview process. The candidate provides the proxy with details such as the job description, their resume, date(s) of the interview, and the names of the hiring managers who will interact with the proxy. The proxy charges the candidate based on the total number of hours spent reviewing and preparing for the interview as well as time spent during the actual interviews.
The initial contact took place over WhatsApp messenger when Optiv gTIC’s HUMINT representative sent a message to the proxy for details of their services. During the initial contact, gTIC’s HUMINT representative provided basic information including name, email address, location, and the name of the company with the open role.
The proxy actor’s name and phone number served as leads in follow-on research. It was determined that the proxy actor is also an online instructor for program and web application development (“dev ops”). “Corporate trainer” is assessed to be a reference to their proxy-interviewing service, according to their personal LinkedIn page.
Figure 1: Proxy Interviewee’s LinkedIn Page
During the WhatsApp conversation, the gTIC’s HUMINT representative asked about pricing, other services that could be provided, and the proxy’s skillset to ensure success in the interview. The proxy provided two URLs. One linked to their YouCanBookMe page, which included pricing information, scheduling information, and a list of skills and experiences that the proxy was familiar with and could present in interviews. The other URL was a Google Drive repository of previous interviews. The URLs for these pages were passed on to Optiv’s Malware and Countermeasures (MAC) team for further analysis and as a source of any pertinent screenshots and content. Screenshots were taken of the YouCanBookMe page, and sample interview videos were extracted from the Google Drive repository.
The proxy confirmed that the Google Drive URL was temporary and changed/updated frequently (NFI). Due to this limitation, only a handful of videos were downloaded before the URL expired and the connection was lost; however, the data collected was sufficient to observe and assess the proxy’s methods and tactics during their clients’ (candidates’) interviews. The videos obtained from the Google Drive were not labeled with any identifiable information to indicate the name of the candidate or the company with which the interview was taking place.
Figure 2: YouCanBookMe Page
Figure 3: YouCanBookMe Page, cont.
Figure 4: YouCanBookMe Page, cont.
After all pertinent information had been provided over WhatsApp messenger, the proxy attempted to call gTIC’s HUMINT representative. A gTIC HUMINT analyst answered the phone to continue to build rapport and establish confidence with the proxy actor. Based on this conversation, it was determined that the proxy was attempting to validate the trustworthiness of the analyst and to confirm their identity as well as the services being inquired about over WhatsApp. In addition, the proxy spoke to the gTIC HUMINT analyst in Hindi and inquired about their place of birth, when/why they moved to the US, their current location, and current education. The proxy expressed interest in working with the HUMINT analyst and was open-ended in disclosing additional information as needed.
Preliminary observations of the videos pulled from the Google Drive identified the proxy actor as well as interviewing companies, which included both US and India-based companies. A large US-based cable and communications company was identified as one of the companies for which a candidate hired the proxy to sit in for their interview.
The improper hiring/placement of job applicants by proxy services will continue to pose a threat to information security companies, as well as any organization with information technology departments, as this activity is viewed as an “accepted” type of behavior in certain communities and cultures. This type of interview-as-a-service activity is likely active and prevalent in countries other than India, which broadens the landscape of this type of threat. Improper placement of candidates by these proxy interviewees can result in a reduction in productivity due to placing inexperienced or unskilled candidates into more advanced-level positions for which they are not suited. This practice also allows infiltration and access to sensitive company information and systems by insiders that may have malicious intent.
Although it is difficult to prosecute or eliminate this type of service completely due to its “acceptance” and likely prevalence in other countries, organizations are advised to:
- Ensure video interviews, especially for remote employees, are followed up by in-person interviews by the actual hiring managers and reporting managers of the candidate
- Share any photo identification or copies of video interviews internally with appropriate parties and need-to-know interviewers to ensure the same individual is sitting through all sessions